Use this forum to post questions relating to WinGate, feature requests, technical or configuration problems

Prevent / blackhole ICMP outbound

Jan 17 04 2:03 am

Is there a way to prevent ICMP packets from leaving wingate, or to blackhole packets to IP addresses/range?

A fellow user of the same ISP is complaining that they
are receiving 'lots' of ICMP type 8 (ping) dropped packets at their
firewall, seemingly from the external interface of my Wingate box.

Confusingly the target of these packets is an IP address they use internally - I am therefore trying to disprove their claim - how can a non routable IP address (192.168....) be pinged from my public IP??
They claim to have spoof protection.

Any advice greatly received.

Mark.

Re: Prevent / blackhole ICMP outbound

Jan 17 04 7:05 am

markt wrote: A fellow user of the same ISP is complaining that they
are receiving 'lots' of ICMP type 8 (ping) dropped packets at their
firewall, seemingly from the external interface of my Wingate box.


You are not connected via a VPN, by any chance? (Like the WinGate VPN?)

markt wrote: Confusingly the target of these packets is an IP address they use internally - I am therefore trying to disprove their claim - how


Which version of WinGate are you currently running? Versions prior to 5.1 / 5.2 (I think) had an issue with pinging and cascaded proxy servers, but that doesn't sound like it could be your case 100%.

Jan 20 04 12:14 am

Thanks for the reply Pascal,

We are not using a VPN of any kind, nor do we have any links
(logical or business) with this third party - they called out of the
blue to complain.

Wingate is 5.22, running on W2k pro with an ADSL public connection.

I still have my doubts that we are the cause...

Mark

Jan 20 04 11:57 am

I'm not convinced that it is WinGate's fault either. Would it be possible for you to perform a packet capture on your external interface? You can do this using applications such as our product NetPatrol, or 3rd party ones such as Tamsoft's CommView. You only need to capture ICMP packets. If you could then email the file to me (neil@qbik) we could see if / why these packets are going out. Also do you see many ICMP hits in your WinGate firewall, and from any particular IPs / IP ranges?!

Regards

Neil
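
Added example, not part of the original thread and not Qbik's code: one way to check such a capture for the traffic being complained about, namely ICMP echo requests (type 8) leaving the gateway's external address for private (RFC 1918) destinations. It assumes the capture has been exported as raw IPv4 packets; the addresses and the SAMPLE packets below are constructed.

```python
import ipaddress
import struct

RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def build_ipv4_icmp(src, dst, icmp_type):
    """Build a minimal IPv4+ICMP packet (constructed sample data, checksums zero)."""
    icmp = struct.pack("!BBHHH", icmp_type, 0, 0, 1, 1)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(icmp), 0, 0, 64, 1, 0,
                     ipaddress.IPv4Address(src).packed,
                     ipaddress.IPv4Address(dst).packed)
    return ip + icmp

def parse_icmp(packet):
    """Return (src, dst, icmp_type) for an IPv4 ICMP packet, else None."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        return None                      # too short or not IPv4
    ihl = (packet[0] & 0x0F) * 4         # header length, may include options
    if ihl < 20 or packet[9] != 1 or len(packet) < ihl + 1:
        return None                      # bad header, not ICMP, or truncated
    if struct.unpack("!H", packet[6:8])[0] & 0x1FFF:
        return None                      # later fragment: no ICMP header here
    src = ipaddress.IPv4Address(packet[12:16])
    dst = ipaddress.IPv4Address(packet[16:20])
    return src, dst, packet[ihl]

def suspicious_echo_requests(packets, external_ip):
    """Echo requests sent from external_ip to RFC 1918 destinations."""
    ext = ipaddress.IPv4Address(external_ip)
    hits = []
    for pkt in packets:
        parsed = parse_icmp(pkt)
        if parsed is None:
            continue
        src, dst, icmp_type = parsed
        if icmp_type == 8 and src == ext and any(dst in n for n in RFC1918):
            hits.append((str(src), str(dst)))
    return hits

# Constructed packets; 203.0.113.10 stands in for the gateway's public address.
SAMPLE = [
    build_ipv4_icmp("203.0.113.10", "192.168.1.20", 8),   # the reported pattern
    build_ipv4_icmp("203.0.113.10", "198.51.100.7", 8),   # ping to a public host
    build_ipv4_icmp("203.0.113.10", "198.51.100.7", 0),   # echo reply
    build_ipv4_icmp("203.0.113.99", "192.168.1.5", 8),    # different source
]
```

An empty result for the real capture would support the view that the gateway is not the origin; any hits give the destination addresses to compare against the complainant's firewall log.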

Jan 21 04 5:21 pm

Thanks for the log file. Just a couple of other questions. From the look of the end of that NAT log, it seems that someone on your external subnet is doing a scan, as the source IPs are sequential (and no doubt spoofed). You don't have any kind of scanning software on your gateway machine do you?! What else is installed on the WinGate machine? When you send in the packet capture could you also send in the list of processes you have running on this machine? Either a screen capture or a print to file of your process list would be good.

Regards

Neil