Prevent / blackhole ICMP outbound

Post by markt » Jan 17 04 2:03 am

Is there a way to prevent ICMP packets from leaving WinGate, or to blackhole packets to IP addresses/range?

A fellow user of the same ISP is complaining that they are receiving 'lots' of ICMP type 8 (ping) dropped packets at their firewall, seemingly from the external interface of my WinGate box.

Confusingly the target of these packets is an IP address they use internally - I am therefore trying to disprove their claim - how can a non routable IP address (192.168....) be pinged from my public IP??
They claim to have spoof protection.

Any advice greatly received.

Mark.

Re: Prevent / blackhole ICMP outbound

Post by Pascal » Jan 17 04 7:05 am

markt wrote: A fellow user of the same ISP is complaining that they are receiving 'lots' of ICMP type 8 (ping) dropped packets at their firewall, seemingly from the external interface of my Wingate box.

You are not connected via a VPN, by any chance? (Like the WinGate VPN?)

markt wrote: Confusingly the target of these packets is an IP address they use internally - I am therefore trying to disprove their claim - how

Which version of WinGate are you currently running? Versions prior to 5.1 / 5.2 (I think) had an issue with pinging and cascaded proxy servers, but that doesn't sound like it could be your case 100%.
Pascal

Qbik New Zealand
pascalv@qbik.com
http://www.qbik.com

Post by markt » Jan 20 04 12:14 am

Thanks for the reply Pascal,

We are not using a VPN of any kind, nor do we have any links (logical or business) with this third party - they called out of the blue to complain.

WinGate is 5.22, running on W2k pro with an ADSL public connection.

I still have my doubts that we are the cause...

Mark

Post by neil » Jan 20 04 11:57 am

I'm not convinced that it is WinGate's fault either. Would it be possible for you to perform a packet capture on your external interface? You can do this using applications such as our product NetPatrol, or 3rd party ones such as Tamsoft's CommView. You only need to capture ICMP packets. If you could then email the file to me (neil@qbik) we could see if / why these packets are going out. Also do you see many ICMP hits in your WinGate firewall, and from any particular IPs / IP ranges?!

Regards

Neil

Post by neil » Jan 21 04 5:21 pm

Thanks for the log file. Just a couple of other questions. From the look of the end of that NAT log, it seems that someone on your external subnet is doing a scan, as the source IPs are sequential (and no doubt spoofed). You don't have any kind of scanning software on your gateway machine do you?! What else is installed on the WinGate machine? When you send in the packet capture could you also send in the list of processes you have running on this machine? Either a screen capture or a print to file of your process list would be good.

Regards

Neil
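
Added example (not part of the original thread, and not Qbik's code): one way to check an ICMP-only capture of the external interface, as requested above, for echo requests that leave with the gateway's public address as source and a private (RFC 1918) address as destination. It assumes the capture is saved in classic libpcap format from an Ethernet interface; the function names and sample addresses are constructed for illustration.

```python
import ipaddress
import struct
from collections import Counter

RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def echo_requests(pcap):
    """Yield (src, dst) for each ICMP echo request (type 8) in a classic Ethernet pcap."""
    order = {b"\xd4\xc3\xb2\xa1": "<", b"\xa1\xb2\xc3\xd4": ">"}.get(pcap[:4])
    if order is None or struct.unpack(order + "I", pcap[20:24])[0] != 1:
        raise ValueError("expected a classic pcap file with Ethernet link type")
    off = 24  # skip the 24-byte global header
    while off + 16 <= len(pcap):
        incl_len = struct.unpack(order + "I", pcap[off + 8:off + 12])[0]
        frame = pcap[off + 16:off + 16 + incl_len]
        off += 16 + incl_len
        if len(frame) < 34 or frame[12:14] != b"\x08\x00" or frame[14] >> 4 != 4:
            continue  # not IPv4
        icmp = 14 + (frame[14] & 0x0F) * 4  # Ethernet header + IPv4 header length
        fragment_offset = struct.unpack("!H", frame[20:22])[0] & 0x1FFF
        if frame[23] != 1 or fragment_offset or len(frame) <= icmp:
            continue  # not ICMP, or a later fragment without the ICMP header
        if frame[icmp] == 8:
            yield ipaddress.IPv4Address(frame[26:30]), ipaddress.IPv4Address(frame[30:34])

def outbound_pings(pcap, external_ip):
    """Split echo requests sent from external_ip into RFC 1918 and other destinations."""
    ext = ipaddress.IPv4Address(external_ip)
    private, other = Counter(), Counter()
    for src, dst in echo_requests(pcap):
        if src == ext:
            bucket = private if any(dst in net for net in RFC1918) else other
            bucket[str(dst)] += 1
    return private, other

def sample_pcap(packets):
    """Constructed sample input: (src, dst, icmp_type) tuples -> pcap bytes."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for src, dst, icmp_type in packets:
        ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 28, 0, 0, 64, 1, 0,
                         ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
        frame = bytes(12) + b"\x08\x00" + ip + bytes([icmp_type]) + bytes(7)
        out += struct.pack("<IIII", 0, 0, len(frame), len(frame)) + frame
    return out

# Constructed packets: 203.0.113.10 stands in for the gateway's public address.
SAMPLE = sample_pcap([("203.0.113.10", "192.168.1.20", 8), ("203.0.113.10", "192.168.1.20", 8),
                      ("203.0.113.10", "198.51.100.7", 8), ("198.51.100.7", "203.0.113.10", 0),
                      ("203.0.113.99", "192.168.1.20", 8)])
```

An empty first counter from `outbound_pings(capture_bytes, "<your public IP>")` means the capture holds no pings from that address to private destinations; a non-empty one lists the targets and how often each was hit.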

