Great Circle Associates Firewalls
(May 1996)
 


Subject: Source routed packets
From: marc @ guardian . co . uk (Marc Lueck)
Date: Tue, 21 May 1996 13:32:04 +0100
To: firewalls @ greatcircle . com

First of all, thanks to everyone who replied to my request for definitions
of Proxy firewalling - my presentation went without a hitch and I felt
confident about my content.

However, quite coincidentally, as I was giving my presentation in Amsterdam
last Monday, there was a big scare back at the office that we were being
"hacked" through our firewall!

Here's the scoop: on our INTERNAL mailhost, we were getting a ton of
messages reading:

messages.Wednesday:May 15 23:46:59 wolfie kernel: ICMP: 129.135.211.100: Source Route Failed.
messages.Wednesday:May 15 23:48:19 wolfie kernel: ICMP: 129.135.211.100: Source Route Failed.
messages.Wednesday:May 15 23:48:35 wolfie kernel: ICMP: 129.135.211.101: Source Route Failed.
messages.Wednesday:May 15 23:48:40 wolfie kernel: ICMP: 129.135.211.101: Source Route Failed.
messages.Wednesday:May 15 23:48:42 wolfie kernel: ICMP: 129.135.211.100: Source Route Failed.
messages.Wednesday:May 15 23:48:48 wolfie kernel: ICMP: 129.135.211.100: Source Route Failed.
messages.Wednesday:May 15 23:48:50 wolfie kernel: ICMP: 129.135.211.101: Source Route Failed.
messages.Wednesday:May 15 23:49:02 wolfie kernel: ICMP: 129.135.211.100: Source Route Failed.
messages.Wednesday:May 15 23:49:10 wolfie kernel: ICMP: 129.135.211.101: Source Route Failed.
messages.Wednesday:May 15 23:49:18 wolfie kernel: ICMP: 129.135.211.100: Source Route Failed.
messages.Wednesday:May 15 23:49:34 wolfie kernel: ICMP: 129.135.211.101: Source Route Failed.


And so on and so forth.  What it turns out to have been is that we had a
message queued that was addressed to a certain domain (figure it out
yourself) and our recently upgraded Sendmail (unbeknownst to us) was
now making DNS requests for every message even though it was not sending
directly!  (It has a smarthost entry).  The long and the short of it is
that this site has probably set up their system in a slightly dodgy way,
and I would appreciate it if

1:  Anyone knows if this can be dangerous.

2:  If firewall software should refuse Source routed packets when they are
being received as part of a VALID (at the time) connection.


Thanks,

Marc Lueck
marc @ guardian . co . uk
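
One way to triage log output like the lines quoted in the message above, as an added example that is not part of the original post: it groups the "Source Route Failed" kernel messages by reported address and returns the count and time span for each. The sample lines are constructed in the post's format (one is wrapped the way the mail was), and the year is an assumption because syslog timestamps omit it.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample in the format quoted in the post; the second record is
# wrapped across two lines, as mail clients often do to long log lines.
SAMPLE = """\
messages.Wednesday:May 15 23:46:59 wolfie kernel: ICMP: 129.135.211.100: Source Route Failed.
messages.Wednesday:May 15 23:48:19 wolfie kernel: ICMP: 129.135.211.100:
Source Route Failed.
messages.Wednesday:May 15 23:48:35 wolfie kernel: ICMP: 129.135.211.101: Source Route Failed.
messages.Wednesday:May 15 23:48:40 wolfie kernel: ICMP: 129.135.211.101: Source Route Failed.
messages.Wednesday:May 15 23:48:42 wolfie kernel: ICMP: 129.135.211.100: Source Route Failed.
messages.Wednesday:May 15 23:50:01 wolfie sendmail[211]: unrelated line
"""

# \s+ before "Source Route Failed" lets the match span a wrapped line.
RECORD = re.compile(
    r"(?P<ts>[A-Z][a-z]{2} +\d+ \d\d:\d\d:\d\d) +(?P<host>\S+) kernel: "
    r"ICMP: (?P<addr>\d+\.\d+\.\d+\.\d+):\s+Source Route Failed"
)

def summarize(text, year=1996):
    """Group 'Source Route Failed' records by the address the kernel reported.

    year is an assumption: syslog timestamps carry no year.
    Returns {addr: {"count", "first", "last", "span_s"}}.
    """
    stats = defaultdict(lambda: {"count": 0, "first": None, "last": None})
    for m in RECORD.finditer(text):
        when = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        s = stats[m["addr"]]
        s["count"] += 1
        s["first"] = when if s["first"] is None else min(s["first"], when)
        s["last"] = when if s["last"] is None else max(s["last"], when)
    for s in stats.values():
        s["span_s"] = int((s["last"] - s["first"]).total_seconds())
    return dict(stats)

if __name__ == "__main__":
    for addr, s in sorted(summarize(SAMPLE).items()):
        print(f"{addr}: {s['count']} messages over {s['span_s']}s, "
              f"first {s['first']:%H:%M:%S}, last {s['last']:%H:%M:%S}")
```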


