Hello,
We're using ASL 4.021, 3 NICs, external/LAN/DMZ and just got this on packet filter:

2004-Feb 20 10:02:36 (none) kernel: IP-SPOOFING Drop: IN=eth1 OUT= MAC=00:50:04:61:8f:9c:00:06:2a:a0:14:38:08:00 SRC=192.168.0.23 DST=***.***.***.*** LEN=78 TOS=0x00 PREC=0x00 TTL=118 ID=8073 PROTO=UDP SPT=1028 DPT=137 LEN=58

or, in LiveLog form,

10:02:36 IP-SPOOFING Drop 192.168.0.23 1028 -> ***.***.***.*** 137 UDP IP SPOOFING
SRC HW 00:50:04:61:8f:9c:00
DST HW 06:2a:a0:14:38:08:00

eth1 is our external interface, ***.***.***.*** is the world (WAN) IP on eth1. There is no machine at 129.168.0.23 on the LAN. The MAC address of the eth1 NIC is 00:50:04:61:8F:9C, corresponding to the source MAC address logged. The destination MAC address does not seem familiar.

Despite doc perusing and Googling, it is still not clear to me exactly what has been attempted and what, if any, consequences we should take. I'd be grateful if someone could elucidate. Thanks for reading.

As you can see from log address 192.168.0.23 is comming to eth1.
Spoofing means that to eth1 commes IP which is not in the network of eth1.

And this must be Windows mashine, since it is sending netbios packets.

BR, Matjaz

Hi there,

this mostly happens if you connect multiple interfaces with the same hub or switch.

is that the case?

regards
Gert

Nope,
there *is* a switch on the LAN side, but the only thing going in to it is Astaro's LAN interface; 3 user PCs beyond it. The DMZ interface goes direct to a mail/http server. LAN and DMZ are of course on separate, 'private' subnets, 192.168.0.0 and 192.168.2.0, respectively.