But I see some strange things in the log-file of my linux-firewall
coming from the fortigate-box.
Both machines - my linux-firewall and the fortigate-box - are
in the same public net.
For example my linux-box has the IP-Address 190.30.30.5
in the net 190.30.30.0/24 and the fortigate-box has 190.30.30.6.
So I can see osi2 and osi3 broadcasts.
(The IP-Addresses are examples and not the real ones).
I see a large amount of arp-requests coming
from this fortigate machine:
arp who-has 217.12.10.99 tell 190.30.30.6
arp who-has 193.80.200.160 tell 190.30.30.6
arp who-has 193.80.200.135 tell 190.30.30.6
arp who-has 12.158.80.10 tell 190.30.30.6
arp who-has 195.128.164.3 tell 190.30.30.6
arp who-has 193.201.52.83 tell 190.30.30.6
arp who-has 195.3.96.71 tell 190.30.30.6
arp who-has 64.12.164.248 tell 190.30.30.6
arp who-has 212.227.40.104 tell 190.30.30.6
arp who-has 62.178.215.241 tell 190.30.30.6
...
strange, isn't it?
the fortigate-box asks for osi2-addresses of machines that
the people behind the firewall try to contact!
What I now would like to understand:
- Is this a feature of the fortigate-box (perhaps because the
box is under heavy load - fortigate 50 & 60 are small business
firewalls and this box has to serve about 40-60 clients)
- Or is this because of misconfiguration?
(perhaps: fortigate has an ethernet-port for inside, outside and
dmz - perhaps they (the admins!) have plugged the
cable into the wrong port - dmz? and not into the outside port?)
- Has anybody seen the same and knows the reason?
What else I see in my firewall-log are packets with
source 0.0.0.0 and 255.255.255.255, udp, SPT 68, DPT 67, TTL 128
- okay, dhcp-request coming from a windows machine.
But I also see the mac-address of the asking machine.
(I asked the fortigate admins if they have a machine
with this mac-address in their inner-net and they said "yes")
I now wonder why the fortigate is routing this packet?
A packet with source 0.0.0.0 and dest 255.255.255.255 - with
the original mac??
What is going on there??
thanks very much for any reply
andi
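The symptom described above (a host ARPing for addresses that are not in its own subnet) can be picked out of a tcpdump-style log automatically. This is an added example, not tooling from the poster or from Fortinet; it assumes the log line format quoted in the post and the example subnet 190.30.30.0/24, and separates normal local ARPs from the off-subnet requests that indicate bridging, a wrong netmask or a missing default route.

```python
"""Flag ARP requests whose target lies outside the sender's local subnet.

Added example for the thread above. A host that ARPs for addresses it should
instead send to its default gateway is either bridging/transparent, or has a
wrong netmask or no default route. Log lines use the format quoted in the post.
"""
import ipaddress
import re
from collections import defaultdict

# Matches "arp who-has <target> tell <sender>" as seen in the quoted log.
ARP_RE = re.compile(r"arp who-has (\S+) tell (\S+)")


def parse_arp_requests(lines):
    """Yield (sender, target) address pairs for every ARP request line."""
    for line in lines:
        m = ARP_RE.search(line)
        if not m:
            continue  # not an ARP request line
        target, sender = m.groups()
        try:
            yield ipaddress.ip_address(sender), ipaddress.ip_address(target)
        except ValueError:
            continue  # malformed address, skip the line


def offsubnet_arp_by_sender(lines, local_net):
    """Return {sender: sorted off-subnet targets} for ARP requests whose
    target is not inside local_net. Many entries for one sender means that
    host is resolving at layer 2 addresses it can only reach via a router."""
    net = ipaddress.ip_network(local_net)
    found = defaultdict(set)
    for sender, target in parse_arp_requests(lines):
        if target not in net:
            found[str(sender)].add(str(target))
    return {s: sorted(t) for s, t in found.items()}


# Constructed sample: three lines from the post plus two normal local ARPs.
SAMPLE_LOG = """\
arp who-has 217.12.10.99 tell 190.30.30.6
arp who-has 193.80.200.160 tell 190.30.30.6
arp who-has 190.30.30.1 tell 190.30.30.6
arp who-has 190.30.30.5 tell 190.30.30.1
arp who-has 64.12.164.248 tell 190.30.30.6
""".splitlines()

if __name__ == "__main__":
    for sender, targets in offsubnet_arp_by_sender(SAMPLE_LOG, "190.30.30.0/24").items():
        print(f"{sender}: {len(targets)} off-subnet ARP requests -> {targets}")
```

Running it on a real capture (for example `tcpdump -n -e arp` piped through the script) lists only the senders that behave like the fortigate box in the post.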
This is strange. Usually you see more firewall-to-default router and local
subnet ARPs. These are strange...Do they have many subnets behind them?
>
> strange, isn't it?
> the fortigate-box asks for osi2-addresses of machines,
> the people behind the firewall try to contact!
>
> What I now would like to understand:
> - Is this a feature of the fortigate-box (perhaps because the
> box is under heavy load - fortigate 50 & 60 are small business
> firewalls and this box has to serve about 40-60 clients)
> - Or is this because of misconfiguration?
> (perhaps: fortigate has an ethernet-port for inside, outside and
> dmz - perhaps they (the admins!) have plugged the
> cable into the wrong port - dmz? and not into the outside port?)
> - Has anybody seen the same and knows the reason?
>
> What else I see in my firewall-log are packets with
> source 0.0.0.0 and 255.255.255.255, udp, SPT 68, DPT 67, TTL 128
> - okay, dhcp-request coming from a windows machine.
> But I also see the mac-address of the asking machine.
> (I asked the fortigate admins if they have a machine
> with this mac-address in their inner-net and they said "yes")
> I now wonder why the fortigate is routing this packet?
> A packet with source 0.0.0.0 and dest 255.255.255.255 - with
> the original mac??
The only way I could think of to explain this is if they are doing a
bridging firewall setup. I have a cable modem and do the same thing with a
FreeBSD firewall. I do this because my static IP is on a different subnet
than my dynamic IP addresses (Static = my server and Dynamic = my
desktops)...So in this setup you will see the DHCP packets with the
original MAC addresses...
> This is strange. Usually you see more firewall-to-default router and local
> subnet ARPs. These are strange...Do they have many subnets behind them?
Not many - inside of the fortigate-firewall there are two or three subnets,
all using private IPs somewhere in the range of 192.168/16
(and there are about 30-60 clients).
>> What else I see in my firewall-log are packets with source 0.0.0.0 and
>> 255.255.255.255, udp, SPT 68, DPT 67, TTL 128 - okay, dhcp-request
>> coming from a windows machine. But I also see the mac-address of the
>> asking machine. (I asked the fortigate admins if they have a machine
>> with this mac-address in their inner-net and they said "yes") I now
>> wonder why the fortigate is routing this packet? A packet with source
>> 0.0.0.0 and dest 255.255.255.255 - with the original mac??
>
> The only way I could think of to explain this is if they are doing a
> bridging firewall setup. I have a cable modem and do the same thing with
> a FreeBSD firewall. I do this because my static IP is on a different
> subnet than my dynamic IP addresses (Static = my server and Dynamic =
> my desktops)...So in this setup you will see the DHCP packets with the
> original MAC addresses...
Did I understand this correctly? - your cable-modem is the dhcp-server
and you have to get the dhcp-communication over your firewall,
which comes after the cable-modem?
When the fortigate-admins speak of "their" firewall they always say "it
is a hardware-firewall".
I don't know what they understand by a "hardware-firewall",
but perhaps it is also a bridging-firewall and they don't know
how to configure it correctly?
thx
andi