So I’m looking in my ISA log files because for the last couple of days my Scorpion Software Firewall dashboard has indicated I’ve been getting ntp attacks from two IP addresses: 192.168.116.1 and 192.168.142.1 and it’s now where I have some time on my hands to figure out what’s going on…. they aren’t getting out …but what are they there? My internal IP address on this network is based on the old SBS 4.x numbering of 10.0.0.x, my home IP range is 192.168.16.x… the 192.168.1.254 is my external nic attached to the router…so WHY do I have two IP addresses attempting to get a time sync and being denied? When I ping them they are unavailable, and an arp -a brings back nothing. Well in chatting with Amy she indicated that the logging I was seeing “0xc0040014 FWX_E_FWE_SPOOFING_PACKET_DROPPED” was not hitting a “rule” but rather at the kernel mode. It was labelling them as spoofed as it didn’t see these addresses in my domain.
No kidding…. neither did I… so what are they? So Amy Googled and found that one might be a Vmware network connection and the other Cisco…. Vmware? Hang on .. I have vmware on this workstation but it’s not loaded up… and at the time I had the two nics enabled (I’ve since disabled them)
And sure enough…that was the IP addresses that the nics were assigned in the interface and ISA was just doing was it was supposed to be doing on my internal network and saying “yo, I don’t recognize these, they aren’t on my approved internal IP addresses so I’m blocking them”. Okay so not exactly like that, but you get my meaning.
Sure ’nuff, disabled the nics as I’m not running a vmware on this machine at this time and that was indeed it. Once again, the firewall dashboard stuck something in my face that I don’t think I would have noticed otherwise.
And by the way…. to Amy … Ditto! THANK YOU! for all that you do for the SBS and ISA Community! http://isainsbs.blogspot.com/2007/01/thank-you.html