zorrox last edited by
I got this in my firewall event logs:
2011-10-06 14:42:49 alert IP spoofing! From 10.16.44.11:46767 to 126.96.36.199:6667, proto TCP (zone WebHosting, int ethernet2/1.1). Occurred 1 times.
2011-10-06 14:42:49 alert IP spoofing! From 188.8.131.52:2506 to 184.108.40.206:514, proto UDP (zone Untrust, int redundant1). Occurred 1 times.
How does the firewall define spoofing in the logs above?
I see that both IPs 10.16.44.11 and 220.127.116.11 are in zone WebHosting, int ethernet2/1.1 and Untrust, int redundant1 respectively, so how do I know which interface the spoofing comes from, and which zone/interface it is going to?
Is the firewall blocking the spoofing traffic? How can I trace which host it comes from?
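Added example, not part of the original post: a small Python parser for alert lines in the format quoted above, which tallies alerts by the zone, interface and source address the log reports so that recurring sources stand out. The function and field names are this example's own, and the sample input is the two lines from the post.

```python
import re
from collections import Counter

# Pattern for the alert format quoted in the post (group names are this example's own).
ALERT_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) alert IP spoofing! "
    r"From (?P<src>[\d.]+):(?P<sport>\d+) to (?P<dst>[\d.]+):(?P<dport>\d+), "
    r"proto (?P<proto>\w+) \(zone (?P<zone>[^,]+), int (?P<iface>[^)]+)\)\. "
    r"Occurred (?P<count>\d+) times\.$"
)

# The two log lines from the post, used as sample input.
SAMPLE = """\
2011-10-06 14:42:49 alert IP spoofing! From 10.16.44.11:46767 to 126.96.36.199:6667, proto TCP (zone WebHosting, int ethernet2/1.1). Occurred 1 times.
2011-10-06 14:42:49 alert IP spoofing! From 188.8.131.52:2506 to 184.108.40.206:514, proto UDP (zone Untrust, int redundant1). Occurred 1 times.
"""

def parse_alert(line):
    """Return a dict of fields for one alert line, or None if it does not match."""
    m = ALERT_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    for key in ("sport", "dport", "count"):
        rec[key] = int(rec[key])
    return rec

def tally(lines):
    """Sum the 'Occurred N times' counts per (zone, interface, source IP)."""
    totals = Counter()
    for line in lines:
        rec = parse_alert(line)
        if rec:  # skip lines that are not spoofing alerts
            totals[(rec["zone"], rec["iface"], rec["src"])] += rec["count"]
    return totals

if __name__ == "__main__":
    for (zone, iface, src), n in tally(SAMPLE.splitlines()).most_common():
        print(f"{n:5d}  zone={zone}  int={iface}  src={src}")
```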