Danny
Pearl

One-liner for Address Spoofing Troubleshooting

One-liner (Bash) to show a summary about each interfaces' calculated topology and address spoofing setting.
$FWDIR/state/local/FW1/local.set contains all required information regarding interfaces and their topology.

echo; egrep -B1 $'ifindex|:ipaddr|\(\x22<[0-9]|has_addr_info|:monitor_only|:external' $FWDIR/state/local/FW1/local.set | sed 's/[\x22\t()<>-]//g' | sed '$!N;s/\n:ipaddr6/ IPv6/;P;D' | sed '/IPv6/!s/://g' | sed 's/interface_topology/\tCalculated Interface Topology/g' | sed '0,/ifindex 0/{/ifindex 0/d;}' | sed '/ifindex 0/q' | sed '/spoof\|scan/d' | sed 's/has_addr_info true/\tAddress Spoofing Protection: Enabled/g' | sed 's/has_addr_info false/\tAddress Spoofing Protection: Disabled/g' | sed -e '/Prot/{n;d}' | sed '$!N;s/\nmonitor_only true/ (Detect Mode)/;P;D' | sed '$!N;s/\nmonitor_only false/ (Prevent Mode)/;P;D' | sed '$!N;s/\nexternal false/ - Internal Interface/;P;D' | sed '$!N;s/\nexternal true/ - External Interface/;P;D' | tac | sed '/ifindex 0/I,+2 d' | tac | sed '/ifindex/d' | sed 's/,/ -/g' | sed '$!N;s/\nipaddr/ >/;P;D' | sed '/ - /s/^ /\t/' | egrep -C 9999 --color=auto $'>|IPv6|External|Disabled|Detect'; echo

The One-liner is IPv4 and IPv6 compatible, works on clustered and single gateway environments, shows all interface types configured in your firewall object within SmartDashboard, colors specific words of the output for better notification of important settings, adds additional information regarding the Address Spoofing setting and mode as well as the topology type of each interface, and is of course completely integrated within our ccc script.

Thanks to Tim Hall's preliminary work in this thread.
Thanks to Norbert Bohusch for IPv6 support and testing.
Thanks to @HeikoAnkenbrand for challenging me.

20 Replies

Re: One-liner for Address Spoofing Troubleshooting

Hi Danny,

I built something once.
Depending on the interface, the corresponding networks from the IP spoofing area are displayed.

See more in this article:

Show Address Spoofing Networks via CLI  

First experiment:

ifconfig -a | grep encap | awk '{print $1}' | grep -v lo | grep -v bond | grep -v ":" | grep -v ^lo | xargs -I % sh -c 'echo %;more $FWDIR/state/local/FW1/local.set | grep -A 30 %|grep ": (\""|sort -ng| uniq'

Second experiment:

ifconfig -a | grep encap | awk '{print $1}' | grep -v lo | grep -v bond | grep -v ":" | grep -v ^lo | xargs -I % sh -c 'echo %;more $FWDIR/state/local/FW1/local.set | grep -A 30 %|grep ": (\""|sort -ng| uniq |tr \(\)\<\>\:\" \ '

Final version:

ifconfig -a |grep -B 1 inet |grep encap| awk '{print $1}' | grep -v lo | grep -v bond | grep -v ":" | grep -v ^lo | xargs -I % sh -c 'echo %;more $FWDIR/state/local/FW1/local.set | grep -A 30 %|grep ": (\""|sort -ng| uniq |tr \(\)\<\>\:\" \ '

Output:

eth0
   10.0.0.0, 10.255.255.255
   192.168.1.0, 192.168.1.255
eth2
   0.0.0.0, 9.255.255.255
   11.0.0.0, 126.255.255.255
   128.0.0.0, 192.168.41.255
   192.168.202.0, 223.255.255.255
   192.168.43.0, 192.168.200.255
   240.0.0.0, 255.255.255.254
eth3
   192.168.2.0, 192.168.2.255
eth5
   10.172.1.0, 10.172.1.255

Can be formatted even better with AWK, TR, SED.

Best Regards

Heiko

Re: One-liner for Address Spoofing Troubleshooting

With IP and netmask:

ifconfig -a |grep -B 1 inet |grep encap| awk '{print $1}' | grep -v lo | grep -v bond | grep -v ":" | grep -v ^lo | xargs -I % sh -c 'echo %;more $FWDIR/state/local/FW1/local.set | grep -A 8 %|grep ip| tr \a\d\r\:\(\) \ ;echo -n " mask    "  ;ifconfig % | sed -rn "2s/ .*:(.*)$/\1/p";echo " spoofing networks:";more $FWDIR/state/local/FW1/local.set | grep -A 30 %|grep ": (\""|sort -ng| uniq |tr \(\)\<\>\:\" \ ;echo " "'

See more in this article:


Output:

eth0                                                         < Interface
 ip 10.1.1.251                                          < IP
 ip 10.1.1.252   

 mask    255.255.255.0                           < Netmask        

 spoofing networks: 
     10.0.0.0, 10.255.255.255                   < spoofing networks
     192.168.1.0, 192.168.1.255

eth2
 ip  1.1.1.211
 ip  1.1.1.212

 mask    255.255.255.0

 spoofing networks:  
     0.0.0.0, 9.255.255.255
     11.0.0.0, 126.255.255.255
     128.0.0.0, 192.168.41.255
     192.168.220.0, 223.255.255.255
     192.168.4.0, 192.168.8.255
     240.0.0.0, 255.255.255.254

eth3
 ip  192.168.2.131
 ip  192.168.2.132

 mask    255.255.255.0

 spoofing networks:  
     192.168.2.0, 192.168.2.255

eth5
 ip  10.172.1.102
 ip 10.172.1.103

 mask    255.255.255.0

 spoofing networks:  
     10.172.1.0, 10.172.1.255

PS:

Here two IP addresses are visible because it is a cluster with a VIP.

Admin
Admin

Re: One-liner for Address Spoofing Troubleshooting

Sweet!

Does that meet your requirements Danny Jung?


Re: One-liner for Address Spoofing Troubleshooting

Hi Danny,

2500 points are a bit much; 10 would also be OK :)
We all like to help.

I'm going to update the CLI command a little bit this weekend. Maybe there's more you can get out of it.

I think that's very helpful. I would also like to include the routes and separate the VIP and physical IP.

Regards

Heiko

Danny
Pearl

Re: One-liner for Address Spoofing Troubleshooting

Your version contains an issue where an interface is still configured in a gateway's topology within SmartDashboard but was deleted on the GAiA OS and is therefore not shown via ifconfig. As your command relies on ifconfig this critical information is not reflected.


Re: One-liner for Address Spoofing Troubleshooting

ifconfig -a |grep -B 1 inet |grep encap| awk '{print $1}' | grep -v lo | grep -v ":" | grep -v ^lo | xargs -I % sh -c 'echo %;more $FWDIR/state/local/FW1/local.set | grep -A 8 %|grep ip| tr \a\d\r\:\(\) \ ;echo -n " mask    "  ;ifconfig % | sed -rn "2s/ .*:(.*)$/\1/p";echo " spoofing networks:";more $FWDIR/state/local/FW1/local.set | grep -A 30 %|grep ": (\""|sort -ng| uniq |tr \(\)\<\>\:\" \ ;echo " "'

I noticed that the bond interface was not displayed in the old version. Tested it on about 5 firewalls. Everything looks good so far.

For more info, see this article with revisions:

Show Address Spoofing Networks via CLI  

-

Re: One-liner for Address Spoofing Troubleshooting

Command:

ifconfig -a |grep -B 1 inet |grep encap| awk '{print $1}' | grep -v lo | grep -v ":" | grep -v ^lo | xargs -I % sh -c 'echo %;echo -n "   VIP    "; cphaprob -a if |grep %|grep -v U|grep -v D | cut -c16-| tr -d "\r\n" ;echo;echo -n "   IP      ";ifconfig % | grep "inet addr" | cut -d ":" -f 2 | cut -d " " -f 1;echo -n "   Mask    "  ;ifconfig % | sed -rn "2s/ .*:(.*)$/\1/p";echo "   ADDRESS SPOOFING NETWORKS:";more $FWDIR/state/local/FW1/local.set | grep -A 30 %|grep ": (\""|sort -ng| uniq |tr \(\)\<\>\:\" \ ;echo " "'

I noticed that the VIP and IP of the interface were not displayed in the old version.

Example:

For more info, see this article with revisions:

Show Address Spoofing Networks via CLI  

-

Re: One-liner for Address Spoofing Troubleshooting

And the latest version:

ifconfig -a |grep -B 1 inet |grep encap| awk '{print $1}' | grep -v lo | grep -v ":" | grep -v ^lo | xargs -I % sh -c 'echo %;echo -n " VIP "; cphaprob -a if |grep %|grep -v U|grep -v D | cut -c16-| tr -d "\r\n" ;echo;echo -n " IP ";ifconfig % | grep "inet addr" | cut -d ":" -f 2 | cut -d " " -f 1;echo -n " Mask " ;ifconfig % | sed -rn "2s/ .*:(.*)$/\1/p";echo -n " ANTISPOOFING ENABLED: ";more $FWDIR/state/local/FW1/local.set |grep -A 30 % | grep has_addr_info | cut -c17- | tr \) " " |sort -ng| uniq ; echo -n " DETECT=true or PREVENT=false: "; more $FWDIR/state/local/FW1/local.set |grep -A 30 "eth5" | grep monitor_only | cut -c16- | tr \) " " |sort -ng| uniq ;echo " ADDRESS SPOOFING NETWORKS:";more $FWDIR/state/local/FW1/local.set | grep -A 30 %|grep ": (\""|sort -ng| uniq |tr \(\)\<\>\:\" \ ;echo " "'

Now you can see the states of:

- ANTISPOOFING ENABLED

- DETECT=true or PREVENT=false

For more info, see this article with revisions:

Show Address Spoofing Networks via CLI  

Now I need a break. The one-liner makes me crazy :).

Regards

Heiko

Danny
Pearl

Re: One-liner for Address Spoofing Troubleshooting

Let's talk about some improvements.

Instead of your beginning:

ifconfig -a |grep -B 1 inet |grep encap| awk '{print $1}' | grep -v lo | grep -v ":" | grep -v ^lo

I'd suggest

grep -B1 ifindex $FWDIR/state/local/FW1/local.set | sed -n '1~3p' | cut -c 4- | sort | uniq

instead, to actually reflect the calculated topology from SmartDashboard and not the one that is configured on GAiA OS. Otherwise users will run into issues if the interface topology configured in SmartDashboard doesn't match the one that ifconfig returns.

Furthermore, it would be helpful if your One-liner returned MODE: Detect or Mode: Prevent instead of DETECT=true or PREVENT=false.

I also noticed that your One-liner is currently grepping directly for eth5. This doesn't look correct.

Re: One-liner for Address Spoofing Troubleshooting

Hello Danny,

Thanks for the 2500 points. It's a little too much for a one-liner.

I think it's a great community and we should all help each other without rewards.

I gave you back 2500 points for your great work in this article Common Check Point Commands (ccc).

And thanks to everyone who helped to find the great commands for ccc.

Best Regards

Heiko

Re: One-liner for Address Spoofing Troubleshooting

Sorry, of course a % must be used instead of eth5.

Here is the right version:

ifconfig -a |grep -B 1 inet |grep encap| awk '{print $1}' | grep -v lo | grep -v ":" | grep -v ^lo | xargs -I % sh -c 'echo %;echo -n " VIP "; cphaprob -a if |grep %|grep -v U|grep -v D | cut -c16-| tr -d "\r\n" ;echo;echo -n " IP ";ifconfig % | grep "inet addr" | cut -d ":" -f 2 | cut -d " " -f 1;echo -n " Mask " ;ifconfig % | sed -rn "2s/ .*:(.*)$/\1/p";echo -n " ANTISPOOFING ENABLED:         ";more $FWDIR/state/local/FW1/local.set |grep -A 30 % | grep has_addr_info | cut -c17- | tr \) " " |sort -ng| uniq ; echo -n " DETECT=true or PREVENT=false: "; more $FWDIR/state/local/FW1/local.set |grep -A 30 % | grep monitor_only | cut -c16- | tr \) " " |sort -ng| uniq ;echo " ADDRESS SPOOFING NETWORKS:";more $FWDIR/state/local/FW1/local.set | grep -A 30 %|grep ": (\""|sort -ng| uniq |tr \(\)\<\>\:\" \ ;echo " "'

Re: One-liner for Address Spoofing Troubleshooting

I hope this will be integrated into CCC.

Danny
Pearl

Re: One-liner for Address Spoofing Troubleshooting

My original version is integrated within ccc starting from version 2.5.

Re: One-liner for Address Spoofing Troubleshooting

Hi Danny,

I think the "fw ctl zdebug drop" problem is not solvable because there is no interface mapping.

Output from "fw ctl zdebug drop":

;[cpu_1];[fw4_0];fw_log_drop_conn: Packet <dir 1, 1.1.1.2:59655 -> 2.9.2.3:53 IPP 17>, dropped by do_inbound, Reason: Address spoofing;

Regards,

Heiko


Re: One-liner for Address Spoofing Troubleshooting

I'm checking whether we could utilise some "after" event log fetch from log storage, but that would depend on spoofing actually being logged :( and it would not be that instantaneous :)


Re: One-liner for Address Spoofing Troubleshooting

Heiko Ankenbrand: I changed the output from false/true to PREVENT/DETECT, but encountered another thing not considered in your one-liner: VLAN trunks (physical interfaces are also displayed, with all VLAN VIPs/spoofing networks)

Here the altered one-liner and a screenshot with the VLAN trunk issue:

# ifconfig -a |grep -B 1 inet |grep encap| awk '{print $1}' | grep -v lo | grep -v ":" | grep -v ^lo | xargs -I % sh -c 'echo %;echo -n " VIP "; cphaprob -a if |grep %|grep -v U|grep -v D | cut -c16-| tr -d "\r\n" ;echo;echo -n " IP ";ifconfig % | grep "inet addr" | cut -d ":" -f 2 | cut -d " " -f 1;echo -n " Mask " ;ifconfig % | sed -rn "2s/ .*:(.*)$/\1/p";echo -en " ANTISPOOFING ENABLED:\t";more $FWDIR/state/local/FW1/local.set |grep -A 30 % | grep has_addr_info | cut -c17- | tr \) " " |sort -ng| uniq ; echo -en " ANTISPOOFING MODE:\t"; if [ `more $FWDIR/state/local/FW1/local.set |grep -A 30 % | grep monitor_only | cut -c16- | tr \) " " |sort -ng| uniq` ]; then echo "PREVENT"; else echo "DETECT"; fi;echo " ADDRESS SPOOFING NETWORKS:";more $FWDIR/state/local/FW1/local.set | grep -A 30 %|grep ": (\""|sort -ng| uniq |tr \(\)\<\>\:\" \ ;echo " "'

Re: One-liner for Address Spoofing Troubleshooting

Nice!

After 4 hours I had no more nerves to improve the command :).

THX,

Heiko


Re: One-liner for Address Spoofing Troubleshooting

Hi Norbert,

There is a small issue in the one-liner. I added "|grep -o false".

ifconfig -a |grep -B 1 inet |grep encap| awk '{print $1}' | grep -v lo | grep -v ":" | grep -v ^lo | xargs -I % sh -c 'echo %;echo -n " VIP "; cphaprob -a if |grep %|grep -v U|grep -v D | cut -c16-| tr -d "\r\n" ;echo;echo -n " IP ";ifconfig % | grep "inet addr" | cut -d ":" -f 2 | cut -d " " -f 1;echo -n " Mask " ;ifconfig % | sed -rn "2s/ .*:(.*)$/\1/p";echo -en " ANTISPOOFING ENABLED:\t";more $FWDIR/state/local/FW1/local.set |grep -A 30 % | grep has_addr_info | cut -c17- | tr \) " " |sort -ng| uniq ; echo -en " ANTISPOOFING MODE:\t"; if [ `more $FWDIR/state/local/FW1/local.set |grep -A 30 % | grep monitor_only | cut -c16- | tr \) " " |sort -ng| uniq| grep -o false` ]; then echo "PREVENT"; else echo "DETECT"; fi; echo -en " ANTISPOOFING TOPO:\t"; if [ `more $FWDIR/state/local/FW1/local.set |grep -A 30 % | grep external | cut -c12- | tr \) " " |sort -ng| uniq| grep -o true` ]; then echo "External"; else echo "Internal"; fi;echo " ADDRESS SPOOFING NETWORKS:";more $FWDIR/state/local/FW1/local.set | grep -A 30 %|grep ": (\""|sort -ng| uniq |tr \(\)\<\>\:\" \ ;echo " "'

I also added the interface topology setting.

I think this is the longest one-liner in the forum.

For more info, see this article with revisions:

Show Address Spoofing Networks via CLI  

THX,

Heiko

Re: One-liner for Address Spoofing Troubleshooting

We can also add more fields.


:ifindex (3)
:span_port_interface (false)
:has_dir_scan_info (true)
:dir_scan_table (dir_scan_addrs_list4)
:has_addr_info (true)
:addr_table (valid_addrs_list4)
:mgmt_if_id (4)
:activate_mc_enforce (0)
:positive_mc_list (0)
:mc_log (0)
:overlap_nat (false)
:overlap_nat_src_addr ()
:overlap_nat_dst_addr ()
:overlap_nat_netmask (255.255.255.0)
:spooftrack (log)
:monitor_only (false)
:external (true)
:internal_type (undefined)
:access (undefined)
:dmz (false)
:mss_value (0)

I think "spooftrack" is interesting.

Or the routing information of the interface:

--> netstat -rn | grep <interface>

Do you want other fields?

Regards,

Heiko

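An added example (not code from this thread or from the ccc script) that does the same extraction as the one-liners above and the field list just posted with a small parser instead of a grep/sed chain, so it can be run offline against a copied local.set. The sample text is constructed from the field names quoted in this thread; the exact nesting of a real local.set and the range notation : ("<first, last>") are assumptions taken from what the one-liners grep for.

```python
import re

# Constructed sample in the nested ".set" layout the thread's greps imply (":key (value)"
# fields, one "( ... )" block per interface, ranges as : ("<first, last>")); not a real file.
SAMPLE_LOCAL_SET = """\
:interface_topology (
    : (eth0
        :ipaddr (10.1.1.251)
        :has_addr_info (true)
        :monitor_only (false)
        :external (false)
        :valid_addrs_list4 (
            : ("<10.0.0.0, 10.255.255.255>")
            : ("<192.168.1.0, 192.168.1.255>")
        )
    )
    : (eth2
        :ipaddr (1.1.1.211)
        :has_addr_info (true)
        :monitor_only (true)
        :external (true)
    )
    : (eth3
        :has_addr_info (false)
    )
)
"""
FIELD = re.compile(r"^:(\w+) \((.*)\)$")               # e.g. :ifindex (3)
RANGE = re.compile(r'^: \("<([\d.]+), ([\d.]+)>"\)$')  # e.g. : ("<a, b>")
def parse_interfaces(text):  # -> {iface: {field: value, "ranges": [(first, last), ...]}}
    ifaces, cur = {}, None
    for line in (l.strip() for l in text.splitlines()):
        if (m := RANGE.match(line)) and cur:          # anti-spoofing network range
            ifaces[cur]["ranges"].append((m.group(1), m.group(2)))
        elif line.startswith(": (") and not m:        # start of a block: ": (eth0"
            cur = line[3:]
            ifaces[cur] = {"ranges": []}
        elif (m := FIELD.match(line)) and cur:        # plain ":key (value)" field
            ifaces[cur][m.group(1)] = m.group(2)
    return ifaces

def summarize(ifaces):  # same wording as the thread's one-liner output
    out = {}
    for name, f in ifaces.items():
        enabled = f.get("has_addr_info") == "true"
        mode = "Detect" if f.get("monitor_only") == "true" else "Prevent"
        out[name] = {"ip": f.get("ipaddr", "n/a"), "ranges": f["ranges"],
                     "protection": "Enabled" if enabled else "Disabled",
                     "mode": mode if enabled else "n/a",  # only meaningful when enabled
                     "topology": "External" if f.get("external") == "true" else "Internal"}
    return out
```

Feed the contents of $FWDIR/state/local/FW1/local.set to parse_interfaces() instead of the sample to get the per-interface protection state, mode, topology and spoofing networks as a dictionary.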
Dan_Roddy
Copper

Re: One-liner for Address Spoofing Troubleshooting

Wow, where can I buy a copy of 'All Checkpoint Onliner Bash Commands' by: holder-of-the-keys, for $99.95?