I help out one of the labs at my university keep their network up and
pcs running. They have a webserver with some sort of vaguely sensitive
information on it, enough so that they requested money for a small
firewall for it and some of the other computers in the lab. They got a
SonicWall tele3 (I believe) and it was working well for a year or so,
but around a week ago the campus's network admin contacted us and said
that our network was broadcasting a *lot* of traffic. From my (outside
their firewall) I did a packet dump (I can supply it if needed) and the
only thing that was unusual was that the sonicwall was sending massive
amounts of ARP traffic asking who has the gateway's IP. By massive I
mean around twenty a second. Before talking to me, the lab director
unplugged each pc one by one from the firewall, but the spamming
continued ever after everything--including the webserver--had been
disconnected. After I was notified, I attempted to log into the
firewall to check its logs, but it didn't work. I scanned the firewall
with nmap and it returned that all ports were filtered, even though
access from within the network to the admin console had been turned on.
I also tried connected to the 'console' port on the sonicwall but either
I didn't know how it worked or it wasn't working properly. In addition,
it seems that pcs within the firewalled network can dhcp an address from
the subnet's gateway (which they couldn't before) and ettercap showed
that you can see all the connections on the subnet from within the
firewall. Since keeping the webserver up is the lab director's primary
goal he doesn't want me to attempt to reflash the firmware unless it's
absolutely necessary or if the firewall's been compromised. So I guess
my question is: is someone tunneling a connection from our firewall to
off-campus over ARP or has the firewall just gone a bit nutty?
