[8.980][QUESTION] Lots of dropped packages with RST as state.

Hi All,

I've opened some ports for bittorrent: 6881:7881 to be precise.

I have a DNAT on my WAN interface for those ports on TCP/UDP that forwards them to the pc in question.
I also have an exception that will allow the PC to connect to any port on the internet if it comes from the previously mentioned range (so 2 different Service Objects).

This seems to work fine... however, a lot of packets are dropped with a RST state. It seems harmless, but it's still annoying to see your log file up.

I also notice a lot of drops of ACK PSH FIN's on ActiveSync connections.
They remain open for a very long time. This could possibly be related.

Below is a small snippet that shows one from ActiveSync and the others from torrents.

I probably made an error somewhere, but I'm not sure where, since everything seems to work. ActiveSync randomly goes broken for a few minutes until a new connection is made; this is also annoying but not too bad.

17:16:11  Default DROP  TCP  91.121.217.18:443 → 91.176.70.98:60122  [ACK PSH FIN]  len=803  ttl=64  tos=0x00  srcmac=0:50:56:8:6b:a3
17:16:17  Default DROP  TCP  82.192.84.140:64628 → 188.165.142.66:7502  [RST]  len=40  ttl=57  tos=0x00  srcmac=ec:30:91:e0:df:80  dstmac=0:50:56:2:27:f3
17:16:19  Default DROP  TCP  46.59.99.187:51413 → 188.165.142.66:7507  [RST]  len=40  ttl=56  tos=0x00  srcmac=ec:30:91:e0:df:80  dstmac=0:50:56:2:27:f3
17:16:19  Default DROP  TCP  91.121.177.126:54377 → 188.165.142.66:7511  [RST]  len=40  ttl=60  tos=0x00  srcmac=ec:30:91:e0:df:80  dstmac=0:50:56:2:27:f3
17:16:21  Default DROP  TCP  72.211.230.125:51308 → 188.165.142.66:7508  [RST]  len=40  ttl=52  tos=0x00  srcmac=ec:30:91:e0:df:80  dstmac=0:50:56:2:27:f3
17:16:23  Default DROP  TCP  24.11.81.54:50010 → 188.165.142.66:7519  [RST]  len=40  ttl=51  tos=0x00  srcmac=ec:30:91:e0:df:80  dstmac=0:50:56:2:27:f3
  • Hi, I don't see anything specifically wrong, but a few comments:

    1. Many of the packetfilter log entries are for other services; it would be more clear if you filtered it.

    2. I'm not sure which is your IP in the log. Also, it would be wise to obfuscate part of your IP with x's.

    3. 1000 ports seems excessive. I'm not familiar with Deluge, but uTorrent and Azureus/Vuze only need 1 port.

    Barry

  • 1. Many of the packetfilter log entries are for other services; it would be more clear if you filtered it.


    Here is a cleaner sample; I replaced the IPs with something more descriptive.
    2012:06:26-11:55:37 osaka ulogd[4489]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60001" initf="eth2" srcmac="ga:te:wa:yn:ac:ad" dstmac="fw:ma:ca:dd:re:ss" srcip="rem.ote.ip.addr" dstip="my.ext.ip.addr" proto="6" length="40" tos="0x00" prec="0x00" ttl="57" srcport="63195" dstport="7273" tcpflags="RST"
    2012:06:26-11:55:39 osaka ulogd[4489]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60001" initf="eth2" srcmac="ga:te:wa:yn:ac:ad" dstmac="fw:ma:ca:dd:re:ss" srcip="rem.ote.ip.addr" dstip="my.ext.ip.addr" proto="6" length="40" tos="0x00" prec="0x00" ttl="59" srcport="60017" dstport="7275" tcpflags="RST"
    2012:06:26-11:55:41 osaka ulogd[4489]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60001" initf="eth2" srcmac="ga:te:wa:yn:ac:ad" dstmac="fw:ma:ca:dd:re:ss" srcip="rem.ote.ip.addr" dstip="my.ext.ip.addr" proto="6" length="40" tos="0x00" prec="0x00" ttl="59" srcport="61302" dstport="7292" tcpflags="RST"
    2012:06:26-11:55:41 osaka ulogd[4489]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60001" initf="eth2" srcmac="ga:te:wa:yn:ac:ad" dstmac="fw:ma:ca:dd:re:ss" srcip="rem.ote.ip.addr" dstip="my.ext.ip.addr" proto="6" length="40" tos="0x00" prec="0x00" ttl="51" srcport="50010" dstport="7290" tcpflags="RST"
    2012:06:26-11:55:43 osaka ulogd[4489]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60001" initf="eth2" srcmac="ga:te:wa:yn:ac:ad" dstmac="fw:ma:ca:dd:re:ss" srcip="rem.ote.ip.addr" dstip="my.ext.ip.addr" proto="6" length="40" tos="0x00" prec="0x00" ttl="60" srcport="52307" dstport="7305" tcpflags="RST"
    2012:06:26-11:55:43 osaka ulogd[4489]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60001" initf="eth2" srcmac="ga:te:wa:yn:ac:ad" dstmac="fw:ma:ca:dd:re:ss" srcip="rem.ote.ip.addr" dstip="my.ext.ip.addr" proto="6" length="40" tos="0x00" prec="0x00" ttl="60" srcport="52307" dstport="7299" tcpflags="RST"
    2012:06:26-11:55:46 osaka ulogd[4489]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60001" initf="eth2" srcmac="ga:te:wa:yn:ac:ad" dstmac="fw:ma:ca:dd:re:ss" srcip="rem.ote.ip.addr" dstip="my.ext.ip.addr" proto="6" length="40" tos="0x00" prec="0x00" ttl="52" srcport="51412" dstport="7317" tcpflags="RST"
    2012:06:26-11:55:46 osaka ulogd[4489]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60001" initf="eth2" srcmac="ga:te:wa:yn:ac:ad" dstmac="fw:ma:ca:dd:re:ss" srcip="rem.ote.ip.addr" dstip="my.ext.ip.addr" proto="6" length="40" tos="0x00" prec="0x00" ttl="57" srcport="51413" dstport="7320" tcpflags="RST"
    2012:06:26-11:55:55 osaka ulogd[4489]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60001" initf="eth2" srcmac="ga:te:wa:yn:ac:ad" dstmac="fw:ma:ca:dd:re:ss" srcip="rem.ote.ip.addr" dstip="my.ext.ip.addr" proto="6" length="40" tos="0x00" prec="0x00" ttl="46" srcport="49664" dstport="7346" tcpflags="RST"
    2012:06:26-11:56:03 osaka ulogd[4489]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60001" initf="eth2" srcmac="ga:te:wa:yn:ac:ad" dstmac="fw:ma:ca:dd:re:ss" srcip="rem.ote.ip.addr" dstip="my.ext.ip.addr" proto="6" length="40" tos="0x00" prec="0x00" ttl="59" srcport="57228" dstport="7375" tcpflags="RST"
    2012:06:26-11:56:08 osaka ulogd[4489]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60001" initf="eth2" srcmac="ga:te:wa:yn:ac:ad" dstmac="fw:ma:ca:dd:re:ss" srcip="rem.ote.ip.addr" dstip="my.ext.ip.addr" proto="6" length="40" tos="0x00" prec="0x00" ttl="49" srcport="54059" dstport="7388" tcpflags="RST"
    2012:06:26-11:56:11 osaka ulogd[4489]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60001" initf="eth2" srcmac="ga:te:wa:yn:ac:ad" dstmac="fw:ma:ca:dd:re:ss" srcip="rem.ote.ip.addr" dstip="my.ext.ip.addr" proto="6" length="40" tos="0x00" prec="0x00" ttl="51" srcport="51413" dstport="7406" tcpflags="RST"
    2012:06:26-11:56:11 osaka ulogd[4489]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60001" initf="eth2" srcmac="ga:te:wa:yn:ac:ad" dstmac="fw:ma:ca:dd:re:ss" srcip="rem.ote.ip.addr" dstip="my.ext.ip.addr" proto="6" length="40" tos="0x00" prec="0x00" ttl="52" srcport="51308" dstport="7400" tcpflags="RST"
    2012:06:26-11:56:17 osaka ulogd[4489]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60001" initf="eth2" srcmac="ga:te:wa:yn:ac:ad" dstmac="fw:ma:ca:dd:re:ss" srcip="rem.ote.ip.addr" dstip="my.ext.ip.addr" proto="6" length="40" tos="0x00" prec="0x00" ttl="57" srcport="64628" dstport="7423" tcpflags="RST"
    2012:06:26-11:56:17 osaka ulogd[4489]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60001" initf="eth2" srcmac="ga:te:wa:yn:ac:ad" dstmac="fw:ma:ca:dd:re:ss" srcip="rem.ote.ip.addr" dstip="my.ext.ip.addr" proto="6" length="40" tos="0x00" prec="0x00" ttl="52" srcport="51413" dstport="7420" tcpflags="RST"
    2012:06:26-11:56:32 osaka ulogd[4489]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60001" initf="eth2" srcmac="ga:te:wa:yn:ac:ad" dstmac="fw:ma:ca:dd:re:ss" srcip="rem.ote.ip.addr" dstip="my.ext.ip.addr" proto="6" length="40" tos="0x00" prec="0x00" ttl="61" srcport="57642" dstport="7463" tcpflags="RST"
    2012:06:26-11:56:33 osaka ulogd[4489]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60001" initf="eth2" srcmac="ga:te:wa:yn:ac:ad" dstmac="fw:ma:ca:dd:re:ss" srcip="rem.ote.ip.addr" dstip="my.ext.ip.addr" proto="6" length="40" tos="0x00" prec="0x00" ttl="59" srcport="57228" dstport="7466" tcpflags="RST"
    2012:06:26-11:56:33 osaka ulogd[4489]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60001" initf="eth2" srcmac="ga:te:wa:yn:ac:ad" dstmac="fw:ma:ca:dd:re:ss" srcip="rem.ote.ip.addr" dstip="my.ext.ip.addr" proto="6" length="40" tos="0x00" prec="0x00" ttl="61" srcport="51890" dstport="7468" tcpflags="RST"
    2012:06:26-11:56:33 osaka ulogd[4489]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60001" initf="eth2" srcmac="ga:te:wa:yn:ac:ad" dstmac="fw:ma:ca:dd:re:ss" srcip="rem.ote.ip.addr" dstip="my.ext.ip.addr" proto="6" length="40" tos="0x00" prec="0x00" ttl="61" srcport="61398" dstport="7472" tcpflags="RST"
    2012:06:26-11:56:36 osaka ulogd[4489]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60001" initf="eth2" srcmac="ga:te:wa:yn:ac:ad" dstmac="fw:ma:ca:dd:re:ss" srcip="rem.ote.ip.addr" dstip="my.ext.ip.addr" proto="6" length="40" tos="0x00" prec="0x00" ttl="61" srcport="57642" dstport="7480" tcpflags="RST"
    2012:06:26-11:56:36 osaka ulogd[4489]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60001" initf="eth2" srcmac="ga:te:wa:yn:ac:ad" dstmac="fw:ma:ca:dd:re:ss" srcip="rem.ote.ip.addr" dstip="my.ext.ip.addr" proto="6" length="40" tos="0x00" prec="0x00" ttl="61" srcport="57642" dstport="7478" tcpflags="RST"
    2012:06:26-11:56:36 osaka ulogd[4489]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60001" initf="eth2" srcmac="ga:te:wa:yn:ac:ad" dstmac="fw:ma:ca:dd:re:ss" srcip="rem.ote.ip.addr" dstip="my.ext.ip.addr" proto="6" length="40" tos="0x00" prec="0x00" ttl="61" srcport="57642" dstport="7482" tcpflags="RST"



    2. I'm not sure which is your IP in the log. Also, it would be wise to obfuscate part of your IP with x's.

    See above; since this is inbound traffic, you can see the destport is within the 6881:7881 range.


    3. 1000 ports seems excessive. I'm not familiar with Deluge, but uTorrent and Azureus/Vuze only need 1 port.

    Yeah, it is a lot, but there is nothing else on that IP aside from a VPN on port 443, so I saw no harm in giving Deluge whatever the default range for outgoing and ingoing connections was.
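Barry's first suggestion, filtering the packetfilter log, as an added example that is not part of the thread or of the UTM: a small Python parser for the ulogd key="value" lines shown above that separates the expected bare-RST drops into the 6881:7881 DNAT range (a reset for a session the stateful firewall no longer tracks) from drops that would actually point at a broken forward (a dropped SYN into that range) and from late FIN/RST teardown segments like the ActiveSync one. The sample entries, TORRENT_PORTS and the category names are constructed here.

```python
import re
from collections import Counter

# Constructed sample entries in the ulogd key="value" format from the thread
# (placeholder addresses, as in the post); fields not needed here are omitted.
SAMPLE_LOG = """\
2012:06:26-11:55:37 osaka ulogd[4489]: id="2001" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60001" initf="eth2" srcip="rem.ote.ip.addr" dstip="my.ext.ip.addr" proto="6" length="40" ttl="57" srcport="63195" dstport="7273" tcpflags="RST"
2012:06:26-11:55:39 osaka ulogd[4489]: id="2001" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60001" initf="eth2" srcip="rem.ote.ip.addr" dstip="my.ext.ip.addr" proto="6" length="803" ttl="64" srcport="443" dstport="60122" tcpflags="ACK PSH FIN"
2012:06:26-11:55:41 osaka ulogd[4489]: id="2001" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60001" initf="eth2" srcip="rem.ote.ip.addr" dstip="my.ext.ip.addr" proto="6" length="60" ttl="51" srcport="50010" dstport="7290" tcpflags="SYN"
2012:06:26-11:55:43 osaka ulogd[4489]: id="2001" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60001" initf="eth2" srcip="rem.ote.ip.addr" dstip="my.ext.ip.addr" proto="17" length="120" ttl="60" srcport="52307" dstport="7305"
"""

KV_RE = re.compile(r'(\w+)="([^"]*)"')
TORRENT_PORTS = range(6881, 7882)   # the thread's 6881:7881 DNAT range, inclusive


def parse_ulogd_line(line):
    """Split one ulogd packetfilter entry into its key="value" fields."""
    return dict(KV_RE.findall(line))


def classify_drop(entry):
    """Label a dropped TCP packet by the most likely reason stateful inspection rejected it."""
    flags = set(entry.get("tcpflags", "").split())
    dstport = int(entry.get("dstport", "-1"))   # ulogd always emits a numeric port for TCP
    if flags == {"RST"} and dstport in TORRENT_PORTS:
        # A bare RST for a session conntrack no longer tracks: expected noise, harmless.
        return "stale-rst-to-dnat-range"
    if "SYN" in flags and "ACK" not in flags and dstport in TORRENT_PORTS:
        # A dropped SYN into the forwarded range means the DNAT/allow rule did not match: worth fixing.
        return "new-connection-to-dnat-range"
    if flags & {"FIN", "RST"}:
        # Teardown segments arriving after the conntrack entry timed out (the ActiveSync case).
        return "late-teardown"
    return "other"


def summarize(log_text):
    """Count dropped TCP packets per category across a ulogd log excerpt."""
    counts = Counter()
    for line in log_text.splitlines():
        entry = parse_ulogd_line(line)          # blank/non-matching lines give {} and are skipped
        if entry.get("action") != "drop" or entry.get("proto") != "6":
            continue
        counts[classify_drop(entry)] += 1
    return counts


if __name__ == "__main__":
    for category, n in summarize(SAMPLE_LOG).most_common():
        print(f"{n:4d}  {category}")
```

Feed it the UTM's packetfilter.log instead of SAMPLE_LOG; a non-zero "new-connection-to-dnat-range" count is the one that warrants a look at the DNAT and allow rules.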