
Should this port be opened?

I have noticed a lot of blocked traffic recently.
 
Example:
...
/var/log/packetfilter.log:2013:10:01-16:32:11 gateway ulogd[4428]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60001" initf="eth2" srcmac="c4:39:3a:91:36:86" dstmac="0:15:17:6d:3b:7d" srcip="76.96.13.141" dstip="50.***.***.***" proto="17" length="83" tos="0x00" prec="0x40" ttl="56" srcport="53" dstport="4597"
...
 
The traffic is coming from these hosts:
 
68.87.68.165 (atlt-dnssec01.s3woodstock.ga.atlanta.comcast.net)
68.87.75.201 (pitt-dnssec02.summitpark.pa.pitt.comcast.net)
76.96.90.218 (atlt-dnssec05.s3woodstock.ga.atlanta.comcast.net)
76.96.90.223 (atlt-dnssec06b.s3woodstock.ga.atlanta.comcast.net)
76.96.13.151 (pitt-dnssec03b.summitpark.pa.pitt.comcast.net)
76.96.90.219 (atlt-dnssec05b.s3woodstock.ga.atlanta.comcast.net)
76.96.90.222 (atlt-dnssec06.s3woodstock.ga.atlanta.comcast.net)
 
 
There is a default rule to allow outbound traffic on port 53 but should I allow inbound traffic from these particular hosts?
 
I have the following DNS forwarders setup so I don't know why the hosts listed above are always attempting inbound traffic on port 53:
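Added example for this thread, not code from Sophos or from any of the posters: a small parser for the key="value" layout of the packetfilter.log line quoted above, with a classifier that separates inbound DNS queries (destination port 53) from DNS replies addressed to an ephemeral port (source port 53, high destination port). The quoted line has srcport="53" and dstport="4597", so the parser labels it as a reply to an earlier outbound query for which the firewall has no matching state, not as a query to a DNS service on the firewall; what to do about such drops is left to the reader. The second sample line is constructed (a documentation-range address) to show the contrasting case; the ephemeral-port threshold of 1024 is an assumption.

```python
"""Classify dropped-packet entries from a Sophos UTM packetfilter.log.

Added example, not code from Sophos or from this thread. It assumes only
the key="value" layout visible in the quoted log line; the labels follow
ordinary DNS port semantics (TCP/UDP 53), nothing UTM-specific.
"""
import re
from collections import Counter

# key="value" pairs as written by ulogd into packetfilter.log
KV_RE = re.compile(r'(\w+)="([^"]*)"')

DNS_PORT = 53
EPHEMERAL_MIN = 1024       # assumption: ports >= 1024 are client-side ports
DNS_PROTOS = {"6", "17"}   # protocol numbers for TCP and UDP


def parse_line(line):
    """Return the key="value" fields of one log entry as a dict.
    The syslog prefix (path, timestamp, host, process) carries no fields."""
    return dict(KV_RE.findall(line))


def classify(fields):
    """Label a packet by what its ports say about DNS.

    "inbound-dns-query"            destination port 53: a query aimed at the
                                   firewall's public address
    "dns-reply-to-ephemeral-port"  source port 53, high destination port: an
                                   answer to a query that went out earlier,
                                   dropped because no matching state exists
    "not-dns"                      anything else
    """
    if fields.get("proto") not in DNS_PROTOS:
        return "not-dns"
    try:
        src = int(fields.get("srcport", -1))
        dst = int(fields.get("dstport", -1))
    except ValueError:
        return "not-dns"
    if dst == DNS_PORT:
        return "inbound-dns-query"
    if src == DNS_PORT and dst >= EPHEMERAL_MIN:
        return "dns-reply-to-ephemeral-port"
    return "not-dns"


def summarize(lines):
    """Count (srcip, label) pairs over dropped-packet lines so the pattern
    behind "a lot of blocked traffic" is visible at a glance."""
    counts = Counter()
    for line in lines:
        f = parse_line(line)
        if f.get("action") != "drop":
            continue
        counts[(f.get("srcip"), classify(f))] += 1
    return dict(counts)


SAMPLE_LINES = [
    # The line quoted in the question, destination IP masked as in the post.
    '/var/log/packetfilter.log:2013:10:01-16:32:11 gateway ulogd[4428]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60001" initf="eth2" srcmac="c4:39:3a:91:36:86" dstmac="0:15:17:6d:3b:7d" srcip="76.96.13.141" dstip="50.***.***.***" proto="17" length="83" tos="0x00" prec="0x40" ttl="56" srcport="53" dstport="4597"',
    # Constructed line (not from the thread): a genuine inbound query to
    # port 53 from a documentation-range source address.
    '/var/log/packetfilter.log:2013:10:01-16:40:02 gateway ulogd[4428]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60001" initf="eth2" srcmac="c4:39:3a:91:36:86" dstmac="0:15:17:6d:3b:7d" srcip="198.51.100.7" dstip="50.***.***.***" proto="17" length="60" tos="0x00" prec="0x00" ttl="50" srcport="41222" dstport="53"',
]

if __name__ == "__main__":
    for (srcip, label), n in sorted(summarize(SAMPLE_LINES).items()):
        print(f"{n:4d}  {srcip:15s}  {label}")
```

Run it against a real packetfilter.log with `summarize(open(path).read().splitlines())`; a large count of `dns-reply-to-ephemeral-port` from the resolvers your forwarder actually talks to points at replies arriving after the state entry has gone, whereas `inbound-dns-query` entries are third parties probing port 53 on your address.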


  • Hi, 
    This doesn't look like legitimate traffic; leave it blocked.

    Barry
  • I would recommend you uncheck "use forwarders assigned by ISP", since none are currently assigned. Also, I was under the impression that if that is selected it overrides the entries above; maybe someone could confirm. You also mention you have a firewall rule to allow port 53 traffic out; you shouldn't need any rules for DNS if you are using the UTM's DNS proxy as a forwarder for computers on your internal network.
  • Hi,
    This doesn't look like legitimate traffic; leave it blocked.

    Barry

    I didn't think so either, but I thought I'd ask since all of the PTR records of all offending IPs contain "DNS" and they all belong to Comcast, which is my ISP.

    I would recommend you uncheck "use forwarders assigned by ISP", since none are currently assigned. Also, I was under the impression that if that is selected it overrides the entries above; maybe someone could confirm. You also mention you have a firewall rule to allow port 53 traffic out; you shouldn't need any rules for DNS if you are using the UTM's DNS proxy as a forwarder for computers on your internal network.

    I will uncheck that. The firewall rule that allows port 53 traffic out was created by the Sophos installer, so I did not think it should be deleted.