
425 new install 7.504 problems routing

Hi!

With all IDS on, I got many of these:

What rule is it?

2010:03:16-18:09:40 astaro-ext1-1 ulogd[29574]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60002" seq="0" initf="eth0" outitf="eth1" dstmac="00:1a:8c:f0:d5:c0" srcmac="00:13:21:78:b3:e1" srcip="x" dstip="x" proto="6" length="41" tos="0x00" prec="0x00" ttl="126" srcport="41769" dstport="80" tcpflags="ACK"
2010:03:16-18:09:40 astaro-ext1-1 ulogd[29574]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60002" seq="0" initf="eth0" outitf="eth1" dstmac="00:1a:8c:f0:d5:c0" srcmac="00:13:21:78:b3:e1" srcip="x" dstip="x" proto="6" length="52" tos="0x00" prec="0x00" ttl="126" srcport="42012" dstport="80" tcpflags="SYN"



thanks!
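As an added example (not code from this thread or from Sophos), a small parser for the ulogd packet-filter lines quoted above that tallies dropped packets per firewall rule, destination and port, so the rule number that dominates the drops can be looked up in the UTM configuration. The sample lines are constructed with placeholder addresses.

```python
import re
from collections import Counter

# Constructed sample lines in the ulogd "packetfilter" key="value" format
# shown in the thread (IPs and MACs are placeholders, not from the page).
SAMPLE_LOG = """\
2010:03:16-18:09:40 astaro-ext1-1 ulogd[29574]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60002" seq="0" initf="eth0" outitf="eth1" dstmac="00:00:00:00:00:01" srcmac="00:00:00:00:00:02" srcip="198.51.100.7" dstip="203.0.113.10" proto="6" length="41" tos="0x00" prec="0x00" ttl="126" srcport="41769" dstport="80" tcpflags="ACK"
2010:03:16-18:09:40 astaro-ext1-1 ulogd[29574]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60002" seq="0" initf="eth0" outitf="eth1" dstmac="00:00:00:00:00:01" srcmac="00:00:00:00:00:02" srcip="198.51.100.7" dstip="203.0.113.10" proto="6" length="52" tos="0x00" prec="0x00" ttl="126" srcport="42012" dstport="80" tcpflags="SYN"
2010:03:16-18:09:41 astaro-ext1-1 ulogd[29574]: id="2002" severity="info" sys="SecureNet" sub="packetfilter" name="Packet accepted" action="accept" fwrule="3" seq="0" initf="eth0" outitf="eth1" srcip="198.51.100.8" dstip="203.0.113.10" proto="6" length="52" tos="0x00" prec="0x00" ttl="126" srcport="50000" dstport="443" tcpflags="SYN"
"""

# key="value" pairs, and the fixed "timestamp host proc[pid]: " header in front of them
KV_RE = re.compile(r'(\w+)="([^"]*)"')
HEAD_RE = re.compile(r'^(\S+) (\S+) (\S+)\[(\d+)\]: ')


def parse_line(line):
    """Split one ulogd line into its header fields plus every key="value" field.
    Returns None for lines that do not carry the expected header."""
    m = HEAD_RE.match(line)
    if not m:
        return None
    rec = {"ts": m.group(1), "host": m.group(2), "proc": m.group(3), "pid": int(m.group(4))}
    rec.update(KV_RE.findall(line[m.end():]))
    return rec


def summarize_drops(text):
    """Count dropped packets per (fwrule, dstip, dstport).
    Only packetfilter records with action="drop" are counted; accepts are ignored."""
    counts = Counter()
    for line in text.splitlines():
        rec = parse_line(line)
        if rec and rec.get("sub") == "packetfilter" and rec.get("action") == "drop":
            counts[(rec["fwrule"], rec["dstip"], rec["dstport"])] += 1
    return counts


if __name__ == "__main__":
    for (rule, ip, port), n in summarize_drops(SAMPLE_LOG).most_common():
        print(f"fwrule={rule} dstip={ip} dstport={port} drops={n}")
```

Feed it the real packet-filter log (with the masked addresses restored) and the rule numbers it reports are the ones to check under the packet filter and IPS settings.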


  • Could you change the "x" entries to "Internal-IP" and/or "Public-IP" and/or "External (Address)" so that we can see what's happening?

    What do you see in the 'Intrusion Prevention' log at the same time?

    Cheers - Bob
     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • dstip is internal public routable
    srcip is external public routable (customer)

    You are asking for the intrusion log, so am I right that this is the log for the firewall rules and has nothing to do with IPS?
  • Beginning in V7.500, there's a newer IPS engine with a larger ruleset.  During the beta, we saw a similar problem in the Packet Filter log and the solution was to disable one of the IPS rules.

    One more question: "dstip is internal public routable" means the IP of 'Internal (Address)', or another IP in 'Internal (Network)'?

    Cheers - Bob
     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • Yes, correct.

    It's another public routable (not private) IP in the DMZ.
  • So, your DMZ is populated solely with public IPs, masquerading is not set for it, you have a public IP for 'DMZ (Address)' that is different from the IP of the webserver and the netmask on the DMZ Interface is correct. If that's the case, then do you have a packet filter rule as follows?

    Internet -> HTTP -> DMZ (Network) : Allow


    I think the Astaro creates the necessary routing table entries, so I don't think you have to define anything.  You can check that in 'Support >> Advanced' 'Routes Table'.

    Normally, we put private addresses in the DMZ, create 'Additional Addresses' with the public IPs on the External interface and then DNAT incoming traffic from the public to the private IPs.  If you already have a lot of public IPs in your DMZ, I can understand how doing that might be too much to change.

    Cheers - Bob
     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • Thanks.

    This rule is obviously there.
    It's a customer's system, so we cannot change that architecture there.
    I will check this when I am there next time and disable the IPS. This was not possible the first time we migrated (no time), so we moved back to the old system (Novell SEC A V 6.3).