Hi,
does someone know what is creating fwrule="60023" in the packetfilter.log?
cu SveN
Hi SveN,
in https://community.sophos.com/kb/en-us/115029 60023 isn’t listed. Any more hints in the log line? Maybe something from IPS, but just a guess.
Best regards
Alex
-
Hi Alexander,
no, nothing more in the log, just:
2020:03:20-10:20:52 mail ulogd[15773]: id="2001" severity="info" sys="SecureNet"
sub="packetfilter" name="Packet dropped" action="drop" fwrule="60023"
initf="reds8" srcmac="XX:XX:XX:XX:XX:XX" dstmac="XX:XX:XX:XX:XX:XX" srcip="10.242.113.137" dstip="10.242.113.1"
proto="17" length="59" tos="0x00" prec="0x00" ttl="128" srcport="57830" dstport="53"
cu SveN
Hey SveN,
so I see it’s UDP and port 53, so DNS. As the destination IP is 10.242.113.1, it’s in your net. Does the UTM provide DNS on that address? If not, that may be blocked. Maybe 60023 is blocked DNS requests???
But maybe someone knows more about that.
Best regards
Alex
-
Hello Alex,
thanks, yes it is DNS, yes it is an internal IP coming from a RED Device,
the DNS-Server allows connections from that IP-Net (RED Device)
but somehow it got blocked and I would like to know what is
causing this...
cu SveN
Does the blocking occur if you turn IPS off? Is a firewall rule for allowing this traffic in place?
-
Hi Alex,
this IP got blocked "suddenly". So there is a rule in place.
All other clients from this subnet were able to connect.
I turned IPS off, but no luck, the IP still got blocked.
I do not know if turning IPS off is immediately resetting
all its filters... So it might be IPS...
I would expect to find this somewhere in the documentation,
since it would make life much easier. Also I am missing how
to disable this rule immediately, because it caused a lot of trouble...
cu SveN
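
Added example, not part of any post in this thread: a small Python parser for the key="value" packetfilter format quoted above that counts drops per rule, source, destination, protocol and port, which shows whether a rule such as 60023 is hitting a single host or a whole subnet. Only the first sample line is taken from the thread (joined onto one line); the remaining lines and the names `parse_line` and `summarize_drops` are constructed for illustration.

```python
import re
from collections import Counter

# Line 1 is the entry quoted in the thread; all other lines are constructed samples.
SAMPLE_LOG = """\
2020:03:20-10:20:52 mail ulogd[15773]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60023" initf="reds8" srcmac="XX:XX:XX:XX:XX:XX" dstmac="XX:XX:XX:XX:XX:XX" srcip="10.242.113.137" dstip="10.242.113.1" proto="17" length="59" tos="0x00" prec="0x00" ttl="128" srcport="57830" dstport="53"
2020:03:20-10:20:53 mail ulogd[15773]: id="2001" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60023" initf="reds8" srcip="10.242.113.137" dstip="10.242.113.1" proto="17" srcport="57831" dstport="53"
2020:03:20-10:20:55 mail ulogd[15773]: id="2001" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60023" initf="reds8" srcip="10.242.113.137" dstip="10.242.113.1" proto="17" srcport="57832" dstport="53"
2020:03:20-10:21:02 mail ulogd[15773]: id="2001" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60001" initf="reds8" srcip="10.242.113.140" dstip="10.242.113.1" proto="6" srcport="50111" dstport="445"
2020:03:20-10:21:05 mail exampled[100]: sub="other" name="constructed non-packetfilter line"
"""

FIELD_RE = re.compile(r'(\w+)="([^"]*)"')
PROTO_NAMES = {"1": "ICMP", "6": "TCP", "17": "UDP"}  # IANA protocol numbers


def parse_line(line):
    """Return the key="value" fields of a packetfilter line, or None for other lines."""
    fields = dict(FIELD_RE.findall(line))
    if fields.get("sub") != "packetfilter":
        return None
    fields["timestamp"] = line.split(" ", 1)[0]
    # Translate the numeric protocol; unknown numbers are kept as-is.
    fields["proto_name"] = PROTO_NAMES.get(fields.get("proto"), fields.get("proto"))
    return fields


def summarize_drops(log_text, fwrule=None):
    """Count dropped packets per (fwrule, srcip, dstip, protocol, dstport).

    If fwrule is given, only drops attributed to that rule ID are counted.
    """
    counts = Counter()
    for line in log_text.splitlines():
        f = parse_line(line)
        if not f or f.get("action") != "drop":
            continue
        if fwrule is not None and f.get("fwrule") != fwrule:
            continue
        key = (f.get("fwrule"), f.get("srcip"), f.get("dstip"),
               f["proto_name"], f.get("dstport"))
        counts[key] += 1
    return counts


if __name__ == "__main__":
    for key, n in summarize_drops(SAMPLE_LOG).most_common():
        print(n, *key)
```

Pointing `summarize_drops` at the real packetfilter.log text with `fwrule="60023"` lists every source the rule is dropping, which helps separate a per-host block from a subnet-wide one.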