
packets slipping past explicit PF rule?

07:29:56 Default DROP TCP 222.93.240.134 : 4118 → [Our Public IP] : 80 [SYN] len=48 ttl=116 tos=0x00 srcmac=00:00:00:00:00:00 dstmac=00:08:02:a4:99:5f


I have a group "Chinese Hackers" that includes 222.93.240.0/22 and a PF rule 'Chinese Hackers → Any → Any : Drop'.

99% of such packets are indeed dropped by my rule.  Any thoughts about how the packet above could have slithered past my PF rule before being default dropped?

Cheers - Bob


  • I wonder why the source mac is 00:00:00:00:00:00.

    Barry
  • > 07:29:56 Default DROP TCP 222.93.240.134 : 4118 → [Our Public IP] : 80 [SYN] len=48 ttl=116 tos=0x00 srcmac=00:00:00:00:00:00 dstmac=00:08:02:a4:99:5f
    >
    > Cheers - Bob

    Bob, the log line you submitted, from where is it? It doesn't seem to be from a log inside the ASG. Is it created by a different host in your network? Where is this host located?
  • This was in the packet filter live log earlier today.  Here's the line from the PF log:
    2009:10:09-07:29:56 post ulogd[3079]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60001" seq="0" initf="eth1" outitf="unknown" dstmac="00:08:02:a4:99:5f" srcmac="00:00:00:00:00:00" srcip="222.93.240.134" dstip="[Our Public IP]" proto="6" length="48" tos="0x00" prec="0x00" ttl="116" srcport="4118" dstport="80" tcpflags="SYN"

    Cheers - Bob
     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
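    The question in this thread is whether a source address that should be covered by the "Chinese Hackers" group really falls inside the group's network definition, or whether the packet hit the default drop (fwrule 60001) for some other reason. The following is an added example, not code from the thread or from Sophos: it parses the key="value" fields of the ulogd line Bob posted, checks the source IP against the group's CIDR, and flags the combination the thread is about (source inside the group, yet logged against the default drop rule) together with the all-zero source MAC Barry noticed. The public IP in the sample is replaced by a documentation address, and the group contents are taken from Bob's description.

```python
import ipaddress
import re
from typing import Dict, List

# Constructed sample: the ulogd line from the thread, with [Our Public IP]
# replaced by an RFC 5737 documentation address so the line parses.
SAMPLE_LOG = (
    '2009:10:09-07:29:56 post ulogd[3079]: id="2001" severity="info" sys="SecureNet" '
    'sub="packetfilter" name="Packet dropped" action="drop" fwrule="60001" seq="0" '
    'initf="eth1" outitf="unknown" dstmac="00:08:02:a4:99:5f" srcmac="00:00:00:00:00:00" '
    'srcip="222.93.240.134" dstip="198.51.100.10" proto="6" length="48" tos="0x00" '
    'prec="0x00" ttl="116" srcport="4118" dstport="80" tcpflags="SYN"'
)

# The network group the explicit drop rule refers to, as described in the thread.
BLOCK_GROUP: Dict[str, List[str]] = {
    "Chinese Hackers": ["222.93.240.0/22"],
}

# fwrule id the log line shows for the default drop (from the posted log line)
DEFAULT_DROP_RULE = "60001"

KV_RE = re.compile(r'(\w+)="([^"]*)"')


def parse_ulogd(line: str) -> Dict[str, str]:
    """Turn the key="value" fields of a UTM packetfilter ulogd line into a dict.

    Values may contain spaces (e.g. name="Packet dropped"), so the regex only
    stops at the closing quote. The timestamp is the first whitespace token.
    """
    fields = dict(KV_RE.findall(line))
    fields["timestamp"] = line.split(" ", 1)[0]
    return fields


def matching_group_members(srcip: str, groups: Dict[str, List[str]]) -> List[str]:
    """Return 'group:network' for every group entry that contains srcip."""
    ip = ipaddress.ip_address(srcip)
    return [
        f"{name}:{net}"
        for name, nets in groups.items()
        for net in nets
        if ip in ipaddress.ip_network(net, strict=False)
    ]


def audit(line: str, groups: Dict[str, List[str]] = BLOCK_GROUP) -> Dict[str, object]:
    """Check one dropped-packet log line against the explicit block group.

    'unexpected' is True when the source sits inside the block group but the
    packet was nevertheless logged against the default drop rule, i.e. the
    explicit rule did not match, which is what the thread reports.
    """
    f = parse_ulogd(line)
    members = matching_group_members(f["srcip"], groups)
    hit_default = f.get("fwrule") == DEFAULT_DROP_RULE
    return {
        "timestamp": f["timestamp"],
        "srcip": f["srcip"],
        "in_block_group": bool(members),
        "matched": members,
        "hit_default_drop": hit_default,
        "zero_srcmac": f.get("srcmac") == "00:00:00:00:00:00",
        "unexpected": bool(members) and hit_default,
    }


if __name__ == "__main__":
    for key, value in audit(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

    Running the script over a packet filter log export makes the 1% of stragglers easy to count: every line where `unexpected` is True is a packet whose source the group definition covers but whose drop was credited to the default rule rather than the explicit one.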
  • Bob, can you make some detailed screenshots of the PF rule which you think should match before?
  • Here you go!

    Cheers - Bob
  • > Here you go!
    >
    > Cheers - Bob

    The PF rule is missing - image 3 shows the same as image 2.

    And can you please make screenshots of the detail view of the two network definitions? Thx
  • Everything is fine now...

    Cheers - Bob
  • > Everything is fine now...
    >
    > Cheers - Bob

    Not completely :-)

    >> And can you please make screenshots of the detail view of the two network definitions? Thx
  • You were too quick.  I saw your request for the detail after I first made that last post.
  • I think it's time for me to move this over to the 7.500 beta thread as a [BUG].