
Explicitly Allowed Packets Still Being Blocked!

I've been watching my live packet filter logs and notice that there are a lot of incoming packets being blocked which are explicitly allowed via Packet Filter rules.  Do the PF rules show blocked IPS packets as well or something?  The packets in question are logged as being from the Internet to Astaro's externally facing interface address.  There is an ADSL router between Astaro and the Internet.  

I also enabled logging of allowed packets but it doesn't seem to be letting anything in!  The rule is:

Source: Internet (also tried 'Any')
Service: App service definition
Destination: Internal App Server IP
No other restrictions

There are also no explicit blocking PF rules configured.

How can I determine what is blocking these packets?  The IPS live logs and stats show no packets blocked (although enabling all attack pattern rules definitely affects traffic flow!).

Does anyone have any ideas what might be going on here?


  • Ah, yes, much more detail there!

    2010:06:07-15:55:28 PhatWall ulogd[3141]: id="2000" severity="info" sys="SecureNet" sub="packetfilter" name="Packet logged" action="log" fwrule="60021" seq="0" initf="eth0" dstmac="00:48:54:12:fe:a4" srcmac="00:90:d0:74:e1:ea" srcip="79.41.218.42" dstip="(Astaro Ext IP)" proto="17" length="131" tos="0x00" prec="0x00" ttl="107" srcport="12531" dstport="51515"
    2010:06:07-15:55:29 PhatWall ulogd[3141]: id="2000" severity="info" sys="SecureNet" sub="packetfilter" name="Packet logged" action="log" fwrule="60021" seq="0" initf="eth0" dstmac="00:48:54:12:fe:a4" srcmac="00:90:d0:74:e1:ea" srcip="90.225.98.119" dstip="(Astaro Ext IP)" proto="17" length="58" tos="0x00" prec="0x00" ttl="114" srcport="64530" dstport="51515"
    2010:06:07-15:55:30 PhatWall ulogd[3141]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60001" seq="0" initf="eth0" dstmac="00:48:54:12:fe:a4" srcmac="00:90:d0:74:e1:ea" srcip="61.6.236.242" dstip="(Astaro Ext IP)" proto="6" length="108" tos="0x00" prec="0x00" ttl="45" srcport="55215" dstport="51515" tcpflags="ACK PSH FIN"
    2010:06:07-15:55:30 PhatWall ulogd[3141]: id="2000" severity="info" sys="SecureNet" sub="packetfilter" name="Packet logged" action="log" fwrule="60021" seq="0" initf="eth0" dstmac="00:48:54:12:fe:a4" srcmac="00:90:d0:74:e1:ea" srcip="87.194.102.59" dstip="(Astaro Ext IP)" proto="6" length="64" tos="0x00" prec="0x00" ttl="49" srcport="62130" dstport="51515" tcpflags="SYN"
    2010:06:07-15:55:31 PhatWall ulogd[3141]: id="2000" severity="info" sys="SecureNet" sub="packetfilter" name="Packet logged" action="log" fwrule="60021" seq="0" initf="eth0" dstmac="00:48:54:12:fe:a4" srcmac="00:90:d0:74:e1:ea" srcip="114.168.123.218" dstip="(Astaro Ext IP)" proto="6" length="48" tos="0x00" prec="0x00" ttl="104" srcport="39136" dstport="51515" tcpflags="SYN"
    ...
    2010:06:07-15:55:54 PhatWall ulogd[3141]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60001" seq="0" initf="eth0" dstmac="00:48:54:12:fe:a4" srcmac="00:90:d0:74:e1:ea" srcip="115.113.212.16" dstip="(Astaro Ext IP)" proto="17" length="131" tos="0x00" prec="0x00" ttl="107" srcport="1700" dstport="51515"

    ...
    2010:06:07-15:56:34 PhatWall ulogd[3141]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60001" seq="0" initf="eth0" dstmac="00:48:54:12:fe:a4" srcmac="00:90:d0:74:e1:ea" srcip="61.6.236.242" dstip="(Astaro Ext IP)" proto="6" length="108" tos="0x00" prec="0x00" ttl="45" srcport="55215" dstport="51515" tcpflags="ACK PSH FIN"


    Not quite sure how to determine which FW rule is 60001 however...
  • fwrule="60001" means that the packet has arrived "uninvited" to the INPUT chain; it is being "default dropped" because there's no explicit packet filter rule allowing it.

    Since the Astaro is a "stateful" firewall, it will accept packets that it has requested. Normally, you only need to allow outbound traffic, and the requested responses will be allowed.  There are some protocols that require opening inbound ports; I'm not that familiar with bittorrent, so maybe someone else can chime in about it.

    Cheers - Bob
     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • BitTorrent works best if you DNAT the incoming traffic to the PC running BT. (and a packetfilter rule)

    Some BT clients need multiple incoming ports, but modern ones like Vuze only need one.

    Barry
  • Yeah, I am DNATing it plus have 'auto create pf rule' ticked.  Also, I expect that due to the nature of BitTorrent that I will be receiving 'uninvited' communications as such, however you may be talking about something different here...  Also, I'm running uTorrent.
  • Well, there will always be SOME packets dropped as they may be from expired sessions, etc.

    If BT is working fine, don't worry about it.

    Barry
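Pulling together Bob's note that fwrule 60001 is the INPUT-chain default drop and Barry's point that some drops are just the tail of expired sessions, here is an added Python example (not code from the thread or from Astaro/Sophos) that parses the ulogd key="value" packetfilter lines quoted above and separates logged packets, default drops, and likely stale-session drops. The sample lines, IPs and ports are constructed for the example; the 60001/60021 rule meanings are taken from the thread.

```python
import re
from collections import Counter

# Constructed sample lines in the ulogd packetfilter format quoted in the thread
# (IPs are documentation ranges; fwrule 60001 = default drop, 60021 = log rule).
SAMPLE_LOG = """\
2010:06:07-15:55:28 PhatWall ulogd[3141]: id="2000" severity="info" sys="SecureNet" sub="packetfilter" name="Packet logged" action="log" fwrule="60021" seq="0" initf="eth0" srcip="198.51.100.10" dstip="203.0.113.5" proto="17" length="131" ttl="107" srcport="12531" dstport="51515"
2010:06:07-15:55:30 PhatWall ulogd[3141]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60001" seq="0" initf="eth0" srcip="198.51.100.11" dstip="203.0.113.5" proto="6" length="108" ttl="45" srcport="55215" dstport="51515" tcpflags="ACK PSH FIN"
2010:06:07-15:55:30 PhatWall ulogd[3141]: id="2000" severity="info" sys="SecureNet" sub="packetfilter" name="Packet logged" action="log" fwrule="60021" seq="0" initf="eth0" srcip="198.51.100.12" dstip="203.0.113.5" proto="6" length="64" ttl="49" srcport="62130" dstport="51515" tcpflags="SYN"
2010:06:07-15:55:54 PhatWall ulogd[3141]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60001" seq="0" initf="eth0" srcip="198.51.100.13" dstip="203.0.113.5" proto="17" length="131" ttl="107" srcport="1700" dstport="51515"
"""

KV_RE = re.compile(r'(\w+)="([^"]*)"')
DEFAULT_DROP_RULE = "60001"  # INPUT-chain default drop, as explained in the thread

def parse_line(line):
    """Return the key="value" fields of one ulogd packetfilter line as a dict."""
    return dict(KV_RE.findall(line))

def classify(rec):
    """Label a record as logged, a late packet of an expired session, or a default drop."""
    if rec.get("action") != "drop":
        return "logged"
    flags = set(rec.get("tcpflags", "").split())
    # A TCP packet without SYN that reaches the default drop has no conntrack state:
    # most likely the tail of a session whose entry already expired.
    if rec.get("proto") == "6" and flags and "SYN" not in flags:
        return "stale-session"
    if rec.get("fwrule") == DEFAULT_DROP_RULE:
        return "default-drop"
    return "rule-drop"

def summarize(text):
    """Count classifications and the (proto, dstport) pairs hit by default drops."""
    kinds, ports = Counter(), Counter()
    for line in text.splitlines():
        if 'sub="packetfilter"' not in line:
            continue
        rec = parse_line(line)
        kind = classify(rec)
        kinds[kind] += 1
        if kind == "default-drop":
            ports[(rec["proto"], rec["dstport"])] += 1
    return kinds, ports

if __name__ == "__main__":
    kinds, ports = summarize(SAMPLE_LOG)
    print(dict(kinds))            # {'logged': 2, 'stale-session': 1, 'default-drop': 1}
    print(ports.most_common(3))   # [(('17', '51515'), 1)]
```

Only the "default-drop" bucket points at traffic that genuinely lacks an allow rule or DNAT; a busy "stale-session" bucket with BitTorrent working is the expected noise Barry describes.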
  • Yeah, fair enough.  TBH there were a heap more previously but now they seemed to have calmed down considerably.  Thanks for your help guys, much appreciated! [:)]