
Firewall Logging

All-

Since the upgrade to version 9.101-12, I am seeing in the firewall log an enormous number of dropped entries for firewall rule 6003, tcpflags="ACK PSH FIN". They appear from a number of sources. One of the source sites is this one. I created a firewall rule any>WebGroup>drop and placed it right after websurfing. WebGroup contains http>source 1:65535> destination 80, and the same for https, substituting port 80 with port 443. The log traffic box is unchecked. Can the fwrule 6003 be edited to turn off logging? My hair is now in a pile on the floor.... Thanks, Jim

2013:06:08-09:52:47 Oasis ulogd[4425]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60003" outitf="eth1" srcmac="0:1b:21:59:59:3d" srcip="209.123.109.176" dstip="192.168.1.2" proto="6" length="40" tos="0x00" prec="0x00" ttl="64" srcport="80" dstport="1632" tcpflags="ACK PSH FIN" 
2013:06:08-09:52:48 Oasis ulogd[4425]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60003" outitf="eth1" srcmac="0:1b:21:59:59:3d" srcip="209.123.109.177" dstip="192.168.1.2" proto="6" length="40" tos="0x00" prec="0x00" ttl="64" srcport="80" dstport="1638" tcpflags="ACK PSH FIN" 
2013:06:08-09:52:48 Oasis ulogd[4425]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60003" outitf="eth1" srcmac="0:1b:21:59:59:3d" srcip="209.123.109.177" dstip="192.168.1.2" proto="6" length="40" tos="0x00" prec="0x00" ttl="64" srcport="80" dstport="1639" tcpflags="ACK PSH FIN" 
2013:06:08-09:53:06 Oasis ulogd[4425]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60003" outitf="eth1" srcmac="0:1b:21:59:59:3d" srcip="85.115.22.9" dstip="192.168.1.2" proto="6" length="40" tos="0x00" prec="0x00" ttl="64" srcport="80" dstport="1671" tcpflags="ACK PSH FIN" 
2013:06:08-09:53:59 Oasis ulogd[4425]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60003" outitf="eth1" srcmac="0:1b:21:59:59:3d" srcip="85.115.22.9" dstip="192.168.1.2" proto="6" length="40" tos="0x00" prec="0x00" ttl="64" srcport="80" dstport="1671" tcpflags="ACK PSH FIN"


  • Hi, Jim,

    "60003" is the default drop rule for the (iptables) OUTPUT chain, so I'm pretty sure it can't be stopped from logging.  At no risk of disrupting "normal" connections, you could make an "HTTP-Response" service and 'Drop : Internet -> {80->1:65535} -> Internal (Network)' to get rid of the log entries, but it might be fun to figure out what's causing this.

    I don't have any certs in TCP/IP, so everyone please correct me if I'm wrong.  What's interesting about this is that conntrack accepted the packet from the responding web server, but believes that the connection with the requestor (192.168.1.2) is expired.  That could be a timeout, but my guess is that there's a glitch in the handoff from conntrack to httpproxy, and that httpproxy should have sent the packet to the requestor.

    What do you see in the Web Filtering log at the same time for one of the srcips above?

    Cheers - Bob
  • Hi Bob,


    Oddly enough, adding the rule you noted did not prevent logging. Possibly I mis-entered something, but I will verify. After a few seconds, in both the case of the firewall and web log, there are a ton of entries...

    Here are the entries from the web log:

    Thanks,
    Jim

    2013:06:08-15:37:03 Oasis httpproxy[8269]: id="0061" severity="info" sys="SecureWeb" sub="http" name="web request blocked, reputation limit" action="block" method="GET" srcip="192.168.1.2" dstip="" user="" statuscode="403" cached="0" profile="REF_DefaultHTTPProfile (Default Proxy)" filteraction="REF_DefaultHTTPCFFAction (Default content filter action)" size="3081" request="0xb07e210" url="i.dslr.net/grad.gif" exceptions="" error="" country="United States" reason="category" category="130" reputation="malicious" categoryname="Malicious Sites"
    2013:06:08-15:37:03 Oasis httpproxy[8269]: id="0061" severity="info" sys="SecureWeb" sub="http" name="web request blocked, reputation limit" action="block" method="GET" srcip="192.168.1.2" dstip="" user="" statuscode="403" cached="0" profile="REF_DefaultHTTPProfile (Default Proxy)" filteraction="REF_DefaultHTTPCFFAction (Default content filter action)" size="3089" request="0xb16b7a0" url="i.dslr.net/gradgrey.gif" exceptions="" error="" country="United States" reason="category" category="130" reputation="malicious" categoryname="Malicious Sites"
    2013:06:08-15:37:03 Oasis httpproxy[8269]: id="0001" severity="info" sys="SecureWeb" sub="http" name="http access" action="pass" method="GET" srcip="192.168.1.2" dstip="209.123.109.176" user="" statuscode="304" cached="0" profile="REF_DefaultHTTPProfile (Default Proxy)" filteraction="REF_DefaultHTTPCFFAction (Default content filter action)" size="0" request="0xb7960d8" url="i.dslr.net/.../fade0-c6c5c5-50-2.gif" exceptions="" error="" country="United States" category="177" reputation="unverified" categoryname="Content Server"
    2013:06:08-15:37:03 Oasis httpproxy[8269]: id="0001" severity="info" sys="SecureWeb" sub="http" name="http access" action="pass" method="GET" srcip="192.168.1.2" dstip="209.123.109.176" user="" statuscode="200" cached="0" profile="REF_DefaultHTTPProfile (Default Proxy)" filteraction="REF_DefaultHTTPCFFAction (Default content filter action)" size="3441" request="0xb7960d8" url="i.dslr.net/.../gif"
    2013:06:08-15:37:03 Oasis httpproxy[8269]: id="0001" severity="info" sys="SecureWeb" sub="http" name="http access" action="pass" method="GET" srcip="192.168.1.2" dstip="209.123.109.176" user="" statuscode="200" cached="0" profile="REF_DefaultHTTPProfile (Default Proxy)" filteraction="REF_DefaultHTTPCFFAction (Default content filter action)" size="3625" request="0xb7960d8" url="i.dslr.net/.../gif"
    2013:06:08-15:37:03 Oasis httpproxy[8269]: id="0001" severity="info" sys="SecureWeb" sub="http" name="http access" action="pass" method="GET" srcip="192.168.1.2" dstip="209.123.109.176" user="" statuscode="304" cached="0" profile="REF_DefaultHTTPProfile (Default Proxy)" filteraction="REF_DefaultHTTPCFFAction (Default content filter action)" size="0" request="0xb7960d8" url="i.dslr.net/toolbox_like.png" exceptions="" error="" country="United States" category="177" reputation="unverified" categoryname="Content Server"
    2013:06:08-15:37:03 Oasis httpproxy[8269]: id="0001" severity="info" sys="SecureWeb" sub="http" name="http access" action="pass" method="GET" srcip="192.168.1.2" dstip="209.123.109.176" user="" statuscode="304" cached="0" profile="REF_DefaultHTTPProfile (Default Proxy)" filteraction="REF_DefaultHTTPCFFAction (Default content filter action)" size="0" request="0xb9de7b0" url="i.dslr.net/.../grad0-a6a5a5-100-2.gif" exceptions="" error="" country="United States" category="177" reputation="unverified" categoryname="Content Server"
    2013:06:08-15:37:03 Oasis httpproxy[8269]: id="0001" severity="info" sys="SecureWeb" sub="http" name="http access" action="pass" method="GET" srcip="192.168.1.2" dstip="209.123.109.176" user="" statuscode="304" cached="0" profile="REF_DefaultHTTPProfile (Default Proxy)" filteraction="REF_DefaultHTTPCFFAction (Default content filter action)" size="0" request="0xaed11c8" url="i.dslr.net/.../VOIP14.gif" exceptions="" error="" country="United States" category="177" reputation="unverified" categoryname="Content Server"
    2013:06:08-15:37:03 Oasis httpproxy[8269]: id="0001" severity="info" sys="SecureWeb" sub="http" name="http access" action="pass" method="GET" srcip="192.168.1.2" dstip="209.123.109.176" user="" statuscode="304" cached="0" profile="REF_DefaultHTTPProfile (Default Proxy)" filteraction="REF_DefaultHTTPCFFAction (Default content filter action)" size="0" request="0x850ac00" url="i.dslr.net/.../feed.png" exceptions="" error="" country="United States" category="177" reputation="unverified" categoryname="Content Server"
    2013:06:08-15:37:03 Oasis httpproxy[8269]: id="0001" severity="info" sys="SecureWeb" sub="http" name="http access" action="pass" method="GET" srcip="192.168.1.2" dstip="209.123.109.176" user="" statuscode="304" cached="0" profile="REF_DefaultHTTPProfile (Default Proxy)" filteraction="REF_DefaultHTTPCFFAction (Default content filter action)" size="0" request="0xb07e990" url="i.dslr.net/.../CABLE14.gif" exceptions="" error="" country="United States" category="177" reputation="unverified" categoryname="Content Server"
    2013:06:08-15:37:03 Oasis httpproxy[8269]: id="0001" severity="info" sys="SecureWeb" sub="http" name="http access" action="pass" method="GET" srcip="192.168.1.2" dstip="209.123.109.176" user="" statuscode="304" cached="0" profile="REF_DefaultHTTPProfile (Default Proxy)" filteraction="REF_DefaultHTTPCFFAction (Default content filter action)" size="0" request="0xbccc820" url="i.dslr.net/.../grad0-a6a5a5-30-2.gif" exceptions="" error="" country="United States" category="177" reputation="unverified" categoryname="Content Server"
    2013:06:08-15:37:03 Oasis httpproxy[8269]: id="0001" severity="info" sys="SecureWeb" sub="http" name="http access" action="pass" method="GET" srcip="192.168.1.2" dstip="209.123.109.176" user="" statuscode="304" cached="0" profile="REF_DefaultHTTPProfile (Default Proxy)" filteraction="REF_DefaultHTTPCFFAction (Default content filter action)" size="0" request="0xb215cd0" url="i.dslr.net/.../FIBER14.gif" exceptions="" error="" country="United States" category="177" reputation="unverified" categoryname="Content Server"
    2013:06:08-15:37:03 Oasis httpproxy[8269]: id="0001" severity="info" sys="SecureWeb" sub="http" name="http access" action="pass" method="GET" srcip="192.168.1.2" dstip="209.123.109.176" user="" statuscode="304" cached="0" profile="REF_DefaultHTTPProfile (Default Proxy)" filteraction="REF_DefaultHTTPCFFAction (Default content filter action)" size="0" request="0xbccc0a0" url="i.dslr.net/.../bullet_blue.png" exceptions="" error="" country="United States" category="177" reputation="unverified" categoryname="Content Server"
    2013:06:08-15:37:06 Oasis httpproxy[8269]: id="0001" severity="info" sys="SecureWeb" sub="http" name="http access" action="pass" method="POST" srcip="192.168.1.2" dstip="72.167.239.239" user="" statuscode="200" cached="0" profile="REF_DefaultHTTPProfile (Default Proxy)" filteraction="REF_DefaultHTTPCFFAction (Default content filter action)" size="1923" request="0xb796258" url="ocsp.godaddy.com/.../ocsp-response"
  • How about the Firewall log line(s) at 15:37:03 with 209.123.109.176?

    Cheers - Bob
  • The last log I sent was the web proxy log. You are most likely noting:

    2013:06:08-15:37:03 Oasis httpproxy[8269]: id="0061" severity="info" sys="SecureWeb" sub="http" name="web request blocked, reputation limit" action="block" method="GET" srcip="192.168.1.2" dstip="" user="" statuscode="403" cached="0" profile="REF_DefaultHTTPProfile (Default Proxy)" filteraction="REF_DefaultHTTPCFFAction (Default content filter action)" size="3089" request="0xb16b7a0" url="i.dslr.net/gradgrey.gif" exceptions="" error="" country="United States" reason="category" category="130" reputation="malicious" categoryname="Malicious Sites"

    I seem to have missed that earlier. Is this possibly related to the ACK FIN in the firelog rules?

    Thanks,
    Jim
  • That's why I wanted to see any related Firewall log line(s) from the same time. [;)]

    Cheers - Bob
  • Hi Bob,

     The times for the enclosed logs match up with some overlap. Here are both the firewall and web filter logs from today:

    Thanks,
    Jim

    Web Filter:

    2013:06:09-09:29:33 Oasis httpproxy[8269]: id="0061" severity="info" sys="SecureWeb" sub="http" name="web request blocked, reputation limit" action="block" method="GET" srcip="192.168.1.2" dstip="" user="" statuscode="403" cached="0" profile="REF_DefaultHTTPProfile (Default Proxy)" filteraction="REF_DefaultHTTPCFFAction (Default content filter action)" size="3095" request="0xafe56a8" url="i.dslr.net/.../aj6m.js
    2013:06:09-09:29:33 Oasis httpproxy[8269]: id="0061" severity="info" sys="SecureWeb" sub="http" name="web request blocked, reputation limit" action="block" method="GET" srcip="192.168.1.2" dstip="" user="" statuscode="403" cached="0" profile="REF_DefaultHTTPProfile (Default Proxy)" filteraction="REF_DefaultHTTPCFFAction (Default content filter action)" size="3099" request="0xb215e50" url="i.dslr.net/.../ct2m.js
    2013:06:09-09:29:33 Oasis httpproxy[8269]: id="0061" severity="info" sys="SecureWeb" sub="http" name="web request blocked, reputation limit" action="block" method="GET" srcip="192.168.1.2" dstip="" user="" statuscode="403" cached="0" profile="REF_DefaultHTTPProfile (Default Proxy)" filteraction="REF_DefaultHTTPCFFAction (Default content filter action)" size="3093" request="0xb07d198" url="i.dslr.net/.../logo.gif" exceptions="" error="" country="United States" reason="category" category="130" reputation="malicious" categoryname="Malicious Sites"
    2013:06:09-09:29:34 Oasis httpproxy[8269]: id="0061" severity="info" sys="SecureWeb" sub="http" name="web request blocked, reputation limit" action="block" method="GET" srcip="192.168.1.2" dstip="" user="" statuscode="403" cached="0" profile="REF_DefaultHTTPProfile (Default Proxy)" filteraction="REF_DefaultHTTPCFFAction (Default content filter action)" size="3095" request="0xb386ca0" url="i.dslr.net/.../aj6m.js
    2013:06:09-09:29:34 Oasis httpproxy[8269]: id="0001" severity="info" sys="SecureWeb" sub="http" name="http access" action="pass" method="GET" srcip="192.168.1.2" dstip="209.123.109.176" user="" statuscode="200" cached="0" profile="REF_DefaultHTTPProfile (Default Proxy)" filteraction="REF_DefaultHTTPCFFAction (Default content filter action)" size="7936" request="0xb07e090" url="i.dslr.net/.../gif"
    2013:06:09-09:29:34 Oasis httpproxy[8269]: id="0001" severity="info" sys="SecureWeb" sub="http" name="http access" action="pass" method="GET" srcip="192.168.1.2" dstip="209.123.109.176" user="" statuscode="200" cached="0" profile="REF_DefaultHTTPProfile (Default Proxy)" filteraction="REF_DefaultHTTPCFFAction (Default content filter action)" size="3625" request="0xb07e090" url="i.dslr.net/.../gif"
    2013:06:09-09:29:34 Oasis httpproxy[8269]: id="0061" severity="info" sys="SecureWeb" sub="http" name="web request blocked, reputation limit" action="block" method="GET" srcip="192.168.1.2" dstip="" user="" statuscode="403" cached="0" profile="REF_DefaultHTTPProfile (Default Proxy)" filteraction="REF_DefaultHTTPCFFAction (Default content filter action)" size="3099" request="0xc35f1c8" url="i.dslr.net/.../ct2m.js
    2013:06:09-09:29:34 Oasis httpproxy[8269]: id="0001" severity="info" sys="SecureWeb" sub="http" name="http access" action="pass" method="GET" srcip="192.168.1.2" dstip="209.123.109.176" user="" statuscode="200" cached="0" profile="REF_DefaultHTTPProfile (Default Proxy)" filteraction="REF_DefaultHTTPCFFAction (Default content filter action)" size="2411" request="0xb07e090" url="i.dslr.net/.../gif"
    2013:06:09-09:29:34 Oasis httpproxy[8269]: id="0001" severity="info" sys="SecureWeb" sub="http" name="http access" action="pass" method="GET" srcip="192.168.1.2" dstip="209.123.109.176" user="" statuscode="200" cached="0" profile="REF_DefaultHTTPProfile (Default Proxy)" filteraction="REF_DefaultHTTPCFFAction (Default content filter action)" size="1033" request="0xb07e510" url="i.dslr.net/.../gif"
    2013:06:09-09:29:34 Oasis httpproxy[8269]: id="0001" severity="info" sys="SecureWeb" sub="http" name="http access" action="pass" method="GET" srcip="192.168.1.2" dstip="209.123.109.176" user="" statuscode="200" cached="0" profile="REF_DefaultHTTPProfile (Default Proxy)" filteraction="REF_DefaultHTTPCFFAction (Default content filter action)" size="3606" request="0xaed1048" url="i.dslr.net/.../gif"
    2013:06:09-09:29:34 Oasis httpproxy[8269]: id="0001" severity="info" sys="SecureWeb" sub="http" name="http access" action="pass" method="GET" srcip="192.168.1.2" dstip="209.123.109.176" user="" statuscode="200" cached="0" profile="REF_DefaultHTTPProfile (Default Proxy)" filteraction="REF_DefaultHTTPCFFAction (Default content filter action)" size="3467" request="0xb9e19b8" url="i.dslr.net/.../gif"
    2013:06:09-09:29:34 Oasis httpproxy[8269]: id="0061" severity="info" sys="SecureWeb" sub="http" name="web request blocked, reputation limit" action="block" method="GET" srcip="192.168.1.2" dstip="" user="" statuscode="403" cached="0" profile="REF_DefaultHTTPProfile (Default Proxy)" filteraction="REF_DefaultHTTPCFFAction (Default content filter action)" size="3093" request="0xb07e090" url="i.dslr.net/.../logo.gif" exceptions="" error="" country="United States" reason="category" category="130" reputation="malicious" categoryname="Malicious Sites"
    2013:06:09-09:29:34 Oasis httpproxy[8269]: id="0001" severity="info" sys="SecureWeb" sub="http" name="http access" action="pass" method="GET" srcip="192.168.1.2" dstip="209.123.109.176" user="" statuscode="304" cached="0" profile="REF_DefaultHTTPProfile (Default Proxy)" filteraction="REF_DefaultHTTPCFFAction (Default content filter action)" size="0" request="0xaed1048" url="i.dslr.net/1ptrans.gif" exceptions="" error="" country="United States" category="177" reputation="unverified" categoryname="Content Server"
    2013:06:09-09:29:34 Oasis httpproxy[8269]: id="0061" severity="info" sys="SecureWeb" sub="http" name="web request blocked, reputation limit" action="block" method="GET" srcip="192.168.1.2" dstip="" user="" statuscode="403" cached="0" profile="REF_DefaultHTTPProfile (Default Proxy)" filteraction="REF_DefaultHTTPCFFAction (Default content filter action)" size="3089" request="0xaed1048" url="i.dslr.net/gradgrey.gif" exceptions="" error="" country="United States" reason="category" category="130" reputation="malicious" categoryname="Malicious Sites"
    2013:06:09-09:29:34 Oasis httpproxy[8269]: id="0001" severity="info" sys="SecureWeb" sub="http" name="http access" action="pass" method="GET" srcip="192.168.1.2" dstip="209.123.109.176" user="" statuscode="304" cached="0" profile="REF_DefaultHTTPProfile (Default Proxy)" filteraction="REF_DefaultHTTPCFFAction (Default content filter action)" size="0" request="0xb07e510" url="i.dslr.net/.../feed.png" exceptions="" error="" country="United States" category="177" reputation="unverified" categoryname="Content Server"
    2013:06:09-09:29:34 Oasis httpproxy[8269]: id="0001" severity="info" sys="SecureWeb" sub="http" name="http access" action="pass" method="GET" srcip="192.168.1.2" dstip="209.123.109.176" user="" statuscode="304" cached="0" profile="REF_DefaultHTTPProfile (Default Proxy)" filteraction="REF_DefaultHTTPCFFAction (Default content filter action)" size="0" request="0xb9e19b8" url="i.dslr.net/toolbox_like.png" exceptions="" error="" country="United States" category="177" reputation="unverified" categoryname="Content Server"
    2013:06:09-09:29:34 Oasis httpproxy[8269]: id="0061" severity="info" sys="SecureWeb" sub="http" name="web request blocked, reputation limit" action="block" method="GET" srcip="192.168.1.2" dstip="" user="" statuscode="403" cached="0" profile="REF_DefaultHTTPProfile (Default Proxy)" filteraction="REF_DefaultHTTPCFFAction (Default content filter action)" size="3081" request="0xb07e510" url="i.dslr.net/grad.gif" exceptions="" error="" country="United States" reason="category" category="130" reputation="malicious" categoryname="Malicious Sites"
    2013:06:09-09:29:34 Oasis httpproxy[8269]: id="0001" severity="info" sys="SecureWeb" sub="http" name="http access" action="pass" method="GET" srcip="192.168.1.2" dstip="209.123.109.176" user="" statuscode="304" cached="0" profile="REF_DefaultHTTPProfile (Default Proxy)" filteraction="REF_DefaultHTTPCFFAction (Default content filter action)" size="0" request="0xb7970c8" url="i.dslr.net/.../FIBER14.gif" exceptions="" error="" country="United States" category="177" reputation="unverified" categoryname="Content Server"
    2013:06:09-09:29:34 Oasis httpproxy[8269]: id="0001" severity="info" sys="SecureWeb" sub="http" name="http access" action="pass" method="GET" srcip="192.168.1.2" dstip="209.123.109.176" user="" statuscode="304" cached="0" profile="REF_DefaultHTTPProfile (Default Proxy)" filteraction="REF_DefaultHTTPCFFAction (Default content filter action)" size="0" request="0xb9e19b8" url="i.dslr.net/.../CABLE14.gif" exceptions="" error="" country="United States" category="177" reputation="unverified" categoryname="Content Server"
    2013:06:09-09:29:34 Oasis httpproxy[8269]: id="0001" severity="info" sys="SecureWeb" sub="http" name="http access" action="pass" method="GET" srcip="192.168.1.2" dstip="209.123.109.176" user="" statuscode="304" cached="0" profile="REF_DefaultHTTPProfile (Default Proxy)" filteraction="REF_DefaultHTTPCFFAction (Default content filter action)" size="0" request="0xb7970c8" url="i.dslr.net/.../bigsmile.gif" exceptions="" error="" country="United States" category="177" reputation="unverified" categoryname="Content Server"
    2013:06:09-09:29:34 Oasis httpproxy[8269]: id="0001" severity="info" sys="SecureWeb" sub="http" name="http access" action="pass" method="GET" srcip="192.168.1.2" dstip="209.123.109.176" user="" statuscode="304" cached="0" profile="REF_DefaultHTTPProfile (Default Proxy)" filteraction="REF_DefaultHTTPCFFAction (Default content filter action)" size="0" request="0xb9e19b8" url="i.dslr.net/.../1315000.gif" exceptions="" error="" country="United States" category="177" reputation="unverified" categoryname="Content Server"
    2013:06:09-09:29:34 Oasis httpproxy[8269]: id="0001" severity="info" sys="SecureWeb" sub="http" name="http access" action="pass" method="GET" srcip="192.168.1.2" dstip="209.123.109.176" user="" statuscode="304" cached="0" profile="REF_DefaultHTTPProfile (Default Proxy)" filteraction="REF_DefaultHTTPCFFAction (Default content filter action)" size="0" request="0xbcca650" url="i.dslr.net/.../grad0-a6a5a5-30-2.gif" exceptions="" error="" country="United States" category="177" reputation="unverified" categoryname="Content Server"
    2013:06:09-09:29:34 Oasis httpproxy[8269]: id="0001" severity="info" sys="SecureWeb" sub="http" name="http access" action="pass" method="GET" srcip="192.168.1.2" dstip="209.123.109.176" user="" statuscode="304" cached="0" profile="REF_DefaultHTTPProfile (Default Proxy)" filteraction="REF_DefaultHTTPCFFAction (Default content filter action)" size="0" request="0xbfb5008" url="i.dslr.net/.../bullet_blue.png" exceptions="" error="" country="United States" category="177" reputation="unverified" categoryname="Content Server"
    2013:06:09-09:29:34 Oasis httpproxy[8269]: id="0001" severity="info" sys="SecureWeb" sub="http" name="http access" action="pass" method="GET" srcip="192.168.1.2" dstip="209.123.109.176" user="" statuscode="304" cached="0" profile="REF_DefaultHTTPProfile (Default Proxy)" filteraction="REF_DefaultHTTPCFFAction (Default content filter action)" size="0" request="0xb9e1538" url="i.dslr.net/.../grad0-a6a5a5-100-2.gif" exceptions="" error="" country="United States" category="177" reputation="unverified" categoryname="Content Server"
    2013:06:09-09:29:34 Oasis httpproxy[8269]: id="0001" severity="info" sys="SecureWeb" sub="http" name="http access" action="pass" method="GET" srcip="192.168.1.2" dstip="209.123.109.176" user="" statuscode="304" cached="0" profile="REF_DefaultHTTPProfile (Default Proxy)" filteraction="REF_DefaultHTTPCFFAction (Default content filter action)" size="0" request="0xb9e16b8" url="i.dslr.net/.../fade0-c6c5c5-50-2.gif" exceptions="" error="" country="United States" category="177" reputation="unverified" categoryname="Content Server"

    Firewall log:

    2013:06:09-09:29:33 Oasis ulogd[4425]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60003" outitf="eth1" srcmac="0:1b:21:59:59:3d" srcip="209.123.109.176" dstip="192.168.1.2" proto="6" length="40" tos="0x00" prec="0x00" ttl="64" srcport="80" dstport="4697" tcpflags="ACK PSH FIN" 
    2013:06:09-09:29:34 Oasis ulogd[4425]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60003" outitf="eth1" srcmac="0:1b:21:59:59:3d" srcip="209.123.109.177" dstip="192.168.1.2" proto="6" length="40" tos="0x00" prec="0x00" ttl="64" srcport="80" dstport="4630" tcpflags="ACK PSH FIN" 
    2013:06:09-09:29:34 Oasis ulogd[4425]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60003" outitf="eth1" srcmac="0:1b:21:59:59:3d" srcip="209.123.109.176" dstip="192.168.1.2" proto="6" length="40" tos="0x00" prec="0x00" ttl="64" srcport="80" dstport="4684" tcpflags="ACK PSH FIN" 
    2013:06:09-09:29:34 Oasis ulogd[4425]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60003" outitf="eth1" srcmac="0:1b:21:59:59:3d" srcip="209.123.109.176" dstip="192.168.1.2" proto="6" length="40" tos="0x00" prec="0x00" ttl="64" srcport="80" dstport="4699" tcpflags="ACK PSH FIN" 
    2013:06:09-09:29:34 Oasis ulogd[4425]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60003" outitf="eth1" srcmac="0:1b:21:59:59:3d" srcip="209.123.109.177" dstip="192.168.1.2" proto="6" length="40" tos="0x00" prec="0x00" ttl="64" srcport="80" dstport="4704" tcpflags="ACK PSH FIN" 
    2013:06:09-09:29:34 Oasis ulogd[4425]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60003" outitf="eth1" srcmac="0:1b:21:59:59:3d" srcip="209.123.109.177" dstip="192.168.1.2" proto="6" length="40" tos="0x00" prec="0x00" ttl="64" srcport="80" dstport="4703" tcpflags="ACK PSH FIN" 
    2013:06:09-09:29:34 Oasis ulogd[4425]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60003" outitf="eth1" srcmac="0:1b:21:59:59:3d" srcip="209.123.109.177" dstip="192.168.1.2" proto="6" length="40" tos="0x00" prec="0x00" ttl="64" srcport="80" dstport="4615" tcpflags="ACK PSH FIN" 
    2013:06:09-09:29:34 Oasis ulogd[4425]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60003" outitf="eth1" srcmac="0:1b:21:59:59:3d" srcip="209.123.109.176" dstip="192.168.1.2" proto="6" length="40" tos="0x00" prec="0x00" ttl="64" srcport="80" dstport="4686" tcpflags="ACK PSH FIN" 
    2013:06:09-09:29:35 Oasis ulogd[4425]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60003" outitf="eth1" srcmac="0:1b:21:59:59:3d" srcip="209.123.109.176" dstip="192.168.1.2" proto="6" length="40" tos="0x00" prec="0x00" ttl="64" srcport="80" dstport="4687" tcpflags="ACK PSH FIN" 
    2013:06:09-09:29:35 Oasis ulogd[4425]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60003" outitf="eth1" srcmac="0:1b:21:59:59:3d" srcip="209.123.109.176" dstip="192.168.1.2" proto="6" length="40" tos="0x00" prec="0x00" ttl="64" srcport="80" dstport="4685" tcpflags="ACK PSH FIN" 
    2013:06:09-09:29:37 Oasis ulogd[4425]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60003" outitf="eth1" srcmac="0:1b:21:59:59:3d" srcip="209.123.109.176" dstip="192.168.1.2" proto="6" length="40" tos="0x00" prec="0x00" ttl="64" srcport="80" dstport="4697" tcpflags="ACK PSH FIN" 
    2013:06:09-09:29:37 Oasis ulogd[4425]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60003" outitf="eth1" srcmac="0:1b:21:59:59:3d" srcip="209.123.109.176" dstip="192.168.1.2" proto="6" length="40" tos="0x00" prec="0x00" ttl="64" srcport="80" dstport="4684" tcpflags="ACK PSH FIN" 
    2013:06:09-09:29:37 Oasis ulogd[4425]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60003" outitf="eth1" srcmac="0:1b:21:59:59:3d" srcip="209.123.109.177" dstip="192.168.1.2" proto="6" length="40" tos="0x00" prec="0x00" ttl="64" srcport="80" dstport="4622" tcpflags="ACK PSH FIN" 
    2013:06:09-09:29:38 Oasis ulogd[4425]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60003" outitf="eth1" srcmac="0:1b:21:59:59:3d" srcip="209.123.109.176" dstip="192.168.1.2" proto="6" length="40" tos="0x00" prec="0x00" ttl="64" srcport="80" dstport="4699" tcpflags="ACK PSH FIN"
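
Added example, not part of the original thread: one way to do the cross-check discussed above, pairing each rule-60003 drop with web filter entries for the same client and server within a few seconds. The function names, the 5-second window and the abridged sample lines are assumptions made for this sketch.

```python
import re
from collections import Counter
from datetime import datetime

# Constructed sample lines in the format shown in the thread (fields abridged).
FIREWALL_LOG = """\
2013:06:09-09:29:33 Oasis ulogd[4425]: id="2001" sub="packetfilter" action="drop" fwrule="60003" srcip="209.123.109.176" dstip="192.168.1.2" srcport="80" dstport="4697" tcpflags="ACK PSH FIN"
2013:06:09-09:29:34 Oasis ulogd[4425]: id="2001" sub="packetfilter" action="drop" fwrule="60003" srcip="209.123.109.177" dstip="192.168.1.2" srcport="80" dstport="4630" tcpflags="ACK PSH FIN"
2013:06:09-09:29:37 Oasis ulogd[4425]: id="2001" sub="packetfilter" action="drop" fwrule="60003" srcip="209.123.109.176" dstip="192.168.1.2" srcport="80" dstport="4697" tcpflags="ACK PSH FIN"
"""

PROXY_LOG = """\
2013:06:09-09:29:33 Oasis httpproxy[8269]: id="0061" sub="http" action="block" srcip="192.168.1.2" dstip="" statuscode="403" url="i.dslr.net/gradgrey.gif" reputation="malicious"
2013:06:09-09:29:34 Oasis httpproxy[8269]: id="0001" sub="http" action="pass" srcip="192.168.1.2" dstip="209.123.109.176" statuscode="304" url="i.dslr.net/toolbox_like.png" reputation="unverified"
2013:06:09-09:29:33 Oasis httpproxy[8269]: id="0061" sub="http" action="block" srcip="192.168.1.2" dstip="" statuscode="403" url="i.dslr.net/.../aj6m.js
"""

LINE_RE = re.compile(r'^(\S+) (\S+) (\w+)\[\d+\]: (.*)$')
# Accept a value whose closing quote was cut off at end of line,
# as happens with some url= fields pasted in the thread.
KV_RE = re.compile(r'(\w+)="([^"]*)(?:"|$)')


def parse_line(line):
    """Return a dict of fields plus 'time' and 'proc', or None if not a log line."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    stamp, _host, proc, rest = m.groups()
    entry = dict(KV_RE.findall(rest))
    entry["time"] = datetime.strptime(stamp, "%Y:%m:%d-%H:%M:%S")
    entry["proc"] = proc
    return entry


def parse_log(text):
    return [e for e in map(parse_line, text.splitlines()) if e]


def default_drops(entries, rule="60003"):
    """Firewall entries dropped by the given rule id."""
    return [e for e in entries
            if e.get("action") == "drop" and e.get("fwrule") == rule]


def repeated_drops(drops):
    """(server ip, client port) pairs logged more than once: the same
    segment seen again, i.e. the far end is still retrying."""
    counts = Counter((d["srcip"], d["dstport"]) for d in drops)
    return {k: n for k, n in counts.items() if n > 1}


def correlate(drops, proxy_entries, window=5):
    """Pair each drop with proxy requests from the drop's destination (the
    client) to the drop's source (the web server) within `window` seconds.
    Blocked requests log dstip="" and so can never match by address."""
    out = []
    for d in drops:
        hits = [p for p in proxy_entries
                if p.get("srcip") == d["dstip"]
                and p.get("dstip") == d["srcip"]
                and abs((p["time"] - d["time"]).total_seconds()) <= window]
        out.append((d, hits))
    return out


if __name__ == "__main__":
    drops = default_drops(parse_log(FIREWALL_LOG))
    proxy = parse_log(PROXY_LOG)
    for d, hits in correlate(drops, proxy):
        urls = [h.get("url") for h in hits] or ["no proxy entry in window"]
        print(d["time"].time(), d["srcip"], "->", d["dstport"], urls)
    print("repeated:", repeated_drops(drops))
```

Drops with no matching proxy entry are the ones to look at first, since the web filter never logged a request to that server address in the window.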
  • Jim, outside of a bug, the only thing I can think of is that you might want to run an anti-virus scan on 192.168.1.2 to confirm that no malware got through.

    Otherwise, I haven't a clue!

    Cheers - Bob
  • Bob,

    192.168.1.2 is clean; AV with pattern update runs daily. One other thought: could this have anything to do with using DNSSEC? It is not available on 9.006. Also, the DNS servers were changed to the Level 3 DNS servers because OpenDNS does not support DNSSEC, based on some information from the website about 2 months ago. Is it possible this could be a bug in Astaro? However, I think it is more likely changes that have been made in configuration since 9.006. Currently logging is disabled. Over the next weekend I will load a very limited config file and see where it takes us.

    Thanks,
    Jim
  • So, you have enabled IPv6?  I wonder what effect disabling it would have...

    Cheers - Bob
  • Bob,

    IPv6 is not enabled currently.

    Thanks,
    Jim