
[60003]How to fix this?

Hey guys,

My firewall started to fill the log with "60003" entries:
2013:06:11-18:36:26 UTM-Frank ulogd[5091]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60003" outitf="eth0" mark="0x108d" app="141" srcmac="0:c:f6[:D]:e5:72" srcip="89.202.157.201" dstip="192.168.1.2" proto="6" length="40" tos="0x00" prec="0x00" ttl="64" srcport="80" dstport="49159" tcpflags="ACK PSH FIN" 

2013:06:11-18:36:26 UTM-Frank ulogd[5091]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60003" outitf="eth0" mark="0x108d" app="141" srcmac="0:c:f6[:D]:e5:72" srcip="89.202.157.201" dstip="192.168.1.2" proto="6" length="40" tos="0x00" prec="0x00" ttl="64" srcport="80" dstport="49160" tcpflags="ACK PSH FIN" 
2013:06:11-18:36:28 UTM-Frank ulogd[5091]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60003" outitf="eth0" mark="0x10d3" app="211" srcmac="0:c:f6[:D]:e5:72" srcip="199.7.55.72" dstip="192.168.1.2" proto="6" length="40" tos="0x00" prec="0x00" ttl="64" srcport="80" dstport="49166" tcpflags="ACK PSH FIN" 


In an attempt to fix it, I reinstalled using the latest version (cleaning all the logs, hard drive, configurations done, and all the definitions), with no function active except the firewall and "network visibility" (no rules in the application firewall, though). Oh, IPS is also activated.
But it keeps going on. It wouldn't be a real big deal if it didn't stop my anti-virus from updating.

I found some old posts suggesting the following things:
- Set all network definitions to interface "<<Any>>".
  Done that, and also checked the default definitions.
- Recreate all NAT/SNAT/DNAT rules.
  There's just the default masquerading rule.

Update:
It starts when I turn on the web filtering (I only checked "scan with anti-virus" or something in the initial configuration wizard; could it be the anti-virus blocking my connection?).
Out of that log, I only get this:
2013:06:11-18:58:24 UTM-Frank httpproxy[15910]: id="0001" severity="info" sys="SecureWeb" sub="http" name="http access" action="pass" method="GET" srcip="192.168.1.2" dstip="91.228.166.13" user="" statuscode="304" cached="0" profile="REF_DefaultHTTPProfile (Default Proxy)" filteraction="REF_DefaultHTTPCFFAction (Default content filter action)" size="0" request="0xc566090" url="91.228.166.13/.../update.ver" exceptions="" error="" category="9998" reputation="neutral" categoryname="Uncategorized"

2013:06:11-18:59:13 UTM-Frank httpproxy[15910]: id="0001" severity="info" sys="SecureWeb" sub="http" name="http access" action="pass" method="GET" srcip="192.168.1.2" dstip="91.228.166.14" user="" statuscode="304" cached="0" profile="REF_DefaultHTTPProfile (Default Proxy)" filteraction="REF_DefaultHTTPCFFAction (Default content filter action)" size="0" request="0xc566690" url="um02.eset.com/.../Hardware"
2013:06:11-18:59:14 UTM-Frank httpproxy[15910]: id="0001" severity="info" sys="SecureWeb" sub="http" name="http access" action="pass" method="GET" srcip="192.168.1.2" dstip="91.228.166.15" user="" statuscode="200" cached="0" profile="REF_DefaultHTTPProfile (Default Proxy)" filteraction="REF_DefaultHTTPCFFAction (Default content filter action)" size="6848" request="0xc566c90" url="91.228.166.15/.../octet-stream" application="eset"


This thread was automatically locked due to age.
  • Hi,

    60003 is the default packet filter rule.
    You need to check your firewall rules.

    Best regards,

    Gilipeled

    Gil Peled.

    CEO- Expert2IT LTD.

    SOPHOS Platinum Partner.

    Gil@expert2it.co.Il.

  • What rule should I check?
    All there currently is are all the default rules from the wizard, and a "reject any" at the bottom.
  • Frank, 

    scottj reports the same issue with 9.101-12: https://community.sophos.com/products/unified-threat-management/astaroorg/f/54/t/41085

    Cheers - Bob

    PS Please remember to state your exact version when you start a thread.
     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • Sorry for not mentioning the version; it is 9.101-12. I put it in the title now (as I wanted to, but I am easily confused by lots of numbers).

    I did a little bit more reading, and after finding out it COULD've been the content filtering: it is. It is the transparent mode causing this.

    I still don't understand how this could work, can you explain that, or is it too difficult?

    Kind regards,
    Frank
  • Like I said in the other thread, it's a bug.  But, since these are the final packets meant to just close out the session, it's harmless except for "littering" the Firewall log.

    If you have a paid license, please get a ticket submitted to Support so the developers can clean this up.

    Cheers - Bob
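
An added example, not part of any post in this thread and not Sophos code: a log triage script that separates fwrule 60003 drops that look like the session-closing packets described above (TCP from a web port with FIN set and no SYN) from default drops that deserve a look. The sample lines are constructed in the thread's log format with documentation-range addresses; treating RST like FIN and the 80/443 port set are assumptions.

```python
import re
from collections import Counter

# Constructed sample lines in the packetfilter log format shown in the thread
# (addresses are documentation ranges, not taken from the posts).
SAMPLE_LOG = '''\
2013:06:11-18:36:26 utm ulogd[5091]: id="2001" sub="packetfilter" action="drop" fwrule="60003" srcip="203.0.113.10" dstip="192.168.1.2" proto="6" srcport="80" dstport="49159" tcpflags="ACK PSH FIN"
2013:06:11-18:36:28 utm ulogd[5091]: id="2001" sub="packetfilter" action="drop" fwrule="60003" srcip="203.0.113.10" dstip="192.168.1.2" proto="6" srcport="80" dstport="49160" tcpflags="ACK PSH FIN"
2013:06:11-18:37:02 utm ulogd[5091]: id="2001" sub="packetfilter" action="drop" fwrule="60003" srcip="198.51.100.7" dstip="192.168.1.2" proto="6" srcport="51000" dstport="3389" tcpflags="SYN"
2013:06:11-18:37:05 utm ulogd[5091]: id="2001" sub="packetfilter" action="drop" fwrule="60003" srcip="198.51.100.9" dstip="192.168.1.2" proto="17" srcport="5353" dstport="5353"
'''

FIELD_RE = re.compile(r'(\w+)="([^"]*)"')
WEB_PORTS = {"80", "443"}  # assumption: ports handled by the transparent proxy


def parse_line(line):
    """Return the key="value" fields of one log line as a dict."""
    return dict(FIELD_RE.findall(line))


def classify(event):
    """Label a default-drop entry as session-teardown noise or worth review."""
    if event.get("sub") != "packetfilter" or event.get("fwrule") != "60003":
        return "other"
    flags = set(event.get("tcpflags", "").split())
    # Closing packets carry FIN (RST added as an assumption) and never SYN.
    closing = bool(flags & {"FIN", "RST"}) and "SYN" not in flags
    if event.get("proto") == "6" and closing and event.get("srcport") in WEB_PORTS:
        return "teardown"
    return "review"


def summarize(log_text):
    """Count 60003 drops per (classification, source IP)."""
    counts = Counter()
    for line in log_text.splitlines():
        event = parse_line(line)
        label = classify(event)
        if label != "other":
            counts[(label, event["srcip"])] += 1
    return counts


if __name__ == "__main__":
    for (label, srcip), n in sorted(summarize(SAMPLE_LOG).items()):
        print(f"{label:9} {srcip:15} {n}")
```

Entries labelled "review" are the ones to compare against the firewall rule set; a log dominated by "teardown" entries matches the harmless log noise described in the thread.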