This discussion has been locked.

You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Weird Firewall Activity..

I am seeing some weird firewall activity lately that I cant understand... Not sure if I am missing something...:

2014:07:12-07:40:30 gateway ulogd[18872]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60001" initf="ppp0" srcip="198.23.53.106" dstip="(Destination Protected).201" proto="6" length="40" tos="0x02" prec="0x00" ttl="19" srcport="240" dstport="80" tcpflags="SYN" 

2014:07:12-07:40:31 gateway ulogd[18872]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="1" initf="ppp0" outitf="eth1" srcmac="0:c:29:b7:95:98" srcip="68.178.130.235" dstip="192.168.25.3" proto="6" length="44" tos="0x00" prec="0x00" ttl="18" srcport="64" dstport="80" tcpflags="SYN" 

2014:07:12-07:40:34 gateway ulogd[18872]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60001" initf="ppp0" srcip="23.229.195.192" dstip="(Destination Protected).201" proto="6" length="40" tos="0x02" prec="0x00" ttl="19" srcport="29872" dstport="80" tcpflags="SYN" 

2014:07:12-07:40:34 gateway ulogd[18872]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60001" initf="ppp0" srcip="184.154.128.42" dstip="(Destination Protected).201" proto="6" length="40" tos="0x02" prec="0x00" ttl="19" srcport="49165" dstport="80" tcpflags="SYN" 

2014:07:12-07:40:34 gateway ulogd[18872]: id="2002" severity="info" sys="SecureNet" sub="packetfilter" name="Packet accepted" action="accept" fwrule="6" initf="ppp0" outitf="eth1" srcmac="0:c:29:b7:95:98" srcip="(Source Protected)" dstip="192.168.25.3" proto="6" length="48" tos="0x00" prec="0x00" ttl="54" srcport="21434" dstport="80" tcpflags="SYN" 

2014:07:12-07:40:35 gateway ulogd[18872]: id="2002" severity="info" sys="SecureNet" sub="packetfilter" name="Packet accepted" action="accept" fwrule="6" initf="ppp0" outitf="eth1" srcmac="0:c:29:b7:95:98" srcip="(Source Protected)" dstip="192.168.25.3" proto="6" length="48" tos="0x00" prec="0x00" ttl="54" srcport="21467" dstport="80" tcpflags="SYN" 

2014:07:12-07:40:35 gateway ulogd[18872]: id="2002" severity="info" sys="SecureNet" sub="packetfilter" name="Packet accepted" action="accept" fwrule="6" initf="ppp0" outitf="eth1" srcmac="0:c:29:b7:95:98" srcip="(Source Protected)" dstip="192.168.25.3" proto="6" length="48" tos="0x00" prec="0x00" ttl="54" srcport="21468" dstport="80" tcpflags="SYN" 

2014:07:12-07:40:35 gateway ulogd[18872]: id="2002" severity="info" sys="SecureNet" sub="packetfilter" name="Packet accepted" action="accept" fwrule="6" initf="ppp0" outitf="eth1" srcmac="0:c:29:b7:95:98" srcip="(Source Protected)" dstip="192.168.25.3" proto="6" length="48" tos="0x00" prec="0x00" ttl="54" srcport="21471" dstport="80" tcpflags="SYN" 

2014:07:12-07:40:35 gateway ulogd[18872]: id="2002" severity="info" sys="SecureNet" sub="packetfilter" name="Packet accepted" action="accept" fwrule="6" initf="ppp0" outitf="eth1" srcmac="0:c:29:b7:95:98" srcip="(Source Protected)" dstip="192.168.25.3" proto="6" length="48" tos="0x00" prec="0x00" ttl="54" srcport="21474" dstport="80" tcpflags="SYN" 

2014:07:12-07:40:35 gateway ulogd[18872]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60001" initf="ppp0" srcip="168.137.100.21" dstip="(Destination Protected).206" proto="1" length="60" tos="0x00" prec="0x00" ttl="120" type="8" code="0" 

2014:07:12-07:40:36 gateway ulogd[18872]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60001" initf="ppp0" srcip="198.23.53.106" dstip="(Destination Protected).201" proto="6" length="40" tos="0x02" prec="0x00" ttl="19" srcport="12422" dstport="80" tcpflags="SYN" 

2014:07:12-07:40:38 gateway ulogd[18872]: id="2002" severity="info" sys="SecureNet" sub="packetfilter" name="Packet accepted" action="accept" fwrule="7" initf="ppp0" outitf="eth1" srcmac="0:c:29:b7:95:98" srcip="202.46.62.15" dstip="192.168.25.4" proto="6" length="60" tos="0x00" prec="0x00" ttl="44" srcport="48039" dstport="80" tcpflags="SYN" 

2014:07:12-07:40:40 gateway ulogd[18872]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60001" initf="ppp0" srcip="168.137.100.21" dstip="(Destination Protected).206" proto="1" length="60" tos="0x00" prec="0x00" ttl="120" type="8" code="0" 

2014:07:12-07:40:40 gateway ulogd[18872]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60001" initf="ppp0" srcip="23.229.195.192" dstip="(Destination Protected).201" proto="6" length="40" tos="0x02" prec="0x00" ttl="19" srcport="8396" dstport="80" tcpflags="SYN" 

2014:07:12-07:40:40 gateway ulogd[18872]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60001" initf="ppp0" srcip="184.154.128.42" dstip="(Destination Protected).201" proto="6" length="40" tos="0x02" prec="0x00" ttl="19" srcport="32984" dstport="80" tcpflags="SYN" 

2014:07:12-07:40:43 gateway ulogd[18872]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60001" initf="ppp0" srcip="198.23.53.106" dstip="(Destination Protected).201" proto="6" length="40" tos="0x02" prec="0x00" ttl="19" srcport="228" dstport="80" tcpflags="SYN" 

2014:07:12-07:40:44 gateway ulogd[18872]: id="2002" severity="info" sys="SecureNet" sub="packetfilter" name="Packet accepted" action="accept" fwrule="7" initf="ppp0" outitf="eth1" srcmac="0:c:29:b7:95:98" srcip="119.63.193.194" dstip="192.168.25.4" proto="6" length="60" tos="0x00" prec="0x00" ttl="44" srcport="47865" dstport="80" tcpflags="SYN"

Please note the dropped packets via rule 60001 to port 80, i would expect a drop if it was a FIN ACK, not a SYN.. But I do notice that the TOS=0x02 on the 60001 rule dropped packets and the srcmac is missing...

2014:07:12-07:40:34 gateway ulogd[18872]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60001" initf="ppp0" srcip="23.229.195.192" dstip="(Destination Protected).201" proto="6" length="40" tos="0x02" prec="0x00" ttl="19" srcport="29872" dstport="80" tcpflags="SYN"

It is not a normal firewall block though.

If you look at this transaction, the .201 is the NATed interface for 192.168.25.3, here is a successful transaction:

2014:07:12-07:40:34 gateway ulogd[18872]: id="2002" severity="info" sys="SecureNet" sub="packetfilter" name="Packet accepted" action="accept" fwrule="6" initf="ppp0" outitf="eth1" srcmac="0:c:29:b7:95:98" srcip="(Source Protected)" dstip="192.168.25.3" proto="6" length="48" tos="0x00" prec="0x00" ttl="54" srcport="21434" dstport="80" tcpflags="SYN"

Any Thoughts or anything to look at..

And don't send me to the "rules" page... LOL

This thread was automatically locked due to age.

Parents

0 BAlfson over 11 years ago

I think the reason that no one has responded is because it's not clear what you're experiencing that caused you to look in the Firewall log.

Cheers - Bob
Cancel
Vote Up 0 Vote Down

Cancel

Reply

0 BAlfson over 11 years ago

I think the reason that no one has responded is because it's not clear what you're experiencing that caused you to look in the Firewall log.

Cheers - Bob
Cancel
Vote Up 0 Vote Down

Cancel

Children

No Data