
External Hosts Showing As Internal Clients

Hello,

I'm worried I have something misconfigured which is allowing external hosts to act as internal clients. When I go to Interfaces & Routing, under Top Source Hosts, I see several external IPs. If I click the arrow next to the pie chart, which takes me to Logging & Reporting > Network Usage > Bandwidth Usage, I see ~9 external hosts. They have all sent fewer than 10 packets, with most sending around 1 packet per host.

I've attached a screenshot, which shows the top clients report. I'm not sure where I have something misconfigured and I'm hoping you can point me in the right direction.

Since I'm familiar with Shodan, here is my firewall log for the Shodan IP (from the day prior):
2014:09:26-02:05:46 SophosUTM ulogd[21329]: id="2000" severity="info" sys="SecureNet" sub="packetfilter" name="Packet logged" action="log" fwrule="0" mark="0x116a" app="362" srcip="my.public.ip" dstip="198.20.69.74" proto="6" length="44" tos="0x00" prec="0x00" ttl="64" srcport="443" dstport="3667" tcpflags="ACK SYN" info="nf_ct_tcp: invalid packet ignored in state SYN_RECV "

2014:09:26-02:05:48 SophosUTM ulogd[21329]: id="2000" severity="info" sys="SecureNet" sub="packetfilter" name="Packet logged" action="log" fwrule="0" mark="0x116a" app="362" srcip="my.public.ip" dstip="198.20.69.74" proto="6" length="44" tos="0x00" prec="0x00" ttl="64" srcport="443" dstport="3667" tcpflags="ACK SYN" info="nf_ct_tcp: invalid packet ignored in state SYN_RECV "
2014:09:26-02:05:53 SophosUTM ulogd[21329]: id="2000" severity="info" sys="SecureNet" sub="packetfilter" name="Packet logged" action="log" fwrule="0" mark="0x116a" app="362" srcip="my.public.ip" dstip="198.20.69.74" proto="6" length="44" tos="0x00" prec="0x00" ttl="64" srcport="443" dstport="3667" tcpflags="ACK SYN" info="nf_ct_tcp: invalid packet ignored in state SYN_RECV "
2014:09:26-02:05:56 SophosUTM ulogd[21329]: id="2000" severity="info" sys="SecureNet" sub="packetfilter" name="Packet logged" action="log" fwrule="0" mark="0x116a" app="362" srcip="my.public.ip" dstip="198.20.69.74" proto="6" length="60" tos="0x00" prec="0x00" ttl="64" srcport="443" dstport="53070" tcpflags="ACK SYN" info="nf_ct_tcp: invalid packet ignored in state SYN_RECV "
2014:09:26-02:05:57 SophosUTM ulogd[21329]: id="2000" severity="info" sys="SecureNet" sub="packetfilter" name="Packet logged" action="log" fwrule="0" srcip="198.20.69.74" dstip="my.public.ip" proto="6" length="60" tos="0x00" prec="0x00" ttl="55" srcport="53070" dstport="443" tcpflags="SYN" info="nf_ct_tcp: invalid packet ignored in state SYN_RECV "
2014:09:26-02:06:01 SophosUTM ulogd[21329]: id="2000" severity="info" sys="SecureNet" sub="packetfilter" name="Packet logged" action="log" fwrule="0" mark="0x116a" app="362" srcip="my.public.ip" dstip="198.20.69.74" proto="6" length="44" tos="0x00" prec="0x00" ttl="64" srcport="443" dstport="3667" tcpflags="ACK SYN" info="nf_ct_tcp: invalid packet ignored in state SYN_RECV "
2014:09:26-02:06:17 SophosUTM ulogd[21329]: id="2000" severity="info" sys="SecureNet" sub="packetfilter" name="Packet logged" action="log" fwrule="0" mark="0x116a" app="362" srcip="my.public.ip" dstip="198.20.69.74" proto="6" length="44" tos="0x00" prec="0x00" ttl="64" srcport="443" dstport="3667" tcpflags="ACK SYN" info="nf_ct_tcp: invalid packet ignored in state SYN_RECV "


  • After posting this and going through my configs again, I think I found where I had a setting misconfigured. In Network Protection > NAT > Masquerading, I had a rule for External (WAN) --> External (WAN). The other day I had just configured a port I wasn't using previously and I must have selected the wrong NIC for the rule.
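One way to triage a packetfilter log like the one posted above, added here as an example and not part of the original thread: it tallies packets per remote peer by direction and TCP flags, then lists the peers whose logged traffic consists only of handshake packets (inbound SYN, outbound SYN-ACK). The sample lines are constructed in the format shown in the post; 203.0.113.10 stands in for the firewall's public IP and the 198.51.100.x peers are placeholders.

```python
import re
from collections import defaultdict

FIELD_RE = re.compile(r'(\w+)="([^"]*)"')

# Constructed sample lines in the packetfilter format shown in the post.
# 203.0.113.10 is an assumed stand-in for the firewall's public IP.
SAMPLE_LOG = '''\
2014:09:26-02:05:46 SophosUTM ulogd[21329]: id="2000" sub="packetfilter" action="log" fwrule="0" srcip="203.0.113.10" dstip="198.51.100.7" proto="6" srcport="443" dstport="3667" tcpflags="ACK SYN" info="nf_ct_tcp: invalid packet ignored in state SYN_RECV "
2014:09:26-02:05:48 SophosUTM ulogd[21329]: id="2000" sub="packetfilter" action="log" fwrule="0" srcip="203.0.113.10" dstip="198.51.100.7" proto="6" srcport="443" dstport="3667" tcpflags="ACK SYN" info="nf_ct_tcp: invalid packet ignored in state SYN_RECV "
2014:09:26-02:05:57 SophosUTM ulogd[21329]: id="2000" sub="packetfilter" action="log" fwrule="0" srcip="198.51.100.7" dstip="203.0.113.10" proto="6" srcport="53070" dstport="443" tcpflags="SYN" info="nf_ct_tcp: invalid packet ignored in state SYN_RECV "
2014:09:26-02:06:30 SophosUTM ulogd[21329]: id="2000" sub="packetfilter" action="log" fwrule="0" srcip="203.0.113.10" dstip="198.51.100.9" proto="6" srcport="443" dstport="40112" tcpflags="ACK PSH"
'''

def parse_line(line):
    """Return the key="value" fields of one log line as a dict."""
    return dict(FIELD_RE.findall(line))

def summarize_peers(log_text, local_ip):
    """Per remote peer, count packets keyed by (direction, tcpflags)."""
    peers = defaultdict(lambda: defaultdict(int))
    for line in log_text.splitlines():
        f = parse_line(line)
        if f.get("sub") != "packetfilter":
            continue  # not a firewall packet log line
        if f.get("srcip") == local_ip:
            peer, direction = f.get("dstip"), "out"
        elif f.get("dstip") == local_ip:
            peer, direction = f.get("srcip"), "in"
        else:
            continue  # neither end is the firewall's own address
        peers[peer][(direction, f.get("tcpflags", ""))] += 1
    return {p: dict(c) for p, c in peers.items()}

def handshake_only_peers(summary):
    """Peers whose logged packets are only inbound SYNs and outbound SYN-ACKs."""
    allowed = {("in", "SYN"), ("out", "ACK SYN")}
    return sorted(p for p, c in summary.items() if set(c) <= allowed)

if __name__ == "__main__":
    summary = summarize_peers(SAMPLE_LOG, "203.0.113.10")
    print(summary)
    print(handshake_only_peers(summary))
```
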