Thread Info
  • State Not Answered
  • Locked Locked
  • Replies 1 reply
  • Subscribers 2 subscribers
  • Views 3287 views
  • Users 0 members are here
Options
Suggested
This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

External Hosts Showing As Internal Clients

InfinityPro
Hello,

I'm worried I have something misconfigured which is allowing external hosts to act as internal clients. When I go to Interfaces & Routing, under Top Source Hosts, I see several external IPs. If I click the arrow next to the pie chart which takes me to Logging & Reporting > Network Usage > Bandwidth Usage, I see ~9 external hosts. They all have sent less than 10 packets with most sending around 1 packet per host.

I've attached a screenshot, which shows the top clients report. I'm not sure where I have something misconfigured and I'm hoping you can point me in the right direction.

Since I'm familiar with shodan, here is my firewall log for the shodan ip (from the day prior): 
2014:09:26-02:05:46 SophosUTM ulogd[21329]: id="2000" severity="info" sys="SecureNet" sub="packetfilter" name="Packet logged" action="log" fwrule="0" mark="0x116a" app="362" srcip="my.public.ip" dstip="198.20.69.74" proto="6" length="44" tos="0x00" prec="0x00" ttl="64" srcport="443" dstport="3667" tcpflags="ACK SYN" info="nf_ct_tcp: invalid packet ignored in state SYN_RECV "

2014:09:26-02:05:48 SophosUTM ulogd[21329]: id="2000" severity="info" sys="SecureNet" sub="packetfilter" name="Packet logged" action="log" fwrule="0" mark="0x116a" app="362" srcip="my.public.ip" dstip="198.20.69.74" proto="6" length="44" tos="0x00" prec="0x00" ttl="64" srcport="443" dstport="3667" tcpflags="ACK SYN" info="nf_ct_tcp: invalid packet ignored in state SYN_RECV "

2014:09:26-02:05:53 SophosUTM ulogd[21329]: id="2000" severity="info" sys="SecureNet" sub="packetfilter" name="Packet logged" action="log" fwrule="0" mark="0x116a" app="362" srcip="my.public.ip" dstip="198.20.69.74" proto="6" length="44" tos="0x00" prec="0x00" ttl="64" srcport="443" dstport="3667" tcpflags="ACK SYN" info="nf_ct_tcp: invalid packet ignored in state SYN_RECV "

2014:09:26-02:05:56 SophosUTM ulogd[21329]: id="2000" severity="info" sys="SecureNet" sub="packetfilter" name="Packet logged" action="log" fwrule="0" mark="0x116a" app="362" srcip="my.public.ip" dstip="198.20.69.74" proto="6" length="60" tos="0x00" prec="0x00" ttl="64" srcport="443" dstport="53070" tcpflags="ACK SYN" info="nf_ct_tcp: invalid packet ignored in state SYN_RECV "

2014:09:26-02:05:57 SophosUTM ulogd[21329]: id="2000" severity="info" sys="SecureNet" sub="packetfilter" name="Packet logged" action="log" fwrule="0" srcip="198.20.69.74" dstip="my.public.ip" proto="6" length="60" tos="0x00" prec="0x00" ttl="55" srcport="53070" dstport="443" tcpflags="SYN" info="nf_ct_tcp: invalid packet ignored in state SYN_RECV "

2014:09:26-02:06:01 SophosUTM ulogd[21329]: id="2000" severity="info" sys="SecureNet" sub="packetfilter" name="Packet logged" action="log" fwrule="0" mark="0x116a" app="362" srcip="my.public.ip" dstip="198.20.69.74" proto="6" length="44" tos="0x00" prec="0x00" ttl="64" srcport="443" dstport="3667" tcpflags="ACK SYN" info="nf_ct_tcp: invalid packet ignored in state SYN_RECV "

2014:09:26-02:06:17 SophosUTM ulogd[21329]: id="2000" severity="info" sys="SecureNet" sub="packetfilter" name="Packet logged" action="log" fwrule="0" mark="0x116a" app="362" srcip="my.public.ip" dstip="198.20.69.74" proto="6" length="44" tos="0x00" prec="0x00" ttl="64" srcport="443" dstport="3667" tcpflags="ACK SYN" info="nf_ct_tcp: invalid packet ignored in state SYN_RECV "


This thread was automatically locked due to age.
Parents
  • 0
    After posting this and going through my configs again, I think I found where I had a setting misconfigured. In Network Protection > NAT > Masquerading, I had a rule for External (WAN) --> External (WAN). The other day I had just configured a port I wasn't using previously and I must have selected the wrong NIC for the rule.
Reply
  • 0
    After posting this and going through my configs again, I think I found where I had a setting misconfigured. In Network Protection > NAT > Masquerading, I had a rule for External (WAN) --> External (WAN). The other day I had just configured a port I wasn't using previously and I must have selected the wrong NIC for the rule.
Children
No Data