default drop on a public address

Hi guys.
This is an optimal troubleshooting exercise ... on a UTM I've set up a DNAT for the HTTPS service and it works fine.
Now, when I open the live log I find many internet connections dropped for the service on port 443 ... I have no idea why I found those entries ...


  • These are RST packets received after the UTM believed the connection was closed.  Unless you're having a problem, just ignore these.  If you want to continue this thread, please edit your post and replace the picture of the Firewall Live Log with a line from the full Firewall log file, not the Live Log.

    Cheers - Bob

    Thanks BAlfson ... this is my firewall log. Now the question is: why is an RST packet dropped? RST is a flag in a valid TCP packet ...

    2014:10:30-00:00:05 SG310-1 ulogd[13264]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60002" initf="eth5" outitf="eth1" srcmac="4:f9:38:b4:14:6b" dstmac="0:1a:8c:f0:94:65" srcip="10.10.253.45" dstip="37.119.51.35" proto="6" length="40" tos="0x00" prec="0x00" ttl="126" srcport="143" dstport="52585" tcpflags="RST" 
    2014:10:30-00:00:05 SG310-1 ulogd[13264]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60001" initf="eth1" srcmac="2c:36:f8:2c:d:c9" dstmac="0:1a:8c:f0:94:61" srcip="37.119.51.35" dstip="2.***.55.219" proto="6" length="52" tos="0x00" prec="0x00" ttl="49" srcport="53012" dstport="143" tcpflags="ACK FIN" 
    2014:10:30-00:00:08 SG310-1 ulogd[13264]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60001" initf="eth1" srcmac="2c:36:f8:2c:d:c9" dstmac="0:1a:8c:f0:94:61" srcip="95.235.78.166" dstip="2.***.xx.219" proto="6" length="40" tos="0x00" prec="0x00" ttl="55" srcport="52088" dstport="143" tcpflags="RST" 
    2014:10:30-00:00:08 SG310-1 ulogd[13264]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60001" initf="eth1" srcmac="2c:36:f8:2c:d:c9" dstmac="0:1a:8c:f0:94:61" srcip="95.235.78.166" dstip="2.***.xx.219" proto="6" length="40" tos="0x00" prec="0x00" ttl="55" srcport="52093" dstport="143" tcpflags="RST" 
    2014:10:30-00:00:08 SG310-1 ulogd[13264]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60001" initf="eth1" srcmac="2c:36:f8:2c:d:c9" dstmac="0:1a:8c:f0:94:61" srcip="95.235.78.166" dstip="2.***.xx.219" proto="6" length="40" tos="0x00" prec="0x00" ttl="55" srcport="52091" dstport="143" tcpflags="RST" 
    2014:10:30-00:00:08 SG310-1 ulogd[13264]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60001" initf="eth1" srcmac="2c:36:f8:2c:d:c9" dstmac="0:1a:8c:f0:94:61" srcip="37.119.207.72" dstip="2.***.xx.219" proto="6" length="40" tos="0x00" prec="0x00" ttl="52" srcport="1443" dstport="443" tcpflags="RST" 
    2014:10:30-00:00:12 SG310-1 ulogd[13264]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60001" initf="eth1" srcmac="2c:36:f8:2c:d:c9" dstmac="0:1a:8c:f0:94:61" srcip="151.24.248.16" dstip="2.***.xx.212" proto="6" length="40" tos="0x00" prec="0x00" ttl="119" srcport="51212" dstport="443" tcpflags="ACK RST" 
    2014:10:30-00:00:14 SG310-1 ulogd[13264]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60002" initf="eth5" outitf="eth1" srcmac="4:f9:38:b4:14:6b" dstmac="0:1a:8c:f0:94:65" srcip="10.10.253.44" dstip="62.48.53.90" proto="17" length="76" tos="0x00" prec="0x00" ttl="62" srcport="123" dstport="123" 
    2014:10:30-00:00:14 SG310-1 ulogd[13264]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60001" initf="eth1" srcmac="2c:36:f8:2c:d:c9" dstmac="0:1a:8c:f0:94:61" srcip="87.3.221.208" dstip="2.***.xx.219" proto="6" length="40" tos="0x00" prec="0x00" ttl="55" srcport="35999" dstport="443" tcpflags="RST" 
    2014:10:30-00:00:15 SG310-1 ulogd[13264]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60001" initf="eth1" srcmac="2c:36:f8:2c:d:c9" dstmac="0:1a:8c:f0:94:61" srcip="151.24.248.16" dstip="2.228.55.212" proto="6" length="40" tos="0x00" prec="0x00" ttl="119" srcport="51276" dstport="443" tcpflags="ACK RST" 
    2014:10:30-00:00:20 SG310-1 ulogd[13264]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60001" initf="eth1" srcmac="2c:36:f8:2c:d:c9" dstmac="0:1a:8c:f0:94:61" srcip="218.77.79.43" dstip="2.***.xx.214" proto="6" length="40" tos="0x00" prec="0x00" ttl="239" srcport="37424" dstport="443" tcpflags="SYN"
  • This is a "stateful" firewall that uses a connection tracker.  If the connection tracker believes that a connection has been terminated, it will drop new packets related to that connection.  If you are getting complaints from the users, then there are some things to look at, but all of that looks good to me.

    Cheers - Bob
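
One way to triage a log like the one posted above, following the connection-tracker explanation in the preceding reply (an added example, not part of the original thread and not Sophos code): it parses the key="value" fields and separates dropped RST/FIN packets, which arrive after the tracked connection is gone, from dropped SYNs, which are new connection attempts. The sample lines are constructed in the thread's log layout, and the class names are assumptions of this example.

```python
import re
from collections import Counter

# Constructed sample lines in the same key="value" layout as the log posted
# in this thread (addresses are documentation ranges, not the poster's).
SAMPLE_LOG = '''\
2014:10:30-00:00:05 fw ulogd[1]: name="Packet dropped" action="drop" fwrule="60002" srcip="10.0.0.45" dstip="198.51.100.35" proto="6" srcport="143" dstport="52585" tcpflags="RST"
2014:10:30-00:00:05 fw ulogd[1]: name="Packet dropped" action="drop" fwrule="60001" srcip="198.51.100.35" dstip="203.0.113.19" proto="6" srcport="53012" dstport="143" tcpflags="ACK FIN"
2014:10:30-00:00:12 fw ulogd[1]: name="Packet dropped" action="drop" fwrule="60001" srcip="198.51.100.16" dstip="203.0.113.12" proto="6" srcport="51212" dstport="443" tcpflags="ACK RST"
2014:10:30-00:00:14 fw ulogd[1]: name="Packet dropped" action="drop" fwrule="60002" srcip="10.0.0.44" dstip="198.51.100.90" proto="17" srcport="123" dstport="123"
2014:10:30-00:00:20 fw ulogd[1]: name="Packet dropped" action="drop" fwrule="60001" srcip="198.51.100.43" dstip="203.0.113.14" proto="6" srcport="37424" dstport="443" tcpflags="SYN"
'''

FIELD = re.compile(r'(\w+)="([^"]*)"')

def classify(fields):
    """Label one dropped packet by what its TCP flags say about connection state."""
    if fields.get("proto") != "6":
        return "non-tcp"
    flags = set(fields.get("tcpflags", "").split())
    if "SYN" in flags and "ACK" not in flags:
        return "new-connection"   # opening packet that no rule allowed
    if flags & {"RST", "FIN"}:
        return "late-teardown"    # closing packet with no tracked connection
    return "other-tcp"

def summarize(log_text):
    """Count drops per (fwrule, class), skipping lines that are not drops."""
    counts = Counter()
    for line in log_text.splitlines():
        fields = dict(FIELD.findall(line))
        if fields.get("action") != "drop":
            continue
        counts[(fields.get("fwrule", "?"), classify(fields))] += 1
    return counts

if __name__ == "__main__":
    for (rule, kind), n in sorted(summarize(SAMPLE_LOG).items()):
        print(f"fwrule={rule:<6} {kind:<15} {n}")
```

A log dominated by `late-teardown` matches the "just ignore these" case; a rising `new-connection` count against a published port is the part that deserves a look at the NAT and firewall rules.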
  • Hi,

    There are several long threads about this; you can find one at
    https://community.sophos.com/products/unified-threat-management/astaroorg/f/54/t/39325

    There are instructions in there for creating a rule to exclude them from the log, if desired.
    However, if they're not flooding your logs, just ignore them.

    Barry
  • OK, thanks for this answer ... I've already created this rule but I don't understand why the clients (many mobile devices) generate this RST ... sorry, it's only my personal interest ...