I re-installed the Sophos UTM Home (version 9.350-12) and found some log entries like these:
11:44:10 Default DROP TCP 31.13.86.37 : 443 → 10.1.0.7 : 50581 [RST] len=40 ttl=64 tos=0x00 srcmac=00:22:4d:86:fd:cb
11:44:10 Default DROP TCP 31.13.86.8 : 443 → 10.1.0.7 : 50583 [RST] len=40 ttl=64 tos=0x00 srcmac=00:22:4d:86:fd:cb
11:44:10 Default DROP TCP 31.13.86.37 : 443 → 10.1.0.7 : 50582 [RST] len=40 ttl=64 tos=0x00 srcmac=00:22:4d:86:fd:cb
11:44:10 Default DROP TCP 31.13.86.8 : 443 → 10.1.0.7 : 50584 [RST] len=40 ttl=64 tos=0x00 srcmac=00:22:4d:86:fd:cb
11:44:10 Default DROP TCP 31.13.86.37 : 443 → 10.1.0.7 : 50581 [RST] len=40 ttl=64 tos=0x00 srcmac=00:22:4d:86:fd:cb
11:44:10 Default DROP TCP 31.13.86.8 : 443 → 10.1.0.7 : 50584 [RST] len=40 ttl=64 tos=0x00 srcmac=00:22:4d:86:fd:cb
11:44:10 Default DROP TCP 31.13.86.8 : 443 → 10.1.0.7 : 50583 [RST] len=40 ttl=64 tos=0x00 srcmac=00:22:4d:86:fd:cb
11:44:10 Default DROP TCP 31.13.86.37 : 443 → 10.1.0.7 : 50582 [RST] len=40 ttl=64 tos=0x00 srcmac=00:22:4d:86:fd:cb
11:44:10 Default DROP TCP 31.13.86.37 : 443 → 10.1.0.7 : 50581 [RST] len=40 ttl=64 tos=0x00 srcmac=00:22:4d:86:fd:cb
11:44:10 Default DROP TCP 31.13.86.8 : 443 → 10.1.0.7 : 50584 [RST] len=40 ttl=64 tos=0x00 srcmac=00:22:4d:86:fd:cb
11:44:10 Default DROP TCP 31.13.86.8 : 443 → 10.1.0.7 : 50583 [RST] len=40 ttl=64 tos=0x00 srcmac=00:22:4d:86:fd:cb
11:44:10 Default DROP TCP 31.13.86.37 : 443 → 10.1.0.7 : 50582 [RST] len=40 ttl=64 tos=0x00 srcmac=00:22:4d:86:fd:cb
11:44:10 Default DROP TCP 31.13.86.37 : 443 → 10.1.0.7 : 50581 [RST] len=40 ttl=64 tos=0x00 srcmac=00:22:4d:86:fd:cb
11:44:10 Default DROP TCP 31.13.86.8 : 443 → 10.1.0.7 : 50584 [RST] len=40 ttl=64 tos=0x00 srcmac=00:22:4d:86:fd:cb
11:44:11 Default DROP TCP 31.13.86.8 : 443 → 10.1.0.7 : 50583 [RST] len=40 ttl=64 tos=0x00 srcmac=00:22:4d:86:fd:cb
11:44:11 Default DROP TCP 31.13.86.37 : 443 → 10.1.0.7 : 50582 [RST] len=40 ttl=64 tos=0x00 srcmac=00:22:4d:86:fd:cb
11:44:11 Default DROP TCP 31.13.86.37 : 443 → 10.1.0.7 : 50581 [RST] len=40 ttl=64 tos=0x00 srcmac=00:22:4d:86:fd:cb
11:44:11 Default DROP TCP 31.13.86.8 : 443 → 10.1.0.7 : 50584 [RST] len=40 ttl=64 tos=0x00 srcmac=00:22:4d:86:fd:cb
11:44:11 Default DROP TCP 31.13.86.8 : 443 → 10.1.0.7 : 50583 [RST] len=40 ttl=64 tos=0x00 srcmac=00:22:4d:86:fd:cb
11:44:11 Default DROP TCP 31.13.86.37 : 443 → 10.1.0.7 : 50582 [RST] len=40 ttl=64 tos=0x00 srcmac=00:22:4d:86:fd:cb
11:44:12 Default DROP TCP 31.13.86.37 : 443 → 10.1.0.7 : 50581 [RST] len=40 ttl=64 tos=0x00 srcmac=00:22:4d:86:fd:cb
11:44:12 Default DROP TCP 31.13.86.8 : 443 → 10.1.0.7 : 50584 [RST] len=40 ttl=64 tos=0x00 srcmac=00:22:4d:86:fd:cb
11:44:14 Default DROP TCP 31.13.86.8 : 443 → 10.1.0.7 : 50583 [RST] len=40 ttl=64 tos=0x00 srcmac=00:22:4d:86:fd:cb
11:44:14 Default DROP TCP 31.13.86.37 : 443 → 10.1.0.7 : 50582 [RST] len=40 ttl=64 tos=0x00 srcmac=00:22:4d:86:fd:cb
11:44:14 Default DROP TCP 31.13.86.37 : 443 → 10.1.0.7 : 50581 [RST] len=40 ttl=64 tos=0x00 srcmac=00:22:4d:86:fd:cb
11:44:14 Default DROP TCP 31.13.86.8 : 443 → 10.1.0.7 : 50584 [RST] len=40 ttl=64 tos=0x00 srcmac=00:22:4d:86:fd:cb
To me this looks like push notifications or other traffic coming from sites like "Facebook". The device is an Apple iPhone (correctly configured as a static host on the Sophos).
I already set up a rule:
SRC: ANY
PORT: SRC 443, DST: ANY
DST: 10.1.0.7
Rule: Allow
but it doesn't seem to work.
Do you have any ideas?
Kind Regards
ZEroEnna
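Added example, not from the post above and not Sophos code: a small Python triage script for packet-filter lines in the layout the post shows. It parses each entry, labels a dropped TCP packet by its flags and port roles, and aggregates the drops per source. Every line in the post is a bare RST sent from port 443 to one of the client's high ports; a stateful filter drops such a packet when it no longer holds a connection entry for that 4-tuple, so a burst like this is usually the tail of sessions the client has already closed rather than blocked traffic. It is also worth keeping in mind that an allow rule keyed on a remote *source* port admits any inbound packet that sets that source port, which is why sorting the drops by category first is the safer move. The fifth sample line is a constructed inbound SYN from a TEST-NET-3 address, added so the classifier has a second category to separate; the regex, category names and the `EPHEMERAL_START` threshold are the example's own choices.

```python
"""Triage helper for flattened Sophos UTM packet-filter log lines.

Example code: it parses entries in the layout shown in the post,
classifies each dropped packet by TCP flags and port roles, and
aggregates the result so that late RSTs can be told apart from
unsolicited inbound connection attempts before any rule is relaxed.
"""
import re
from collections import Counter

# Constructed sample in the post's layout. The first four lines mirror the
# post; the last line is a constructed inbound SYN (TEST-NET-3 source) added
# so the classifier has something other than RSTs to distinguish.
SAMPLE_LOG = """\
11:44:10 Default DROP TCP 31.13.86.37 : 443 → 10.1.0.7 : 50581 [RST] len=40 ttl=64 tos=0x00 srcmac=00:22:4d:86:fd:cb
11:44:10 Default DROP TCP 31.13.86.8 : 443 → 10.1.0.7 : 50583 [RST] len=40 ttl=64 tos=0x00 srcmac=00:22:4d:86:fd:cb
11:44:11 Default DROP TCP 31.13.86.37 : 443 → 10.1.0.7 : 50582 [RST] len=40 ttl=64 tos=0x00 srcmac=00:22:4d:86:fd:cb
11:44:14 Default DROP TCP 31.13.86.8 : 443 → 10.1.0.7 : 50584 [RST] len=40 ttl=64 tos=0x00 srcmac=00:22:4d:86:fd:cb
11:44:20 Default DROP TCP 203.0.113.9 : 51234 → 10.1.0.7 : 22 [SYN] len=60 ttl=52 tos=0x00 srcmac=00:22:4d:86:fd:cb
"""

# time  rule  action  proto  src : sport -> dst : dport  [FLAGS]  key=value ...
LINE_RE = re.compile(
    r"^(?P<time>\d\d:\d\d:\d\d)\s+(?P<rule>\S+)\s+(?P<action>DROP|ACCEPT|REJECT)\s+(?P<proto>\w+)\s+"
    r"(?P<src>\d+\.\d+\.\d+\.\d+)\s*:\s*(?P<sport>\d+)\s*(?:→|->)\s*"
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\s*:\s*(?P<dport>\d+)\s*"
    r"\[(?P<flags>[^\]]*)\]\s*(?P<rest>.*)$"
)

EPHEMERAL_START = 1024  # assumption: ports at or above this are client-side ports


def parse_line(line):
    """Parse one log line into a dict, or return None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    entry = m.groupdict()
    entry["sport"] = int(entry["sport"])
    entry["dport"] = int(entry["dport"])
    entry["flags"] = frozenset(entry["flags"].replace(",", " ").split())
    # Trailing key=value attributes (len=40 ttl=64 ...) become a nested dict.
    entry["attrs"] = dict(kv.split("=", 1) for kv in entry.pop("rest").split() if "=" in kv)
    return entry


def parse_log(text):
    """Parse every matching line of a log dump; silently skip non-matching lines."""
    return [e for e in (parse_line(l) for l in text.splitlines()) if e]


def classify(entry):
    """Label a dropped packet by what its flags and port roles imply."""
    if entry["proto"] != "TCP":
        return "non_tcp"
    flags = entry["flags"]
    if flags == {"RST"} and entry["sport"] < EPHEMERAL_START <= entry["dport"]:
        # A bare RST from a server port to a client high port carries no payload
        # and opens nothing. A stateful filter drops it once it has no connection
        # entry for the 4-tuple, so this is typically the tail of a closed session.
        return "late_rst"
    if "SYN" in flags and "ACK" not in flags:
        # SYN without ACK is a fresh inbound connection attempt; a default DROP
        # on these is the filter doing its job.
        return "unsolicited_syn"
    return "other"


def summarize(entries):
    """Count drops per category and per (category, source IP, destination IP)."""
    by_category = Counter(classify(e) for e in entries)
    by_tuple = Counter((classify(e), e["src"], e["dst"]) for e in entries)
    return {"by_category": dict(by_category), "by_tuple": dict(by_tuple)}


if __name__ == "__main__":
    summary = summarize(parse_log(SAMPLE_LOG))
    for category, count in sorted(summary["by_category"].items()):
        print(f"{category:16s} {count}")
    for (category, src, dst), count in sorted(summary["by_tuple"].items()):
        print(f"  {category:14s} {src:>15s} -> {dst:<12s} {count}")
```

Run against the real log, the interesting output is any category other than `late_rst`: those are the entries worth a rule change or a closer look, while a run of `late_rst` drops to a single client is log noise that a stateful filter produces by design.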