Default drop on port 8000 (online radio)

Hi!

I am having trouble with port 8000. How do I open it for this IP, 93.103.13.156, to listen to an online radio? I am getting a default drop.

Here is the firewall log.

Default DROP TCP  
192.168.2.4 : 20860
93.103.13.156 : 8000
[SYN] len=60 ttl=60 tos=0x00 srcmac=b0:5a:da:cb:1f:d2 dstmac=00:1c:c0:fe:6b:6c

Thanks!

  • Alone among the logs, the Firewall Live Log presents abbreviated information in a format easier to read quickly.  Usually, you can't troubleshoot without looking at the corresponding line from the full Firewall log file.  Please post the line corresponding to the one above.  Also, confirm that your configuration doesn't violate #3 or #4 in Rulz.


    Cheers - Bob

  • Here is some of the full firewall log. Hope it helps to determine the cause.

    2016:02:16-18:58:23 kll ulogd[8921]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60002" initf="eth0" outitf="ppp0" srcmac="b0:5a:da:cb:1f:d2" dstmac="00:1c:c0:fe:6b:6c" srcip="192.168.2.4" dstip="93.103.13.156" proto="6" length="60" tos="0x00" prec="0x00" ttl="60" srcport="19061" dstport="8000" tcpflags="SYN"

  • fwrule="60002"

    This means that there's no firewall rule allowing this port out, so you need something like 'Internal (Network) -> {1:65535->8000} -> Internet : Allow'.

    Cheers - Bob
    PS We only needed the one line, so I erased the others.
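As an added example (not part of this thread or of the UTM itself), the following Python script parses the two full-firewall-log lines posted in this thread and reports, for each packet, whether it hit the built-in default drop (fwrule 60002, as Bob reads it above) or a numbered user rule. The meaning of rule 60002 is an assumption taken from this thread, and the sample lines are copies of the two posted above.

```python
import re

# Two ulogd "packetfilter" lines copied from this thread (constructed sample input).
SAMPLE_LOG = """\
2016:02:16-18:58:23 kll ulogd[8921]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60002" initf="eth0" outitf="ppp0" srcmac="b0:5a:da:cb:1f:d2" dstmac="00:1c:c0:fe:6b:6c" srcip="192.168.2.4" dstip="93.103.13.156" proto="6" length="60" tos="0x00" prec="0x00" ttl="60" srcport="19061" dstport="8000" tcpflags="SYN"
2016:02:20-08:04:52 kll ulogd[4572]: id="2002" severity="info" sys="SecureNet" sub="packetfilter" name="Packet accepted" action="accept" fwrule="3" initf="eth0" outitf="ppp0" srcmac="b0:5a:da:cb:1f:d2" dstmac="00:1c:c0:fe:6b:6c" srcip="192.168.2.1" dstip="93.103.13.156" proto="6" length="60" tos="0x00" prec="0x00" ttl="60" srcport="18125" dstport="8000" tcpflags="SYN"
"""

KV_RE = re.compile(r'(\w+)="([^"]*)"')
PROTO_NAMES = {"1": "ICMP", "6": "TCP", "17": "UDP"}
# Assumption from the thread: fwrule="60002" is the UTM's built-in default drop,
# i.e. no user-defined rule matched the packet.
DEFAULT_DROP_RULE = "60002"


def parse_line(line):
    """Split one ulogd line into its key="value" fields plus the timestamp."""
    head, _, rest = line.partition(": ")          # first ': ' ends the syslog prefix
    fields = dict(KV_RE.findall(rest))
    fields["timestamp"] = head.split(" ", 1)[0]   # e.g. 2016:02:16-18:58:23
    return fields


def explain(fields):
    """Turn a parsed packetfilter event into a one-line, human-readable verdict."""
    proto = PROTO_NAMES.get(fields.get("proto", ""), "proto " + fields.get("proto", "?"))
    flow = "%s %s:%s -> %s:%s via %s->%s" % (
        proto, fields.get("srcip", "?"), fields.get("srcport", "-"),
        fields.get("dstip", "?"), fields.get("dstport", "-"),
        fields.get("initf", "?"), fields.get("outitf", "?"))
    action, rule = fields.get("action"), fields.get("fwrule")
    if action == "drop" and rule == DEFAULT_DROP_RULE:
        return flow + ": DEFAULT DROP, no allow rule matched (add an outbound allow for this service)"
    if action == "drop":
        return flow + ": dropped by rule #%s" % rule
    return flow + ": accepted by rule #%s" % rule


def explain_log(text):
    """Explain every packetfilter line in a block of log text, in order."""
    return [explain(parse_line(l)) for l in text.splitlines() if 'sub="packetfilter"' in l]


if __name__ == "__main__":
    for verdict in explain_log(SAMPLE_LOG):
        print(verdict)
```

Run it against a saved copy of the full firewall log to spot default drops that the abbreviated Live Log would not flag by rule number.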

  • I have the following rule for allowing port 8000. But remember my network knowledge is limited.

    No group, position 3, internal network 192.168.2.0/24, services TCP, destination port 8000, source port 1:65535, allow. Destination is external network. My only internet connection is a mobile broadband modem (4G modem). Is this rule OK? Still getting default drop.

    Thanks for your help.
  • I've corrected my post above by adding "Internet" to the traffic selector. Your destination was incorrect.

    Cheers - Bob
  • I chose Internet IPv4 for the destination. No more default drop. Here is the live log.
    08:04:57 Packet filter rule #3 TCP
    192.168.2.1 : 18126

    93.103.13.156 : 8000

    [SYN] len=60 ttl=60 tos=0x00 srcmac=b0:5a:da:cb:1f:d2 dstmac=00:1c:c0:fe:6b:6c

    And the line from the full firewall log.

    2016:02:20-08:04:52 kll ulogd[4572]: id="2002" severity="info" sys="SecureNet" sub="packetfilter" name="Packet accepted" action="accept" fwrule="3" initf="eth0" outitf="ppp0" srcmac="b0:5a:da:cb:1f:d2" dstmac="00:1c:c0:fe:6b:6c" srcip="192.168.2.1" dstip="93.103.13.156" proto="6" length="60" tos="0x00" prec="0x00" ttl="60" srcport="18125" dstport="8000" tcpflags="SYN"
  • Still not working. The error in VLC player is "Your input can't be opened:
    VLC is unable to open the MRL 'http://93.103.13.156:8000/'. Check the log for details."
  • Well, if VLC has its own logs, what do they say? Maybe they'll be verbose enough to give you an indicator of what it's trying to do. Take a pcap on your client and see what traffic doesn't look right.
  • I tried to connect this PC to a home router and VLC player plays without problems.
    Here are the logs from VLC player on the PC connected to the Sophos UTM.
    Your input can't be opened:
    VLC is unable to open the MRL 'http://93.103.13.156:8000/'. Check the log for details.

    Verbosity 0

    http error: cannot connect to 93.103.13.156:8000
    access_mms error: cannot connect to 93.103.13.156:8000
    core error: open of `http://93.103.13.156:8000/' failed

    Verbosity 1

    core warning: connection timed out
    http error: cannot connect to 93.103.13.156:8000

    Verbosity 2

    core debug: processing request item: (Radio Ekspres), node: Playlist, skip: 0
    core debug: resyncing on (Radio Ekspres)
    core debug: (Radio Ekspres) is at 0
    core debug: starting playback of the new playlist item
    core debug: resyncing on (Radio Ekspres)
    core debug: (Radio Ekspres) is at 0
    core debug: creating new input thread
    core debug: Creating an input for '(Radio Ekspres)'
    core debug: requesting art for (Radio Ekspres)
    core debug: using timeshift granularity of 50 MiB, in path '/tmp'
    core debug: `http://93.103.13.156:8000/' gives access `http' demux `' path `93.103.13.156:8000/'
    core debug: specified demux `any'
    core debug: creating demux: access='http' demux='any' location='93.103.13.156:8000/' file='(null)'
    core debug: looking for access_demux module matching "http": 11 candidates
    core debug: no access_demux modules matched
    core debug: creating access 'http' location='93.103.13.156:8000/', path='(null)'
    core debug: looking for access module matching "http": 18 candidates
    http debug: querying proxy for http://93.103.13.156:8000/
    core debug: looking for meta fetcher module matching "any": 1 candidates
    http debug: no proxy
    http debug: http: server='93.103.13.156' port=8000 file='/'
    core debug: net: connecting to 93.103.13.156 port 8000
    lua debug: Trying Lua scripts in /home/kll/.local/share/vlc/lua/meta/fetcher
    lua debug: Trying Lua scripts in /usr/lib/vlc/lua/meta/fetcher
    lua debug: Trying Lua playlist script /usr/lib/vlc/lua/meta/fetcher/tvrage.luac
    lua debug: skipping script (unmatched scope) /usr/lib/vlc/lua/meta/fetcher/tvrage.luac
    lua debug: Trying Lua scripts in /usr/share/vlc/lua/meta/fetcher
    core debug: no meta fetcher modules matched
    core debug: searching art for (Radio Ekspres)
    core debug: looking for art finder module matching "any": 2 candidates
    qt4 debug: IM: Setting an input
    lua debug: Trying Lua scripts in /home/kll/.local/share/vlc/lua/meta/art
    lua debug: Trying Lua scripts in /usr/lib/vlc/lua/meta/art
    lua debug: Trying Lua playlist script /usr/lib/vlc/lua/meta/art/00_musicbrainz.luac
    lua debug: skipping script (unmatched scope) /usr/lib/vlc/lua/meta/art/00_musicbrainz.luac
    lua debug: Trying Lua playlist script /usr/lib/vlc/lua/meta/art/01_googleimage.luac
    lua debug: skipping script (unmatched scope) /usr/lib/vlc/lua/meta/art/01_googleimage.luac
    lua debug: Trying Lua playlist script /usr/lib/vlc/lua/meta/art/02_frenchtv.luac
    lua debug: skipping script (unmatched scope) /usr/lib/vlc/lua/meta/art/02_frenchtv.luac
    lua debug: Trying Lua playlist script /usr/lib/vlc/lua/meta/art/03_lastfm.luac
    lua debug: skipping script (unmatched scope) /usr/lib/vlc/lua/meta/art/03_lastfm.luac
    lua debug: Trying Lua scripts in /usr/share/vlc/lua/meta/art
    core debug: no art finder modules matched
    core debug: art not found for (Radio Ekspres)
    core warning: connection timed out
    http error: cannot connect to 93.103.13.156:8000
    core debug: net: connecting to 93.103.13.156 port 8000
    core warning: connection timed out
    access_mms error: cannot connect to 93.103.13.156:8000
    core debug: no access modules matched
    core error: open of `http://93.103.13.156:8000/' failed
    core debug: dead input
    core debug: changing item without a request (current 0/1)
    core debug: nothing to play
    qt4 debug: IM: Deleting the input

    Hope that this is useful.
  • Does seem to be packet drop related then. So, you can't see any more drops in the Firewall log? Can you look at the IPS logs to see if any other packets are being dropped? Or, create an exception in IPS for that destination address.

    I've just tried this on my Mac (Good tunes on that station by the way, got a bit of Wham on right now) and it works via my test UTM

    Anyway, it does call HTTP as well so are you using Web Filtering? If so, create an exception under Filtering Options for that destination IP as well (May as well skip everything for this test)

    If that doesn't work, I'm pretty stumped. As a last resort, briefly open up your Firewall with an Any --> Any --> Any rule. If that then allows the station to play correctly, then we can revert back to looking at the Firewall rules.
  • As I said before, my networking knowledge is limited, but all that was needed for VLC player to start playing this online radio was to open port 8000 and add a masquerading rule. Now it's working!
  • Ah okay. Yeah it was probably the masquerading rule. Normally the LAN to WAN Masq covers Any service.

    Glad you got it working.