Guest User!

You are not Sophos Staff.

Thread Info
  • State Verified Answer
  • Locked Locked
  • Replies 7 replies
  • Subscribers 3 subscribers
  • Views 8608 views
  • Users 0 members are here
Options
Suggested
This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Why dropped packets?

Jeff x

I am running a streaming server on a node, on the LAN. I want to allow access to it from the Internet. I added a DNAT to forward the specific port it uses to the local IP of the node that the streaming server is running on. I unticked the box for it to automatically create a firewall rule so I could create my own. It seems to be working but I see a lot of dropped packets for the port I have specified in the DNAT and Firewall rules. However, the dropped packets reference the public IP address, not the private address that I specified in the rules.

Web protection is disabled but the WAF is enabled. Only ports 80 and 443 are used in the WAF.

Below are my rules:

DNAT:
Traffic from: ANY
Using service: TCP port 6020
Going to: External WAN address (7.7.7.7, fictitious)
Change the destination to: 192.168.0.2 (Local IP of node running the streaming server)

Firewall rule #1:
Internal (Network) using port 6020 to ANY

Firewall rule #2:
ANY using port 6020 to 192.168.0.2

The dropped packets in the Firewall log are as follows:

10:07:45 Default DROP TCP 5.5.5.5:6223 -> 7.7.7.7:6020

5.5.5.5 being the fictiious public IP of my mobile phone and 7.7.7.7 being the fictitious public IP of my gateway.

Why are these packets being dropped? I'm having streaming issues but I do not know if it's related to these dropped packets or the streaming server and/or app.

Didn't see anything in the IPS log.



This thread was automatically locked due to age.
Parents
  • 0

    10:07:45 Default DROP TCP 5.5.5.5:6223 -> 7.7.7.7:6020

    Alone among the logs, the Firewall Live Log presents abbreviated information in a format easier to read quickly.  Usually, you can't troubleshoot without looking at the corresponding line from the full Firewall log file.  Please post one line corresponding to this one.

    Cheers - Bob

  • 0 in reply to BAlfson

    "5.5.5.5 being the fictitious public IP of my mobile phone and 7.7.7.7 being the fictitious public IP of my gateway."

    Most of the lines in the firewall log reference the public IP that I have assigned to one of the external interfaces of the Sophos UTM (7.7.7.7). Below is a line from the log:

    ...
    /var/log/packetfilter/2016/08/packetfilter-2016-08-25.log.gz:2016:08:25-13:18:44 gateway ulogd[13464]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60001" initf="eth1" srcmac="b7:9f:c9:7a:53:23" dstmac="a3:ba:db:e8:fd:75" srcip="5.5.5.5" dstip="7.7.7.7" proto="6" length="40" tos="0x00" prec="0x20" ttl="48" srcport="8040" dstport="6020" tcpflags="RST"
    ...

    A very small portion of the log entries references the private IP of the node running the streaming server (192.168.0.2). Below is a line from the log:

    ...
    /var/log/packetfilter/2016/08/packetfilter-2016-08-25.log.gz:2016:08:25-13:10:59 gateway ulogd[13464]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60002" initf="eth0" outitf="eth1" srcmac="00:50:56:ba:b5:7c" dstmac="a4:ba:db:e8:cd:77" srcip="192.168.0.2" dstip="5.5.5.5" proto="6" length="40" tos="0x00" prec="0x00" ttl="127" srcport="6020" dstport="20260" tcpflags="ACK RST"
    ...

    Any ideas?

  • 0 in reply to Jeff x

    You can ignore those entries. RST and ACK RST are not an indication of any problem. It's just TCP being chatty.

    Cheers - Bob

Reply Children
No Data