Allow certain traffic

Hello everybody,

I would like to ask you for help. The thing is that I want to allow certain services. These include Dropbox and Spotify.

I've allowed Dropbox and Spotify via Application Control (Web Protection > Application Control), but I am still seeing many red lines in the Firewall live log, where you can see the service (Dropbox or Spotify) and next to that you see that the packet has been dropped.

Since I've allowed them in Application Control, how could this happen?

Well, I hope somebody can explain to me what I'm doing wrong, and can give some advice, on how I can manage to do this in the most secure and efficient way.

Thanks a lot!

P.s. yes, I have disabled the IPS rules for Skype



  • Hi,

    Can you please post the log lines that reflect the drops and the screenshot of the application control policy?

    Thanks 

    Sachin Gurung
    Team Lead | Sophos Technical Support

  • Hi A.M.,

    Just to clarify you have web filtering/firewall rules in place to allow HTTP/HTTPS traffic out to the internet?

    Application control looks inside the packet at the application layer whereas the firewall is concerned with the network and transport layers. So therefore if you're not actually allowing out the initial connection then the application control will not fire because it happens after the firewall rejection.

    Easiest way to test is to create a Local Network > HTTP & HTTPS > Internet IPV4 Allow Firewall Rule and see if Skype/Dropbox kicks into life. This would be better served by creating web filtering rules in transparent mode if you are actively trying to block websites, but be careful as you can quite easily block Skype & Dropbox there too.

    Hope that helps,

    Emile

  • Hi Sachin, thanks for your help!

     

    Below are the logs. I’m sorry but I think I have been a bit stupid. Now that I’m looking at it, is it possible that these are broadcast messages that are logged?

     

    Thanks for the help.

     

    2016:10:03-18:04:21 [mySophosserver] ulogd[4461]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60001" initf="eth0" mark="0x307f" app="127" srcmac="[MAC]" dstmac="[MAC]" srcip="[IP]" dstip="255.255.255.255" proto="17" length="225" tos="0x00" prec="0x00" ttl="128" srcport="17500" dstport="17500"

     

    2016:10:03-18:04:21 [mySophosserver] ulogd[4461]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60001" initf="eth0" mark="0x307f" app="127" srcmac="[MAC]" dstmac="[MAC]" srcip="[IP]" dstip="255.255.255.255" proto="17" length="225" tos="0x00" prec="0x00" ttl="128" srcport="17500" dstport="17500"


    2016:10:03-18:04:21 [mySophosserver] ulogd[4461]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60001" initf="eth0" mark="0x307f" app="127" srcmac="[MAC]" dstmac="[MAC]" srcip="[IP]" dstip="192.168.188.255" proto="17" length="225" tos="0x00" prec="0x00" ttl="128" srcport="17500" dstport="17500"

     

     

    (link to image https://drive.google.com/file/d/0BwoVESK-l0CheHFPYklKT0RTUDA/view?usp=sharing)

  • Hello Emile, thank you for your help!

     

    Yes I have; the clients are allowed to use all services

    Internal (Network) > Any > Any

     

    In addition I have disabled the following rules at the Advanced tab in IPS, according to https://community.sophos.com/products/unified-threat-management/f/network-protection-firewall-nat-qos-ips/41225/list-of-ips-rules-with-reported-false-positives-conflicts

     

    2180 (Enable bittorrent traffic)

    2181 (Enable bittorrent traffic)

    16281 (Enable bittorrent traffic)

    16282 (Enable bittorrent traffic)

    24397 (Enable Steam traffic)

    6001 (Enable Skype traffic)

    5998 (Enable Skype traffic)

    5692 (Enable Skype traffic)

    5693 (Enable Skype traffic)

    5694 (Enable Skype traffic)

    18608 (Disables Dropbox events)

    18609 (Disables Dropbox events)

     

    But still I’ve the feeling that I did something wrong. For example, when I download some Ubuntu torrents, it does download them, but with trouble. It is slow and has trouble connecting to seeds/peers (while there are always many, many seeds available).

    I find this strange because I allowed it through the application manager, and on the firewall the PC is allowed to connect to the outside world on any protocol/port.

     

    In the previous situation it worked flawlessly (simple firewall) but now not anymore. I haven’t ever had to use DNAT to be able to download torrents, luckily, but I have the feeling that that's different this time. I have the idea that Sophos sees it as a DDoS or something, because really a lot of packets get dropped.



    One other thing, it is like you have to wait until a connection gets accepted. For example, the whole time it isn’t downloading at all, and then suddenly it is downloading with 7 MB/s. It hasn’t been faster than this, while I’ve downloaded with 10 MB/s from Ubuntu's servers in the past.

     

    Thank you really a lot for your time and effort!


    Attached the log from the firewall

    2016:10:03-18:56:37 [mySophosserver] ulogd[4461]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60001" initf="eth1" mark="0x3c" app="60" srcmac="6c:9c:ed:15:11:8d" dstmac="[myPublicMAC]" srcip="117.192.0.124" dstip="[myPublicIP]" proto="17" length="48" tos="0x00" prec="0x00" ttl="112" srcport="25358" dstport="12660" 
    2016:10:03-18:56:37 [mySophosserver] ulogd[4461]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60001" initf="eth1" srcmac="a2:de:48:00:01:03" dstmac="[myPublicMAC]" srcip="117.192.0.124" dstip="[myPublicIP]" proto="6" length="52" tos="0x00" prec="0x00" ttl="119" srcport="52876" dstport="12660" tcpflags="SYN" 
    2016:10:03-18:56:37 [mySophosserver] ulogd[4461]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60001" initf="eth1" srcmac="6c:9c:ed:15:11:8d" dstmac="[myPublicMAC]" srcip="176.109.1.139" dstip="[myPublicIP]" proto="6" length="52" tos="0x00" prec="0x00" ttl="115" srcport="15282" dstport="12660" tcpflags="SYN" 
    2016:10:03-18:56:37 [mySophosserver] ulogd[4461]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60001" initf="eth1" srcmac="6c:9c:ed:15:11:8d" dstmac="[myPublicMAC]" srcip="186.137.175.161" dstip="[myPublicIP]" proto="6" length="52" tos="0x02" prec="0x00" ttl="112" srcport="64663" dstport="12660" tcpflags="SYN" 
    2016:10:03-18:56:37 [mySophosserver] ulogd[4461]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60001" initf="eth1" srcmac="a2:de:48:00:01:03" dstmac="[myPublicMAC]" srcip="177.182.113.249" dstip="[myPublicIP]" proto="6" length="52" tos="0x00" prec="0x00" ttl="117" srcport="60354" dstport="12660" tcpflags="SYN" 
    2016:10:03-18:56:37 [mySophosserver] ulogd[4461]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60001" initf="eth0" srcmac="00:06:66:31:9f:09" dstmac="00:15:5d:bc:01:24" srcip="192.168.188.24" dstip="255.255.255.255" proto="17" length="144" tos="0x00" prec="0x00" ttl="255" srcport="80" dstport="55555" 
    2016:10:03-18:56:37 [mySophosserver] ulogd[4461]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60001" initf="eth1" mark="0x3c" app="60" srcmac="a2:de:48:00:01:03" dstmac="[myPublicMAC]" srcip="177.182.113.249" dstip="[myPublicIP]" proto="17" length="48" tos="0x00" prec="0x00" ttl="117" srcport="13468" dstport="12660" 
    2016:10:03-18:56:37 [mySophosserver] ulogd[4461]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60001" initf="eth1" srcmac="a2:de:48:00:01:03" dstmac="[myPublicMAC]" srcip="95.174.99.93" dstip="[myPublicIP]" proto="6" length="48" tos="0x00" prec="0x00" ttl="116" srcport="59146" dstport="12660" tcpflags="SYN" 
    2016:10:03-18:56:37 [mySophosserver] ulogd[4461]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60001" initf="eth1" srcmac="a2:de:48:00:01:03" dstmac="[myPublicMAC]" srcip="79.103.46.226" dstip="[myPublicIP]" proto="6" length="48" tos="0x00" prec="0x00" ttl="122" srcport="19617" dstport="12660" tcpflags="SYN" 
    2016:10:03-18:56:38 [mySophosserver] ulogd[4461]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60001" initf="eth1" srcmac="a2:de:48:00:01:03" dstmac="[myPublicMAC]" srcip="94.23.40.5" dstip="[myPublicIP]" proto="6" length="52" tos="0x02" prec="0x00" ttl="122" srcport="58363" dstport="12660" tcpflags="SYN" 
    2016:10:03-18:56:38 [mySophosserver] ulogd[4461]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60001" initf="eth1" srcmac="6c:9c:ed:15:11:8d" dstmac="[myPublicMAC]" srcip="186.228.125.174" dstip="[myPublicIP]" proto="6" length="64" tos="0x00" prec="0x00" ttl="49" srcport="54777" dstport="12660" tcpflags="SYN" 
    2016:10:03-18:56:38 [mySophosserver] ulogd[4461]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60001" initf="eth1" srcmac="6c:9c:ed:15:11:8d" dstmac="[myPublicMAC]" srcip="177.96.13.5" dstip="[myPublicIP]" proto="6" length="48" tos="0x00" prec="0x00" ttl="110" srcport="57178" dstport="12660" tcpflags="SYN" 
    2016:10:03-18:56:38 [mySophosserver] ulogd[4461]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60001" initf="eth1" mark="0x3c" app="60" srcmac="6c:9c:ed:15:11:8d" dstmac="[myPublicMAC]" srcip="177.96.13.5" dstip="[myPublicIP]" proto="17" length="48" tos="0x00" prec="0x00" ttl="110" srcport="30484" dstport="12660" 
    2016:10:03-18:56:38 [mySophosserver] ulogd[4461]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60001" initf="eth1" srcmac="a2:de:48:00:01:03" dstmac="[myPublicMAC]" srcip="169.239.209.6" dstip="[myPublicIP]" proto="6" length="52" tos="0x00" prec="0x00" ttl="115" srcport="63633" dstport="12660" tcpflags="SYN" 
    2016:10:03-18:56:38 [mySophosserver] ulogd[4461]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60001" initf="eth1" mark="0x203c" app="60" srcmac="6c:9c:ed:15:11:8d" dstmac="[myPublicMAC]" srcip="200.6.238.149" dstip="[myPublicIP]" proto="17" length="131" tos="0x00" prec="0x00" ttl="109" srcport="17612" dstport="12660" 
    2016:10:03-18:56:38 [mySophosserver] ulogd[4461]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60001" initf="eth1" mark="0x203c" app="60" srcmac="a2:de:48:00:01:03" dstmac="[myPublicMAC]" srcip="182.69.200.130" dstip="[myPublicIP]" proto="17" length="131" tos="0x00" prec="0x00" ttl="53" srcport="24266" dstport="12660" 
    2016:10:03-18:56:39 [mySophosserver] ulogd[4461]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60001" initf="eth1" srcmac="6c:9c:ed:15:11:8d" dstmac="[myPublicMAC]" srcip="186.228.125.174" dstip="[myPublicIP]" proto="6" length="64" tos="0x00" prec="0x00" ttl="49" srcport="54777" dstport="12660" tcpflags="SYN" 
    2016:10:03-18:56:39 [mySophosserver] ulogd[4461]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60001" initf="eth1" srcmac="a2:de:48:00:01:03" dstmac="[myPublicMAC]" srcip="190.157.41.85" dstip="[myPublicIP]" proto="6" length="48" tos="0x00" prec="0x00" ttl="120" srcport="51904" dstport="12660" tcpflags="SYN" 
    2016:10:03-18:56:39 [mySophosserver] ulogd[4461]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60001" initf="eth1" mark="0x3c" app="60" srcmac="6c:9c:ed:15:11:8d" dstmac="[myPublicMAC]" srcip="217.210.152.182" dstip="[myPublicIP]" proto="17" length="48" tos="0x00" prec="0x00" ttl="118" srcport="27300" dstport="12660" 
    2016:10:03-18:56:39 [mySophosserver] ulogd[4461]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60001" initf="eth1" srcmac="6c:9c:ed:15:11:8d" dstmac="[myPublicMAC]" srcip="217.210.152.182" dstip="[myPublicIP]" proto="6" length="52" tos="0x00" prec="0x00" ttl="118" srcport="62579" dstport="12660" tcpflags="SYN" 
    2016:10:03-18:56:39 [mySophosserver] ulogd[4461]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60001" initf="eth1" mark="0x3c" app="60" srcmac="a2:de:48:00:01:03" dstmac="[myPublicMAC]" srcip="190.157.41.85" dstip="[myPublicIP]" proto="17" length="48" tos="0x00" prec="0x00" ttl="120" srcport="37321" dstport="12660" 
    2016:10:03-18:56:39 [mySophosserver] ulogd[4461]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60001" initf="eth1" srcmac="a2:de:48:00:01:03" dstmac="[myPublicMAC]" srcip="117.192.0.124" dstip="[myPublicIP]" proto="6" length="52" tos="0x00" prec="0x00" ttl="119" srcport="52876" dstport="12660" tcpflags="SYN" 
    

    (link to log https://drive.google.com/file/d/0BwoVESK-l0ChZGltX1B2dF9PUW8/view?usp=sharing)

  • Sorry, didn't know that [ I P ] was becoming [IP]

  • Hi A.M,

    These are input default drops which are dropped via the input chain in iptables. This chain is used to control the behavior for incoming connections. Can you capture and post the http.log? Grep for dropbox and spotify to filter the log lines.

    Last but not least, what does the policy helpdesk option in Web Protection notify for Dropbox and Spotify URL(s)? Policy helpdesk tests URLs against your existing Web Filter Profiles.

    Thanks

    Sachin Gurung
    Team Lead | Sophos Technical Support

  • Hi, A.M., and welcome to the UTM Community!

    When obfuscating an IP, please leave enough clear so that we can see whether it's public or private and differentiate it from similar IPs involved in the issue.

    As others have said, in order for traffic to be seen by Application Control, it first must be accepted by a manual or automatic firewall rule.  See #2 in Rulz.

    Often, #1 in Rulz will point to the cause of a problem.

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
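
The drops discussed above can be grouped by interface, protocol and destination port to check whether they are new inbound connection attempts hitting the default drop rule, which is traffic Application Control never gets to see. This Python sketch is an added example, not part of the thread or of Sophos tooling; the sample lines are constructed (trimmed to the fields used) in the format posted above, and the `wan_if="eth1"` default is an assumption.

```python
import re
from collections import defaultdict

# Constructed sample in the packetfilter/http log format posted in the thread.
# Host name and addresses are placeholders (documentation ranges), not thread data.
SAMPLE_LOG = """
2016:10:03-18:56:34 utm ulogd[4461]: id="2001" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60001" initf="eth1" srcip="198.51.100.7" dstip="192.0.2.10" proto="6" srcport="37069" dstport="12660" tcpflags="SYN"
2016:10:03-18:56:35 utm ulogd[4461]: id="2001" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60001" initf="eth1" srcip="203.0.113.9" dstip="192.0.2.10" proto="6" srcport="62690" dstport="12660" tcpflags="SYN"
2016:10:03-18:56:35 utm ulogd[4461]: id="2001" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60001" initf="eth1" mark="0x203c" app="60" srcip="203.0.113.9" dstip="192.0.2.10" proto="17" srcport="13468" dstport="12660"
2016:10:03-18:56:36 utm ulogd[4461]: id="2001" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60001" initf="eth1" mark="0x3c" app="60" srcip="198.51.100.44" dstip="192.0.2.10" proto="17" srcport="64367" dstport="12660"
2016:10:03-18:56:37 utm ulogd[4461]: id="2001" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60001" initf="eth0" srcip="192.168.188.24" dstip="255.255.255.255" proto="17" srcport="80" dstport="55555"
2016:10:03-18:56:38 utm ulogd[4461]: id="2001" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60001" initf="eth1" srcip="198.51.100.7" dstip="192.0.2.10" proto="6" srcport="37069" dstport="12660" tcpflags="SYN"
2016:10:05-11:43:51 utm httpproxy[5693]: id="0001" sub="http" name="http access" action="pass" method="CONNECT" srcip="192.168.188.62" url="https://example.com/" application="skype" app-id="448"
"""

KV = re.compile(r'([\w-]+)="([^"]*)"')   # key="value" pairs used by UTM logs
PROTO = {"6": "tcp", "17": "udp"}        # IP protocol numbers seen in the thread


def parse_line(line):
    """Return the key="value" fields of one log line, or None if it has none."""
    line = line.strip()
    fields = dict(KV.findall(line))
    if not fields:
        return None
    fields["time"] = line.split(" ", 1)[0]
    return fields


def summarize_drops(text, wan_if="eth1"):
    """Group packetfilter drops by (interface, protocol, destination port).

    wan_if is the assumed external interface; proxy (sub="http") lines and
    anything that is not a drop are skipped.
    """
    acc = defaultdict(lambda: {"packets": 0, "srcs": set(), "apps": set(),
                               "flags": set(), "rules": set()})
    for line in text.splitlines():
        f = parse_line(line)
        if not f or f.get("sub") != "packetfilter" or f.get("action") != "drop":
            continue
        proto = PROTO.get(f.get("proto"), f.get("proto"))
        g = acc[(f.get("initf"), proto, f.get("dstport"))]
        g["packets"] += 1
        g["srcs"].add(f.get("srcip"))
        g["rules"].add(f.get("fwrule"))
        if "app" in f:                     # classifier tag, present on some drops
            g["apps"].add(f["app"])
        if "tcpflags" in f:
            g["flags"].add(f["tcpflags"])

    summary = {}
    for key, g in acc.items():
        initf, proto, _ = key
        summary[key] = {
            "packets": g["packets"],
            "sources": len(g["srcs"]),     # distinct source addresses
            "fwrules": sorted(g["rules"]),
            "apps": sorted(g["apps"]),
            # Only bare SYNs: new connection attempts, not replies to LAN clients
            "syn_only": proto == "tcp" and g["flags"] == {"SYN"},
            "direction": "wan" if initf == wan_if else "internal",
        }
    return summary


if __name__ == "__main__":
    rows = sorted(summarize_drops(SAMPLE_LOG).items(),
                  key=lambda kv: -kv[1]["packets"])
    for (initf, proto, dport), s in rows:
        print(f"{initf:5} {proto:4} dport={dport:6} packets={s['packets']} "
              f"sources={s['sources']} fwrules={s['fwrules']} "
              f"apps={s['apps']} syn_only={s['syn_only']} {s['direction']}")
```

Many distinct sources sending bare SYNs or UDP to a single port on the external interface are unsolicited inbound attempts; an Application Control allow entry does not accept them, since the packet filter decides first.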
  • Hi Sachin,

     

    Okay, thanks. I’ve added the logs. It all seems to work OK right now, and looking at the logs it looks like the packets are getting through.

    Dropbox and Spotify are working now (just tested). I’m not sure whether it was Sophos or a faulty computer that caused this.

     

    Besides this, Skype is not working properly. I tested Skype on PC and it worked with no problems. But then comes this: we have a ‘Skype Phone’, like a landline phone that only receives calls on a local digital phone line (with a local number) and calls out via a Skype (Internet) line (so via a Skype phone number, via internet).

    We can still receive calls (logical, since that works even without internet), but calling to somebody else (so via Skype, via Internet) isn’t working. I find this strange, because Skype on Windows seems to have no problems at all. I will look further into this, I’m not sure if it could be a problem on the Skype/phone box side (since it stopped working when Sophos got implemented, I guess not ;-)

    Unsurprisingly, BitTorrent is also still not working completely perfectly. Does anybody have experience with this? Do you think I need to create a DNAT for it to function properly, or do you think that I should do something else in order to fix it? (Remember that normally DNAT is supposed to not be necessary for torrents to work.) Would it be possible to unlock BitTorrent for specified torrent(s)? (For example: users are allowed to download Ubuntu torrents or something like that, but not to download movies and such things.)

     

    In any case, I have to test it while looking at the firewall, but I’m almost there. Does anybody have a tip for where to look (for example in the logs)? In http.log all detected Skype traffic is allowed, but I guess it either is not even reaching the Web Scanner, or is not recognised as Skype traffic, so I guess that's the reason I can’t find it.

     

    The policy helpdesk option says allowed for all domains (so dropbox.com, spotify.com and skype.com, both http and https).

     

    Thank you for your time (you already helped me a lot! :),

    Adriaan Heijboer



    http dropbox.log https://drive.google.com/open?id=0BwoVESK-l0Chdk9VRlE3d1hTY3c

    http spotify.log https://drive.google.com/open?id=0BwoVESK-l0ChVTJXYk15TGZrMzg

    http skype.log https://drive.google.com/open?id=0BwoVESK-l0ChVkdFc1F0U3ZybXc

    http dropbox.log

    Search "application="skype" app-id="448"" (16 hits in 1 file)
      C:\Users\Aad\Downloads\http.log (16 hits)
    	Line 10674: 2016:10:05-11:43:51 [mySophosserver] httpproxy[5693]: id="0001" severity="info" sys="SecureWeb" sub="http" name="http access" action="pass" method="CONNECT" srcip="192.168.188.62" dstip="13.107.3.128" user="" group="" ad_domain="" statuscode="200" cached="0" profile="REF_DefaultHTTPProfile (Default Web Filter Profile)" filteraction="REF_DefaultHTTPCFFAction (Default content filter action)" size="17265" request="0xa1036400" url="https://b.config.skype.com/" referer="" error="" authtime="0" dnstime="15289" cattime="20295" avscantime="0" fullreqtime="61829576" device="0" auth="0" ua="" exceptions="" category="122" reputation="neutral" categoryname="Instant Messaging" application="skype" app-id="448"
    	Line 10681: 2016:10:05-11:44:08 [mySophosserver] httpproxy[5693]: id="0001" severity="info" sys="SecureWeb" sub="http" name="http access" action="pass" method="GET" srcip="192.168.188.62" dstip="91.190.216.81" user="" group="" ad_domain="" statuscode="200" cached="0" profile="REF_DefaultHTTPProfile (Default Web Filter Profile)" filteraction="REF_DefaultHTTPCFFAction (Default content filter action)" size="129" request="0xa0b17600" url="http://conn.skype.com/" referer="" error="" authtime="0" dnstime="51225" cattime="20265" avscantime="2597" fullreqtime="95285" device="0" auth="0" ua="Skype WISPr" exceptions="" category="122" reputation="neutral" categoryname="Instant Messaging" application="skype" app-id="448" sandbox="-" content-type="text/plain"
    	Line 10727: 2016:10:05-11:44:30 [mySophosserver] httpproxy[5693]: id="0001" severity="info" sys="SecureWeb" sub="http" name="http access" action="pass" method="CONNECT" srcip="192.168.188.62" dstip="13.107.3.128" user="" group="" ad_domain="" statuscode="200" cached="0" profile="REF_DefaultHTTPProfile (Default Web Filter Profile)" filteraction="REF_DefaultHTTPCFFAction (Default content filter action)" size="18581" request="0x9c0cd800" url="https://b.config.skype.com/" referer="" error="" authtime="0" dnstime="7478" cattime="188" avscantime="0" fullreqtime="59139012" device="0" auth="0" ua="" exceptions="" category="122" reputation="neutral" categoryname="Instant Messaging" application="skype" app-id="448"
    	Line 10734: 2016:10:05-11:44:36 [mySophosserver] httpproxy[5693]: id="0001" severity="info" sys="SecureWeb" sub="http" name="http access" action="pass" method="GET" srcip="192.168.188.62" dstip="157.56.198.14" user="" group="" ad_domain="" statuscode="200" cached="0" profile="REF_DefaultHTTPProfile (Default Web Filter Profile)" filteraction="REF_DefaultHTTPCFFAction (Default content filter action)" size="7" request="0x9bc7e00" url="http://ui.skype.com/ui/0/7.27.0.101./nl/getlatestversion?ver=7.27.0.101&uhash=177a252a15947ea5c823d88847a18d4a3" referer="" error="" authtime="0" dnstime="41081" cattime="37619" avscantime="1923" fullreqtime="126075" device="0" auth="0" ua="Skype™‎ 7.27" exceptions="" category="122" reputation="neutral" categoryname="Instant Messaging" application="skype" app-id="448" sandbox="-" content-type="application/octet-stream"
    	Line 10739: 2016:10:05-11:44:38 [mySophosserver] httpproxy[5693]: id="0001" severity="info" sys="SecureWeb" sub="http" name="http access" action="pass" method="GET" srcip="192.168.188.62" dstip="91.190.216.81" user="" group="" ad_domain="" statuscode="200" cached="0" profile="REF_DefaultHTTPProfile (Default Web Filter Profile)" filteraction="REF_DefaultHTTPCFFAction (Default content filter action)" size="129" request="0x9c15b600" url="http://conn.skype.com/" referer="" error="" authtime="0" dnstime="345" cattime="213" avscantime="2525" fullreqtime="23386" device="0" auth="0" ua="Skype WISPr" exceptions="" category="122" reputation="neutral" categoryname="Instant Messaging" application="skype" app-id="448" sandbox="-" content-type="text/plain"
    	Line 10742: 2016:10:05-11:44:39 [mySophosserver] httpproxy[5693]: id="0001" severity="info" sys="SecureWeb" sub="http" name="http access" action="pass" method="GET" srcip="192.168.188.62" dstip="91.190.216.81" user="" group="" ad_domain="" statuscode="200" cached="0" profile="REF_DefaultHTTPProfile (Default Web Filter Profile)" filteraction="REF_DefaultHTTPCFFAction (Default content filter action)" size="129" request="0xa1068c00" url="http://conn.skype.com/" referer="" error="" authtime="0" dnstime="364" cattime="196" avscantime="3089" fullreqtime="24603" device="0" auth="0" ua="Skype WISPr" exceptions="" category="122" reputation="neutral" categoryname="Instant Messaging" application="skype" app-id="448" sandbox="-" content-type="text/plain"
    	Line 10743: 2016:10:05-11:44:39 [mySophosserver] httpproxy[5693]: id="0001" severity="info" sys="SecureWeb" sub="http" name="http access" action="pass" method="CONNECT" srcip="192.168.188.62" dstip="40.127.169.165" user="" group="" ad_domain="" statuscode="200" cached="0" profile="REF_DefaultHTTPProfile (Default Web Filter Profile)" filteraction="REF_DefaultHTTPCFFAction (Default content filter action)" size="7597" request="0xa0c73600" url="https://registrar-rr.prod.registrar.skype.com/" referer="" error="" authtime="0" dnstime="35428" cattime="20439" avscantime="0" fullreqtime="426671" device="0" auth="0" ua="" exceptions="" category="122" reputation="neutral" categoryname="Instant Messaging" application="skype" app-id="448"
    	Line 10901: 2016:10:05-11:45:18 [mySophosserver] httpproxy[5693]: id="0001" severity="info" sys="SecureWeb" sub="http" name="http access" action="pass" method="CONNECT" srcip="192.168.188.62" dstip="40.122.44.96" user="" group="" ad_domain="" statuscode="200" cached="0" profile="REF_DefaultHTTPProfile (Default Web Filter Profile)" filteraction="REF_DefaultHTTPCFFAction (Default content filter action)" size="7176" request="0x9fdc8000" url="https://registrar-rr.prod.registrar.skype.com/" referer="" error="" authtime="0" dnstime="15759" cattime="197" avscantime="0" fullreqtime="924782" device="0" auth="0" ua="" exceptions="" category="122" reputation="neutral" categoryname="Instant Messaging" application="skype" app-id="448"
    	Line 10928: 2016:10:05-11:45:22 [mySophosserver] httpproxy[5693]: id="0001" severity="info" sys="SecureWeb" sub="http" name="http access" action="pass" method="CONNECT" srcip="192.168.188.62" dstip="13.107.3.128" user="" group="" ad_domain="" statuscode="200" cached="0" profile="REF_DefaultHTTPProfile (Default Web Filter Profile)" filteraction="REF_DefaultHTTPCFFAction (Default content filter action)" size="19093" request="0xa7ed200" url="https://b.config.skype.com/" referer="" error="" authtime="0" dnstime="5" cattime="145" avscantime="0" fullreqtime="47400311" device="0" auth="0" ua="" exceptions="" category="122" reputation="neutral" categoryname="Instant Messaging" application="skype" app-id="448"
    	Line 10930: 2016:10:05-11:45:22 [mySophosserver] httpproxy[5693]: id="0001" severity="info" sys="SecureWeb" sub="http" name="http access" action="pass" method="CONNECT" srcip="192.168.188.62" dstip="91.190.218.21" user="" group="" ad_domain="" statuscode="200" cached="0" profile="REF_DefaultHTTPProfile (Default Web Filter Profile)" filteraction="REF_DefaultHTTPCFFAction (Default content filter action)" size="5458" request="0x9fdc9200" url="https://uic.login.skype.com/" referer="" error="" authtime="0" dnstime="48038" cattime="20199" avscantime="0" fullreqtime="58540039" device="0" auth="0" ua="" exceptions="" category="122" reputation="neutral" categoryname="Instant Messaging" application="skype" app-id="448"
    	Line 10932: 2016:10:05-11:45:22 [mySophosserver] httpproxy[5693]: id="0001" severity="info" sys="SecureWeb" sub="http" name="http access" action="pass" method="CONNECT" srcip="192.168.188.62" dstip="52.174.166.107" user="" group="" ad_domain="" statuscode="200" cached="0" profile="REF_DefaultHTTPProfile (Default Web Filter Profile)" filteraction="REF_DefaultHTTPCFFAction (Default content filter action)" size="7533" request="0x9fd28400" url="https://api.cc.skype.com/" referer="" error="" authtime="0" dnstime="14726" cattime="19917" avscantime="0" fullreqtime="47686524" device="0" auth="0" ua="" exceptions="" category="122" reputation="neutral" categoryname="Instant Messaging" application="skype" app-id="448"
    	Line 10933: 2016:10:05-11:45:22 [mySophosserver] httpproxy[5693]: id="0001" severity="info" sys="SecureWeb" sub="http" name="http access" action="pass" method="CONNECT" srcip="192.168.188.62" dstip="40.122.44.96" user="" group="" ad_domain="" statuscode="200" cached="0" profile="REF_DefaultHTTPProfile (Default Web Filter Profile)" filteraction="REF_DefaultHTTPCFFAction (Default content filter action)" size="7214" request="0x9b07e00" url="https://etag-rr.prod.registrar.skype.com/" referer="" error="" authtime="0" dnstime="39281" cattime="20986" avscantime="0" fullreqtime="47761063" device="0" auth="0" ua="" exceptions="" category="122" reputation="neutral" categoryname="Instant Messaging" application="skype" app-id="448"
    	Line 10935: 2016:10:05-11:45:22 [mySophosserver] httpproxy[5693]: id="0001" severity="info" sys="SecureWeb" sub="http" name="http access" action="pass" method="CONNECT" srcip="192.168.188.62" dstip="23.43.36.49" user="" group="" ad_domain="" statuscode="200" cached="0" profile="REF_DefaultHTTPProfile (Default Web Filter Profile)" filteraction="REF_DefaultHTTPCFFAction (Default content filter action)" size="6588" request="0x9fdc8600" url="https://apps.skype.com/" referer="" error="" authtime="0" dnstime="57260" cattime="20216" avscantime="0" fullreqtime="39011935" device="0" auth="0" ua="" exceptions="" category="122" reputation="neutral" categoryname="Instant Messaging" application="skype" app-id="448"
    	Line 10937: 2016:10:05-11:45:22 [mySophosserver] httpproxy[5693]: id="0001" severity="info" sys="SecureWeb" sub="http" name="http access" action="pass" method="CONNECT" srcip="192.168.188.62" dstip="168.63.15.132" user="" group="" ad_domain="" statuscode="200" cached="0" profile="REF_DefaultHTTPProfile (Default Web Filter Profile)" filteraction="REF_DefaultHTTPCFFAction (Default content filter action)" size="7646" request="0xa01ea600" url="https://trap.skype.com/" referer="" error="" authtime="0" dnstime="15859" cattime="20106" avscantime="0" fullreqtime="43257397" device="0" auth="0" ua="" exceptions="" category="122" reputation="neutral" categoryname="Instant Messaging" application="skype" app-id="448"
    	Line 10938: 2016:10:05-11:45:22 [mySophosserver] httpproxy[5693]: id="0001" severity="info" sys="SecureWeb" sub="http" name="http access" action="pass" method="CONNECT" srcip="192.168.188.62" dstip="137.116.195.37" user="" group="" ad_domain="" statuscode="200" cached="0" profile="REF_DefaultHTTPProfile (Default Web Filter Profile)" filteraction="REF_DefaultHTTPCFFAction (Default content filter action)" size="7402" request="0x9bfe9000" url="https://api.mcr.skype.com/" referer="" error="" authtime="0" dnstime="16007" cattime="20381" avscantime="0" fullreqtime="42812452" device="0" auth="0" ua="" exceptions="" category="122" reputation="neutral" categoryname="Instant Messaging" application="skype" app-id="448"
    	Line 10939: 2016:10:05-11:45:22 [mySophosserver] httpproxy[5693]: id="0001" severity="info" sys="SecureWeb" sub="http" name="http access" action="pass" method="CONNECT" srcip="192.168.188.62" dstip="91.190.217.143" user="" group="" ad_domain="" statuscode="200" cached="0" profile="REF_DefaultHTTPProfile (Default Web Filter Profile)" filteraction="REF_DefaultHTTPCFFAction (Default content filter action)" size="15368" request="0xa95b800" url="https://api.skype.com/" referer="" error="" authtime="0" dnstime="37579" cattime="19914" avscantime="0" fullreqtime="30173197" device="0" auth="0" ua="" exceptions="" category="122" reputation="neutral" categoryname="Instant Messaging" application="skype" app-id="448"
    

    http spotify.log

  • Hey Bob,

     

    Thanks for telling me that! I just realized it right now. I will obfuscate better!

     

    About rule 2, okay, good suggestion, I think it is a good idea to go over that again. It starts with the connection tracker (conntrack) first, then Country Blocking (DISABLED), then DNATs (ENABLED for internal network and VPN clients. Tested and is working OK), then VPNs (DISABLED, I don’t use site-to-site VPNs, only remote access), then Proxies (except the SMTP Proxy in Transparent mode which captures traffic forwarded by a DNAT) (DISABLED, I don’t use a proxy (except for the web filtering feature, but I don’t think they mean that by this)), then manual Routes and manual Firewall rules (ENABLED, I don’t use manual Routes, but I have a manual Firewall rule, which is INTERNAL > ANY > ANY so that should do it), which are considered only if the automatic Routes and rules coming before hadn't already handled the traffic and, finally, Applications Control (so I thought it was in application control).

     

    Maybe I can find more info in the logs? For example if it would not reach the application control, then there must be a log entry somewhere in the firewall log, where you can see the packet getting dropped, right?

     

    I’m going to look at all the logs again tomorrow (I’m so sorry but I’m on a busy schedule). I really appreciate all of your help, time and effort!!

     

    Thank you,

    Adriaan Heijboer

  • Hi, 

    Everything for Skype seems to be allowed in the http.log. Out of the box, what sort of ISP connection do you have on UTM, DHCP or static?

    Thanks

    Sachin Gurung
    Team Lead | Sophos Technical Support
