
Firewall Log interpretation

Hi there,

Thanks in advance for helping me understand the Sophos UTM firewall/packetfilter a little more.

Having kind of a hard time interpreting some firewall logs on my UTM 9.411-3. Maybe there is something wrong, maybe I am just not getting the concept. :-)

In the logging we see srcmac, dstmac, srcip and dstip. I assumed that srcmac and srcip should be hard linked to each other, same for destination.
Dstmac is often the virtual MAC address of the internal NIC on the UTM and does not correspond to the dstip.

Now we see that srcmac is used in combination with different srcip addresses. That I do not understand.

This log entry is what I would expect.
2017:04:07-11:04:05 utm ulogd[17050]: id="2002" severity="info" sys="SecureNet" sub="packetfilter" name="Packet accepted" action="accept" fwrule="9" initf="eth0" outitf="eth1" srcmac="mac_of_internal_device" dstmac="mac_of_internal_utm_nic" srcip="ip_internal_device" dstip="external_webserver_ip_A" proto="6" length="44" tos="0x00" prec="0x00" ttl="254" srcport="50017" dstport="123456" tcpflags="SYN"


This is what I do not understand....
2017:04:07-11:04:08 utm ulogd[17050]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60002" initf="eth0" outitf="eth1" srcmac="mac_of_internal_device" dstmac="mac_of_internal_utm_nic" srcip="external_webserver_IP_B" dstip="external_webserver_ip_A" proto="6" length="40" tos="0x00" prec="0x00" ttl="254" srcport="50017" dstport="123456" tcpflags="ACK RST"


So what we've got here is a request from the same source MAC using different source IP addresses. Is this expected behaviour and do I just not understand the concept, or is this at least a little strange....

  • That's OK. That's how IP routing works.

    Within a LAN (same subnet) you see the MAC of every device.

    With routing you see the MAC of the router for all IPs behind this device.

    This can be explained with OSI 7 layer model...

    https://support.microsoft.com/de-de/help/103884/the-osi-model-s-seven-layers-defined-and-functions-explained

    The MAC addresses within a packet are from L2. L2 doesn't know anything about L3 (IP). Here we see only communication between directly linked devices. (Router<->Firewall or Firewall<->endsystem)


    Dirk

    Systema Gesellschaft für angewandte Datentechnik mbH  // Sophos Platinum Partner
    Sophos Solution Partner since 2003
    If a post solves your question, click the 'Verify Answer' link at this post.

  • Hi, Sebastiaan, and welcome to the UTM Community!

    As Dirk says, the MAC addresses represent the next physical hop to reach an IP - your ISP's router and your internal switch.

    Cheers - Bob

    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
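The point Dirk and Bob make (a source MAC that fronts several source IPs is the next hop, not an end system) can be checked mechanically against the ulogd packetfilter format shown in the question. The script below is an added example, not Sophos code or anything posted in the thread; the three log lines and all MAC/IP values in it are constructed placeholders.

```python
import re
from collections import defaultdict

# Constructed sample lines in the UTM ulogd packetfilter format. MACs and IPs
# are made-up placeholders (documentation ranges), not from a real network.
SAMPLE_LOG = """\
2017:04:07-11:04:05 utm ulogd[17050]: id="2002" severity="info" sys="SecureNet" sub="packetfilter" name="Packet accepted" action="accept" fwrule="9" initf="eth0" outitf="eth1" srcmac="00:11:22:33:44:55" dstmac="00:1a:8c:00:00:01" srcip="192.168.1.10" dstip="203.0.113.20" proto="6" length="44" srcport="50017" dstport="443" tcpflags="SYN"
2017:04:07-11:04:08 utm ulogd[17050]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60002" initf="eth0" outitf="eth1" srcmac="00:11:22:33:44:55" dstmac="00:1a:8c:00:00:01" srcip="198.51.100.7" dstip="203.0.113.20" proto="6" length="40" srcport="50017" dstport="443" tcpflags="ACK RST"
2017:04:07-11:04:09 utm ulogd[17050]: id="2002" severity="info" sys="SecureNet" sub="packetfilter" name="Packet accepted" action="accept" fwrule="9" initf="eth0" outitf="eth1" srcmac="aa:bb:cc:dd:ee:ff" dstmac="00:1a:8c:00:00:01" srcip="192.168.1.20" dstip="203.0.113.21" proto="6" length="44" srcport="40000" dstport="80" tcpflags="SYN"
"""

# Every field in a ulogd line is key="value"; this captures them all.
KV_RE = re.compile(r'(\w+)="([^"]*)"')


def parse_line(line):
    """Return the key="value" fields of one ulogd line as a dict."""
    return dict(KV_RE.findall(line))


def mac_to_ips(log_text):
    """Map each source MAC (L2 neighbour) to the set of source IPs (L3) seen behind it."""
    seen = defaultdict(set)
    for line in log_text.splitlines():
        if 'sub="packetfilter"' not in line:
            continue  # skip other ulogd subsystems
        fields = parse_line(line)
        if "srcmac" in fields and "srcip" in fields:
            seen[fields["srcmac"]].add(fields["srcip"])
    return seen


def classify(mapping):
    """A MAC that fronts more than one IP is a next hop (router/gateway); one IP suggests an end system."""
    return {
        mac: "next-hop (routes for several IPs)" if len(ips) > 1 else "end system"
        for mac, ips in mapping.items()
    }


if __name__ == "__main__":
    mapping = mac_to_ips(SAMPLE_LOG)
    for mac, verdict in classify(mapping).items():
        print(f"{mac}: {verdict}: {sorted(mapping[mac])}")
```

Running it over real UTM logs makes the same distinction visible at scale: your gateway's MAC will collect every remote IP, while a directly connected host collects only its own.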