Strange logs…
-
There's a thing I can't understand. I have rules to only allow traffic on ports 80,443 from lan to wan. Still, I have a lot of entries on the firewall log like those on the attached image. And I can't block them. Why are they passing through the firewall?
Specs:
Version 1.2.3-RELEASE
built on Sun Dec 6 23:38:21 EST 2009
FreeBSD 7.2-RELEASE-p5 i386
Platform pfSense
CPU Type Intel(R) Pentium(R) 4 CPU 2.00GHz
packages:
Dashboard
OpenVPN Status 1.5
States Summary 0.5
imspector 0.8-9
phpSysInfo 2.5.4
rate 0.9
snort 2.8.5.3 pkg v. 1.24
vnstat 1.6.3
-
Have you checked what those remote addresses are? They are most likely ftp servers and the entries in the log are from the ftp helper that automatically opens ports for active mode ftp.
-
75.126.208.35-static.reverse.softlayer.com -> reverse DNS.
But the lan machine is not doing ftp. Probable infection?
-
127.0.0.1:8021 <- 75.126.208.35:21 <- 192.168.25.44:1159
This was in the states table. So, you're probably right. But, again, the computer is not doing ftp. hummm…..
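The states-table line quoted above is the tell: the first hop is 127.0.0.1:8021, the local listener of the pfSense FTP helper (ftp-proxy), which intercepts outbound port 21 connections and opens the data ports, so the resulting states and log entries do not match the lan-to-wan 80/443 rule. As an added example (not part of the thread or of pfSense itself), the following Python script parses state-table lines in the quoted format, picks out the ones that went through the helper, and reports which LAN host contacted which FTP servers, which is the check to run before deciding whether a client is doing something it should not. The sample lines are constructed; the 8021 port and the "a <- b <- c" layout come from the post.

```python
import re
from collections import defaultdict

# Constructed sample in the format quoted in the thread (pfSense 1.2.x states
# table): "local-end <- remote <- lan-client" for helper states, "client -> server"
# for ordinary outbound states. Addresses are documentation/RFC 5737 ranges
# apart from the one quoted in the post.
SAMPLE_STATES = """\
127.0.0.1:8021 <- 75.126.208.35:21 <- 192.168.25.44:1159
192.168.25.44:1160 -> 203.0.113.10:80
127.0.0.1:8021 <- 198.51.100.7:21 <- 192.168.25.44:1161
192.168.25.51:49200 -> 203.0.113.20:443
"""

# pfSense's FTP helper (ftp-proxy) listens on localhost port 8021.
FTP_PROXY_PORT = 8021

ENDPOINT = r"(\d{1,3}(?:\.\d{1,3}){3}):(\d+)"
STATE_RE = re.compile(
    rf"^{ENDPOINT}\s*(<-|->)\s*{ENDPOINT}(?:\s*(<-|->)\s*{ENDPOINT})?$"
)


def parse_state(line):
    """Parse one states-table line into its 2 or 3 (ip, port) hops, or None."""
    m = STATE_RE.match(line.strip())
    if not m:
        return None
    g = m.groups()
    hops = [(g[0], int(g[1])), (g[3], int(g[4]))]
    if g[6]:
        hops.append((g[6], int(g[7])))
    return {"hops": hops, "dirs": [d for d in (g[2], g[5]) if d]}


def is_ftp_helper_state(state):
    """True when the state terminates on the local ftp-proxy listener."""
    return len(state["hops"]) == 3 and state["hops"][0] == ("127.0.0.1", FTP_PROXY_PORT)


def ftp_helper_clients(states_text):
    """Map each LAN client IP to the set of FTP server IPs it reached via the helper."""
    clients = defaultdict(set)
    for line in states_text.splitlines():
        st = parse_state(line)
        if st and is_ftp_helper_state(st):
            server, client = st["hops"][1], st["hops"][2]
            clients[client[0]].add(server[0])
    return dict(clients)


if __name__ == "__main__":
    for client, servers in ftp_helper_clients(SAMPLE_STATES).items():
        print(f"{client} used the FTP helper to reach: {', '.join(sorted(servers))}")
```

Run it against a copy of the states table (Diagnostics > States, pasted into a file) instead of the constructed sample; a LAN host appearing here while nobody is knowingly using FTP is the thing to investigate on that host (an updater, a backup agent, or something unwanted), and if no one needs FTP from the LAN, disabling the helper removes the states entirely.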
-
Virus scanner doing database update checks with ftp?
-
It could be. I'll check it out. I've disabled ftp-user proxy and the logs are gone. Don't have need for ftp from lan.