Firewall logging is logging things that aren't supposed to be logged
-
I've got an odd issue. I've got a single firewall rule that is set to log. The rule is that when any machine not a part of a MailHosts alias tries to connect to port 25 on a non-local server, the connection is blocked and logged. I would expect then that the only entries in my firewall log would be those that are a machine connecting to a remote server on port 25.
Instead, I'm getting my logs filled with entries for a single system that is connecting via passive FTP to a remote server (one of mine), with destination ports > 50000.
The icon next to the log entry is the little green arrow, implying that the traffic is being logged but not blocked. When I click on the little arrow, it tells me "The rule that triggered this action is:" and then doesn't say anything.
Thoughts?
-
Make sure your interface isn't in promiscuous mode; this can sometimes happen when you install some packages, often traffic monitoring/analysis packages.
In the shell you can run ifconfig and check that the relevant interface doesn't have "PROMISC" in the flags section.
-
The FTP proxy logs allowed connections; that is likely what you are seeing in the log.
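-
The promiscuous-mode check suggested in the second reply, written as a script. This is an added example, not part of the original thread. It assumes ifconfig prints its flags as `flags=...<A,B,C>` (the FreeBSD and current net-tools layout); the function name `promisc_ifaces` and the sample output are constructed for illustration.

```shell
#!/bin/sh
# Print the name of every interface whose flag list contains PROMISC.
# Reads ifconfig output on stdin. promisc_ifaces is a hypothetical helper
# name, not a system command.
promisc_ifaces() {
    awk '
        # An interface stanza starts in column 0: "em1: flags=8943<UP,...>"
        /^[^ \t]/ && /flags=/ {
            name = $1
            sub(/:$/, "", name)
            # Keep only the text between < and >, then split on commas so
            # each flag is compared as a whole word.
            flags = $0
            sub(/^[^<]*</, "", flags)
            sub(/>.*$/, "", flags)
            n = split(flags, f, ",")
            for (i = 1; i <= n; i++) {
                # PPROMISC is the FreeBSD flag for user-requested
                # promiscuous mode; report it as well.
                if (f[i] == "PROMISC" || f[i] == "PPROMISC") {
                    print name
                    break
                }
            }
        }
    '
}

# Constructed sample in FreeBSD ifconfig layout (not captured from a real host).
SAMPLE_IFCONFIG='em0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        inet 192.0.2.1 netmask 0xffffff00 broadcast 192.0.2.255
em1: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> metric 0 mtu 1500
        inet 198.51.100.1 netmask 0xffffff00 broadcast 198.51.100.255
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> metric 0 mtu 16384'

# Run against the sample; on a live system use: ifconfig | promisc_ifaces
printf '%s\n' "$SAMPLE_IFCONFIG" | promisc_ifaces
```

An empty result means no interface reported the flag. Any name printed is worth tracing back to the package or process that enabled it.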