What do these messages mean?
-
Hi,
I just finished setting up pfSense. I use Linux as my OS. Below is a list of connections which Linux's firewall is blocking. The question is: how are these connections getting through pfSense?

$ dmesg |tail
[ 8690.149440] [UFW BLOCK] IN=eth0 OUT= MAC=b8:27:eb:af:87:64:00:e0:4c:53:44:58:08:00:45:00:00:28:00:00:40:00:39:06:c7:5c SRC=91.189.94.12 DST=192.168.0.2 LEN=40 TOS=0x00 PREC=0x00 TTL=57 ID=0 DF PROTO=TCP SPT=443 DPT=54520 WINDOW=28960 RES=0x00 ACK URGP=0
[ 8694.149208] [UFW BLOCK] IN=eth0 OUT= MAC=b8:27:eb:af:87:64:00:e0:4c:53:44:58:08:00:45:00:00:28:00:00:40:00:39:06:c7:5c SRC=91.189.94.12 DST=192.168.0.2 LEN=40 TOS=0x00 PREC=0x00 TTL=57 ID=0 DF PROTO=TCP SPT=443 DPT=54520 WINDOW=28960 RES=0x00 ACK URGP=0
[ 8698.149653] [UFW BLOCK] IN=eth0 OUT= MAC=b8:27:eb:af:87:64:00:e0:4c:53:44:58:08:00:45:00:00:28:00:00:40:00:39:06:c7:5c SRC=91.189.94.12 DST=192.168.0.2 LEN=40 TOS=0x00 PREC=0x00 TTL=57 ID=0 DF PROTO=TCP SPT=443 DPT=54520 WINDOW=28960 RES=0x00 ACK URGP=0
[ 8740.085477] [UFW BLOCK] IN=eth0 OUT= MAC=b8:27:eb:af:87:64:00:e0:4c:53:44:58:08:00:45:00:00:28:00:00:40:00:39:06:21:12 SRC=31.13.65.7 DST=192.168.0.2 LEN=40 TOS=0x00 PREC=0x00 TTL=57 ID=0 DF PROTO=TCP SPT=443 DPT=53196 WINDOW=27960 RES=0x00 ACK URGP=0
[ 8752.289804] [UFW BLOCK] IN=eth0 OUT= MAC=b8:27:eb:af:87:64:00:e0:4c:53:44:58:08:00:45:00:00:28:00:00:40:00:39:06:21:12 SRC=31.13.65.7 DST=192.168.0.2 LEN=40 TOS=0x00 PREC=0x00 TTL=57 ID=0 DF PROTO=TCP SPT=443 DPT=53202 WINDOW=27960 RES=0x00 ACK URGP=0
[ 8756.375139] [UFW BLOCK] IN=eth0 OUT= MAC=b8:27:eb:af:87:64:00:e0:4c:53:44:58:08:00:45:00:00:28:00:00:40:00:39:06:21:12 SRC=31.13.65.7 DST=192.168.0.2 LEN=40 TOS=0x00 PREC=0x00 TTL=57 ID=0 DF PROTO=TCP SPT=443 DPT=53208 WINDOW=27960 RES=0x00 ACK URGP=0
[ 8756.467028] [UFW BLOCK] IN=eth0 OUT= MAC=b8:27:eb:af:87:64:00:e0:4c:53:44:58:08:00:45:00:00:28:00:00:40:00:39:06:21:12 SRC=31.13.65.7 DST=192.168.0.2 LEN=40 TOS=0x00 PREC=0x00 TTL=57 ID=0 DF PROTO=TCP SPT=443 DPT=53210 WINDOW=27960 RES=0x00 ACK URGP=0
[ 8758.866149] [UFW BLOCK] IN=eth0 OUT= MAC=b8:27:eb:af:87:64:00:e0:4c:53:44:58:08:00:45:00:00:28:00:00:40:00:39:06:21:12 SRC=31.13.65.7 DST=192.168.0.2 LEN=40 TOS=0x00 PREC=0x00 TTL=57 ID=0 DF PROTO=TCP SPT=443 DPT=53212 WINDOW=27960 RES=0x00 ACK URGP=0
[ 8866.172295] [UFW BLOCK] IN=eth0 OUT= MAC=b8:27:eb:af:87:64:00:e0:4c:53:44:58:08:00:45:00:00:28:00:00:40:00:39:06:18:f5 SRC=31.13.73.36 DST=192.168.0.2 LEN=40 TOS=0x00 PREC=0x00 TTL=57 ID=0 DF PROTO=TCP SPT=443 DPT=44540 WINDOW=27960 RES=0x00 ACK URGP=0
[ 9126.470648] [UFW BLOCK] IN=eth0 OUT= MAC=b8:27:eb:af:87:64:00:e0:4c:53:44:58:08:00:45:00:00:28:00:00:40:00:39:06:6e:c3 SRC=50.16.224.82 DST=192.168.0.2 LEN=40 TOS=0x00 PREC=0x00 TTL=57 ID=0 DF PROTO=TCP SPT=443 DPT=60832 WINDOW=26847 RES=0x00 ACK URGP=0
-
Nobody? :(
-
Something similar to https://askubuntu.com/questions/720455/would-active-connections-cause-this-ufw-block
-
Those are ACKs, so out of state. So yeah, any stateful firewall would block those.
You probably have an asymmetrical routing problem, would be the guess off the top of my head. What is the gateway of your linux box? Draw up your network.
-
Thanks to both for your replies.
My network:
WAN
IPv4 Configuration Type: Static
IP: 172.16.197.XXX
Subnet Mask: 255.255.255.0
GATEWAY: 172.16.197.1
LAN
IPv4 Address: Static IPV4
IPV4 Address: 192.168.0.1
Where are the DNS settings? I have set it but forgot where it was.
Linux box
$ ifconfig
eth0      Link encap:Ethernet  HWaddr b8:27:eb:af:87:64
          inet addr:192.168.0.2  Bcast:192.168.0.255  Mask:255.255.255.0
          inet6 addr: fe80::9cce:2ef4:91bc:ad15/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:4357 errors:0 dropped:0 overruns:0 frame:0
          TX packets:4249 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:4523290 (4.3 MiB)  TX bytes:593253 (579.3 KiB)

$ route -n
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         192.168.0.1     0.0.0.0         UG    202    0        0 eth0
192.168.0.0     0.0.0.0         255.255.255.0   U     202    0        0 eth0
-
DNS settings for pfSense — https://doc.pfsense.org/index.php/General_Setup
DNS setting for Linux depends on the Linux system you are using, e.g. https://askubuntu.com/questions/152593/command-line-to-list-dns-servers-used-by-my-system
Using double NAT with private IP on WAN is always fun ;) As I understand it, you have unticked "Block private networks and loopback addresses" in the WAN settings, haven't you?
-
Found the DNS settings. Thanks.
Using double NAT with private IP on WAN is always fun As I understand you have unticked "Block private networks and loopback addresses" on WAN settings, don't you?
No I haven't. Please see attachment.
-
Found the DNS settings. Thanks.
Using double NAT with private IP on WAN is always fun As I understand you have unticked "Block private networks and loopback addresses" on WAN settings, don't you?
No I haven't. Please see attachment.
If I understand this https://doc.pfsense.org/index.php/Prevent_RFC1918_traffic_from_leaving_pfSense_via_the_WAN_interface right, then in your scenario the RFC1918 blocking rule is not applied, but we should wait until somebody confirms that.
-
So then how would ACKs have gotten to your linux box that were out of state? Did you reboot or reset your linux firewall? pfSense does not forward traffic unless you have set it up, or there has been a state created and that traffic is in answer to a request.
All of those packets are from source port 443, so some site you talked to, and these are the answers to your different dest ports, which are the source ports on your linux box.
-
So then how would acks have gotten to your linux box that were out of state? Did you reboot or reset your linux firewall?
No I didn't reboot or reset the Linux firewall.
Pfsense does not forward traffic unless you have set it up, or there has been a state created and that traffic is in answer to a request.
All of those packets are from source port 443, so some site you talked to and these are the answers to your different dest ports.. Which are the source ports on your linux box..
So is that normal? Anything to worry about?
-
Is it normal for your linux firewall to be blocking them? No. If it's traffic you created, then your linux firewall should allow it. Only if they were out of state would your firewall block them. The only way they would be out of state is if they came from a different direction, i.e. asymmetrical: your linux firewall was not aware of the state. Or this traffic was not actually meant for your linux machine. Did you change its IP address and are now seeing some other machine's return traffic?
That first IP:
;; ANSWER SECTION:
12.94.189.91.in-addr.arpa. 3600 IN PTR feijoa.canonical.com
Canonical is the company that does Ubuntu.
2nd IP is Facebook:
;; ANSWER SECTION:
7.65.13.31.in-addr.arpa. 3600 IN PTR xx-fbcdn-shv-01-atl3.fbcdn.net.
3rd is Amazon:
;; ANSWER SECTION:
82.224.16.50.in-addr.arpa. 300 IN PTR ec2-50-16-224-82.compute-1.amazonaws.com.
So these are all common IPs that your machine would normally be talking to. So why your linux firewall is blocking them is not normal, unless they are out of state for some reason.
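As an added example (not from anyone in this thread), here is a small Python triage script that parses UFW BLOCK kernel log lines like the ones quoted above, flags a bare ACK from a service port to an ephemeral port as an out-of-state reply (as opposed to an inbound SYN, i.e. a real connection attempt), and splits the MAC= field into destination and source MAC so the source MAC can be compared with the gateway's entry in `arp -n` on the Linux box. The first two sample lines are from the thread; the third (SYN to port 22 from 203.0.113.9) is constructed for contrast.

```python
import re
from collections import Counter

# Constructed sample: two UFW BLOCK lines quoted in the thread plus one hypothetical SYN line.
SAMPLE_LOG = """\
[ 8690.149440] [UFW BLOCK] IN=eth0 OUT= MAC=b8:27:eb:af:87:64:00:e0:4c:53:44:58:08:00:45:00:00:28:00:00:40:00:39:06:c7:5c SRC=91.189.94.12 DST=192.168.0.2 LEN=40 TOS=0x00 PREC=0x00 TTL=57 ID=0 DF PROTO=TCP SPT=443 DPT=54520 WINDOW=28960 RES=0x00 ACK URGP=0
[ 8740.085477] [UFW BLOCK] IN=eth0 OUT= MAC=b8:27:eb:af:87:64:00:e0:4c:53:44:58:08:00:45:00:00:28:00:00:40:00:39:06:21:12 SRC=31.13.65.7 DST=192.168.0.2 LEN=40 TOS=0x00 PREC=0x00 TTL=57 ID=0 DF PROTO=TCP SPT=443 DPT=53196 WINDOW=27960 RES=0x00 ACK URGP=0
[ 9000.000000] [UFW BLOCK] IN=eth0 OUT= MAC=b8:27:eb:af:87:64:00:e0:4c:53:44:58:08:00 SRC=203.0.113.9 DST=192.168.0.2 LEN=60 TOS=0x00 PREC=0x00 TTL=50 ID=4242 DF PROTO=TCP SPT=51000 DPT=22 WINDOW=65535 RES=0x00 SYN URGP=0
"""

TCP_FLAGS = {"SYN", "ACK", "FIN", "RST", "PSH", "URG"}
KV_RE = re.compile(r"(\w+)=(\S*)")

def parse_ufw_line(line):
    """Turn one [UFW BLOCK] kernel log line into a dict of fields plus a TCP flag set."""
    if "[UFW BLOCK]" not in line:
        return None
    rec = dict(KV_RE.findall(line))
    # Flag tokens (SYN, ACK, ...) carry no '='; collect the TCP ones as a set.
    rec["FLAGS"] = {tok for tok in line.split() if tok in TCP_FLAGS}
    # Netfilter's MAC field is dst MAC (6 bytes), src MAC (6), ethertype (2), then optional IP header bytes.
    octets = rec.get("MAC", "").split(":")
    if len(octets) >= 14:
        rec["DST_MAC"] = ":".join(octets[0:6])
        rec["SRC_MAC"] = ":".join(octets[6:12])
    return rec

def classify(rec):
    """Label a blocked packet the way the thread reasons about it."""
    if rec.get("PROTO") != "TCP":
        return "non-tcp"
    flags = rec["FLAGS"]
    if "SYN" in flags and "ACK" not in flags:
        return "inbound-connection-attempt"  # someone trying to open a connection to us
    if flags == {"ACK"} and int(rec["SPT"]) < 1024 and int(rec["DPT"]) >= 1024:
        return "out-of-state-reply"  # bare ACK from a service port to our ephemeral port
    return "other"

def summarize(log_text):
    """Return ({classification: count}, set of source MACs the blocked packets arrived from)."""
    counts, src_macs = Counter(), set()
    for line in log_text.splitlines():
        rec = parse_ufw_line(line)
        if rec is None:
            continue
        counts[classify(rec)] += 1
        src_macs.add(rec.get("SRC_MAC"))
    return counts, src_macs
```

If every out-of-state reply carries the same source MAC as the 192.168.0.1 entry in `arp -n`, the packets did come through pfSense and the state mismatch is on the Linux side; a different MAC points at another device on the LAN delivering them.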
-
So what do you suggest I should do?