Netgate Discussion Forum

    What do these messages mean?

    General pfSense Questions | 12 Posts, 3 Posters, 4.3k Views
    security_paranoid

      Hi,
      I just finished setting up pfSense. I use Linux as my OS. Below is a list of connections which Linux's firewall is blocking. The question is how these connections are getting through pfSense.

      $ dmesg |tail
      [ 8690.149440] [UFW BLOCK] IN=eth0 OUT= MAC=b8:27:eb:af:87:64:00:e0:4c:53:44:58:08:00:45:00:00:28:00:00:40:00:39:06:c7:5c SRC=91.189.94.12 DST=192.168.0.2 LEN=40 TOS=0x00 PREC=0x00 TTL=57 ID=0 DF PROTO=TCP SPT=443 DPT=54520 WINDOW=28960 RES=0x00 ACK URGP=0 
      [ 8694.149208] [UFW BLOCK] IN=eth0 OUT= MAC=b8:27:eb:af:87:64:00:e0:4c:53:44:58:08:00:45:00:00:28:00:00:40:00:39:06:c7:5c SRC=91.189.94.12 DST=192.168.0.2 LEN=40 TOS=0x00 PREC=0x00 TTL=57 ID=0 DF PROTO=TCP SPT=443 DPT=54520 WINDOW=28960 RES=0x00 ACK URGP=0 
      [ 8698.149653] [UFW BLOCK] IN=eth0 OUT= MAC=b8:27:eb:af:87:64:00:e0:4c:53:44:58:08:00:45:00:00:28:00:00:40:00:39:06:c7:5c SRC=91.189.94.12 DST=192.168.0.2 LEN=40 TOS=0x00 PREC=0x00 TTL=57 ID=0 DF PROTO=TCP SPT=443 DPT=54520 WINDOW=28960 RES=0x00 ACK URGP=0 
      [ 8740.085477] [UFW BLOCK] IN=eth0 OUT= MAC=b8:27:eb:af:87:64:00:e0:4c:53:44:58:08:00:45:00:00:28:00:00:40:00:39:06:21:12 SRC=31.13.65.7 DST=192.168.0.2 LEN=40 TOS=0x00 PREC=0x00 TTL=57 ID=0 DF PROTO=TCP SPT=443 DPT=53196 WINDOW=27960 RES=0x00 ACK URGP=0 
      [ 8752.289804] [UFW BLOCK] IN=eth0 OUT= MAC=b8:27:eb:af:87:64:00:e0:4c:53:44:58:08:00:45:00:00:28:00:00:40:00:39:06:21:12 SRC=31.13.65.7 DST=192.168.0.2 LEN=40 TOS=0x00 PREC=0x00 TTL=57 ID=0 DF PROTO=TCP SPT=443 DPT=53202 WINDOW=27960 RES=0x00 ACK URGP=0 
      [ 8756.375139] [UFW BLOCK] IN=eth0 OUT= MAC=b8:27:eb:af:87:64:00:e0:4c:53:44:58:08:00:45:00:00:28:00:00:40:00:39:06:21:12 SRC=31.13.65.7 DST=192.168.0.2 LEN=40 TOS=0x00 PREC=0x00 TTL=57 ID=0 DF PROTO=TCP SPT=443 DPT=53208 WINDOW=27960 RES=0x00 ACK URGP=0 
      [ 8756.467028] [UFW BLOCK] IN=eth0 OUT= MAC=b8:27:eb:af:87:64:00:e0:4c:53:44:58:08:00:45:00:00:28:00:00:40:00:39:06:21:12 SRC=31.13.65.7 DST=192.168.0.2 LEN=40 TOS=0x00 PREC=0x00 TTL=57 ID=0 DF PROTO=TCP SPT=443 DPT=53210 WINDOW=27960 RES=0x00 ACK URGP=0 
      [ 8758.866149] [UFW BLOCK] IN=eth0 OUT= MAC=b8:27:eb:af:87:64:00:e0:4c:53:44:58:08:00:45:00:00:28:00:00:40:00:39:06:21:12 SRC=31.13.65.7 DST=192.168.0.2 LEN=40 TOS=0x00 PREC=0x00 TTL=57 ID=0 DF PROTO=TCP SPT=443 DPT=53212 WINDOW=27960 RES=0x00 ACK URGP=0 
      [ 8866.172295] [UFW BLOCK] IN=eth0 OUT= MAC=b8:27:eb:af:87:64:00:e0:4c:53:44:58:08:00:45:00:00:28:00:00:40:00:39:06:18:f5 SRC=31.13.73.36 DST=192.168.0.2 LEN=40 TOS=0x00 PREC=0x00 TTL=57 ID=0 DF PROTO=TCP SPT=443 DPT=44540 WINDOW=27960 RES=0x00 ACK URGP=0 
      [ 9126.470648] [UFW BLOCK] IN=eth0 OUT= MAC=b8:27:eb:af:87:64:00:e0:4c:53:44:58:08:00:45:00:00:28:00:00:40:00:39:06:6e:c3 SRC=50.16.224.82 DST=192.168.0.2 LEN=40 TOS=0x00 PREC=0x00 TTL=57 ID=0 DF PROTO=TCP SPT=443 DPT=60832 WINDOW=26847 RES=0x00 ACK URGP=0 
      
      
      security_paranoid

        Nobody? :(

        w0w

          Something similar to https://askubuntu.com/questions/720455/would-active-connections-cause-this-ufw-block

          johnpoz (LAYER 8, Global Moderator)

            Those are ACKs - so out of state.. So yeah, any stateful firewall would block those..

            You probably have an asymmetrical routing problem, would be the guess off the top of my head.. What is the gateway of your Linux box? Draw up your network.

            An intelligent man is sometimes forced to be drunk to spend time with his fools
            If you get confused: Listen to the Music Play
            Please don't Chat/PM me for help, unless mod related
            SG-4860 24.11 | Lab VMs 2.7.2, 24.11

            security_paranoid

              Thanks to both for your replies.

              My network:

              WAN
              IPv4 Configuration Type: Static

              IP:          172.16.197.XXX
              Subnet Mask: 255.255.255.0
              Gateway:     172.16.197.1

              LAN

              IPv4 Configuration Type: Static IPv4
              IPv4 Address: 192.168.0.1

              Where are the DNS settings? I have set them but forgot where that was.

              Linux box

              $ ifconfig 
              eth0      Link encap:Ethernet  HWaddr b8:27:eb:af:87:64  
                        inet addr:192.168.0.2  Bcast:192.168.0.255  Mask:255.255.255.0
                        inet6 addr: fe80::9cce:2ef4:91bc:ad15/64 Scope:Link
                        UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
                        RX packets:4357 errors:0 dropped:0 overruns:0 frame:0
                        TX packets:4249 errors:0 dropped:0 overruns:0 carrier:0
                        collisions:0 txqueuelen:1000 
                        RX bytes:4523290 (4.3 MiB)  TX bytes:593253 (579.3 KiB)
              
              
               $ route -n
              Kernel IP routing table
              Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
              0.0.0.0         192.168.0.1     0.0.0.0         UG    202    0        0 eth0
              192.168.0.0     0.0.0.0         255.255.255.0   U     202    0        0 eth0
              
              
              w0w

                DNS settings for pfSense: https://doc.pfsense.org/index.php/General_Setup
                DNS settings for Linux depend on the Linux system you are using, e.g. https://askubuntu.com/questions/152593/command-line-to-list-dns-servers-used-by-my-system

                Using double NAT with a private IP on WAN is always fun ;) As I understand it, you have unticked "Block private networks and loopback addresses" in the WAN settings, haven't you?

                security_paranoid

                  Found the DNS settings. Thanks.

                  Using double NAT with a private IP on WAN is always fun. As I understand it, you have unticked "Block private networks and loopback addresses" in the WAN settings, haven't you?

                  No I haven't. Please see attachment.

                  (attachment: wan101.png)

                  w0w

                    @security_paranoid:

                    Found the DNS settings. Thanks.

                    Using double NAT with a private IP on WAN is always fun. As I understand it, you have unticked "Block private networks and loopback addresses" in the WAN settings, haven't you?

                    No I haven't. Please see attachment.

                    If I understand https://doc.pfsense.org/index.php/Prevent_RFC1918_traffic_from_leaving_pfSense_via_the_WAN_interface right, then in your scenario the RFC1918 blocking rule is not applied, but we should wait until somebody confirms that.

                    johnpoz (LAYER 8, Global Moderator)

                      So then how would ACKs that were out of state have gotten to your Linux box? Did you reboot or reset your Linux firewall? pfSense does not forward traffic unless you have set it up, or there has been a state created and that traffic is in answer to a request.

                      All of those packets are from source port 443, so some site you talked to, and these are the answers to your different dest ports.. which are the source ports on your Linux box..

                        security_paranoid

                        So then how would ACKs that were out of state have gotten to your Linux box? Did you reboot or reset your Linux firewall?

                        No I didn't reboot or reset the Linux firewall.

                        pfSense does not forward traffic unless you have set it up, or there has been a state created and that traffic is in answer to a request.

                        All of those packets are from source port 443, so some site you talked to, and these are the answers to your different dest ports.. which are the source ports on your Linux box..

                        So is that normal? Anything to worry about?

                          johnpoz (LAYER 8, Global Moderator)

                          Is it normal for your Linux firewall to be blocking them? No.. If it's traffic you created, then your Linux firewall should allow it. Only if they were out of state would your firewall block them. The only way they would be out of state is if they came from a different direction, i.e. asymmetrical: your Linux firewall was not aware of the state. Or this traffic was not actually meant for your Linux machine. Did you change its IP address and are seeing some other machine's return traffic?

                          That first IP

                          ;; ANSWER SECTION:
                          12.94.189.91.in-addr.arpa. 3600 IN      PTR    feijoa.canonical.com

                          Canonical is the company that does Ubuntu..

                          2nd IP is Facebook
                          ;; ANSWER SECTION:
                          7.65.13.31.in-addr.arpa. 3600  IN      PTR    xx-fbcdn-shv-01-atl3.fbcdn.net.

                          3rd is Amazon
                          ;; ANSWER SECTION:
                          82.224.16.50.in-addr.arpa. 300  IN      PTR    ec2-50-16-224-82.compute-1.amazonaws.com.

                          So these are all common IPs that your machine would normally be talking to.. So why your Linux firewall is blocking them is not normal.. unless out of state for some reason.

                            security_paranoid
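The log lines in the first post, and johnpoz's reading of them above (ACK-only segments from port 443 to high-numbered ports, i.e. replies to connections the Linux box itself opened, arriving after the state was gone), can be checked mechanically rather than by eye. The parser below is an added example; it is not code from this thread, from Netgate or from pfSense. It splits each `[UFW BLOCK]` line into `key=value` fields and bare flag tokens, then sorts each blocked packet into a coarse class and groups them by peer. Three of the sample lines are copied from the first post; the fourth (source 192.0.2.10, a documentation address, SYN to port 22) is constructed to show what an unsolicited inbound attempt looks like by contrast. The 32768 cut-off is Linux's default lower bound for ephemeral ports (`net.ipv4.ip_local_port_range`); adjust it if yours differs.

```python
import re
from collections import Counter, defaultdict

# Bare (valueless) tokens the netfilter LOG target emits: IP flags and TCP flags.
BARE_TOKENS = {"DF", "MF", "CE", "CWR", "ECE", "URG", "ACK", "PSH", "RST", "SYN", "FIN"}
# Server-side ports whose late replies we expect to land on our ephemeral ports.
WELL_KNOWN = {80, 443}
# Linux default lower bound of net.ipv4.ip_local_port_range (assumption: unchanged).
EPHEMERAL_MIN = 32768

# dmesg prefix "[ 8690.149440] [UFW BLOCK] ..." then the netfilter field list.
_PREFIX = re.compile(r"^\[\s*(?P<ts>[\d.]+)\]\s+\[(?P<tag>UFW [A-Z]+)\]\s+(?P<rest>.*)$")

# Lines 1-3 are copied from the first post; line 4 is constructed for contrast.
SAMPLE_LINES = [
    "[ 8690.149440] [UFW BLOCK] IN=eth0 OUT= MAC=b8:27:eb:af:87:64:00:e0:4c:53:44:58:08:00:45:00:00:28:00:00:40:00:39:06:c7:5c SRC=91.189.94.12 DST=192.168.0.2 LEN=40 TOS=0x00 PREC=0x00 TTL=57 ID=0 DF PROTO=TCP SPT=443 DPT=54520 WINDOW=28960 RES=0x00 ACK URGP=0",
    "[ 8740.085477] [UFW BLOCK] IN=eth0 OUT= MAC=b8:27:eb:af:87:64:00:e0:4c:53:44:58:08:00:45:00:00:28:00:00:40:00:39:06:21:12 SRC=31.13.65.7 DST=192.168.0.2 LEN=40 TOS=0x00 PREC=0x00 TTL=57 ID=0 DF PROTO=TCP SPT=443 DPT=53196 WINDOW=27960 RES=0x00 ACK URGP=0",
    "[ 9126.470648] [UFW BLOCK] IN=eth0 OUT= MAC=b8:27:eb:af:87:64:00:e0:4c:53:44:58:08:00:45:00:00:28:00:00:40:00:39:06:6e:c3 SRC=50.16.224.82 DST=192.168.0.2 LEN=40 TOS=0x00 PREC=0x00 TTL=57 ID=0 DF PROTO=TCP SPT=443 DPT=60832 WINDOW=26847 RES=0x00 ACK URGP=0",
    # Constructed: a bare SYN from a documentation-range address to port 22.
    "[ 9200.000000] [UFW BLOCK] IN=eth0 OUT= MAC=00:00:00:00:00:00:00:00:00:00:00:00:08:00 SRC=192.0.2.10 DST=192.168.0.2 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=12345 DF PROTO=TCP SPT=51234 DPT=22 WINDOW=65535 RES=0x00 SYN URGP=0",
]


def parse_ufw_line(line):
    """Turn one '[UFW BLOCK] ...' kernel log line into a dict.

    key=value fields become entries (OUT= yields an empty string); bare flag
    tokens are collected under 'flags'. Returns None for non-UFW lines."""
    m = _PREFIX.match(line.strip())
    if not m:
        return None
    rec = {"ts": float(m.group("ts")), "tag": m.group("tag"), "flags": set()}
    for tok in m.group("rest").split():
        if "=" in tok:
            key, _, value = tok.partition("=")
            rec[key] = value
        elif tok in BARE_TOKENS:
            rec["flags"].add(tok)
    return rec


def classify(rec):
    """Coarse triage of one blocked packet from the defender's point of view."""
    if rec.get("PROTO") != "TCP":
        return "non-tcp"
    flags = rec["flags"]
    spt, dpt = int(rec["SPT"]), int(rec["DPT"])
    if "SYN" in flags and "ACK" not in flags:
        return "unsolicited-syn"          # someone opening a connection to us
    if "RST" in flags:
        return "reset"
    if "ACK" in flags and spt in WELL_KNOWN and dpt >= EPHEMERAL_MIN:
        return "out-of-state-reply"       # reply to our own connection, state already gone
    return "other"


def summarize(lines):
    """Return (class counts, {(SRC, SPT): [DPT, ...]}) for a list of log lines."""
    records = [r for r in map(parse_ufw_line, lines) if r]
    counts = Counter(classify(r) for r in records)
    by_peer = defaultdict(list)
    for r in records:
        by_peer[(r["SRC"], int(r["SPT"]))].append(int(r["DPT"]))
    return counts, dict(by_peer)


if __name__ == "__main__":
    counts, by_peer = summarize(SAMPLE_LINES)
    for cls, n in counts.most_common():
        print(f"{cls:20s} {n}")
    for (src, spt), dpts in by_peer.items():
        print(f"{src}:{spt} -> local ports {dpts}")
```

Feed it the real thing with `dmesg | grep 'UFW BLOCK'` piped into `summarize`. If everything lands in `out-of-state-reply` and the peers are sites the box talks to anyway, the question is why the state was lost (asymmetric path, interface or firewall restart, address change), not whether pfSense is leaking; a pile of `unsolicited-syn` entries arriving on the LAN side would be the thing to chase in the pfSense rules and NAT configuration.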

                            @johnpoz

                            So what do you suggest I should do?

                            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.