Netgate Discussion Forum
    Firewall sending syn request to random local IPs to port 80 and mostly port 22

    General pfSense Questions

      yellow-strip

      Just upgraded SW to 2.4.4-RELEASE-p3 several days ago. Looking into FW why I am having intermittent issues connecting to an IP with different protocols.

      In researching this, I uncovered a very weird issue.

      Looking at ntopng alerts, pfSense is randomly sending SYN requests to various local IPs for ports 80 and mostly to 22.

      I can't figure out what process is causing this, nor how this even started. The system log is configured to capture all traffic for blocking AND passing. This "weird" traffic is not listed in the logs.

      I have no idea why the firewall would even need to randomly attempt to generate this type of traffic.

      I also included a picture with all the packages/services I have installed and running.

      BTW, nothing like this is documented in ntop or netgate. I have checked the forums and documentation.

      Capture.JPG

      Capture-V2.jpg

        isolatedvirus

        Check your firewall for any established connections. This doesn't appear to be normal behavior.

          johnpoz LAYER 8 Global Moderator

          Why are you hiding rfc1918 space?

          Did you set up a load balancer? It's going to check if members of the pool are alive. Do you have anything in your pools?

          An intelligent man is sometimes forced to be drunk to spend time with his fools
          If you get confused: Listen to the Music Play
          Please don't Chat/PM me for help, unless mod related
          SG-4860 24.11 | Lab VMs 2.8, 24.11

            yellow-strip

            The firewall does not establish a connection.

            But, I did find out the cause of this.

            There is an option in Ntop to discover new computers on the network. It does not mention it uses http and ssh for discovery.

            "Active Network Discovery
            Toggle the periodic discovery of network devices using multiple techniques that include ARP scan, MDNS and SSDP."

            Thanks for the help.

              bmeeks @yellow-strip

              So ntopng alerts on its own network host discovery traffic? That's kinda funny and ironic ... ☺ .

                johnpoz LAYER 8 Global Moderator

                Yeah doesn't make a lot of sense for it to do that ;)

                  stephenw10 Netgate Administrator

                  Hmm, I guess good to know at least, but....
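One way to confirm from a packet capture the pattern this thread describes (one address sending SYNs to many local hosts on ports 22 and 80 without completing a connection), as an added example that is not part of any post here. It assumes `tcpdump -nn -tt` text output; the function name `probe_sources`, the `min_hosts` threshold and the sample lines are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample of `tcpdump -nn -tt` output; all addresses are made up.
# 192.168.1.1 stands in for the firewall's LAN address (assumption).
SAMPLE = """\
1565000000.10 IP 192.168.1.1.40112 > 192.168.1.20.22: Flags [S], seq 1, win 65228, length 0
1565000000.20 IP 192.168.1.1.40113 > 192.168.1.21.22: Flags [S], seq 1, win 65228, length 0
1565000000.30 IP 192.168.1.1.40114 > 192.168.1.22.80: Flags [S], seq 1, win 65228, length 0
1565000000.40 IP 192.168.1.1.40115 > 192.168.1.23.22: Flags [S], seq 1, win 65228, length 0
1565000001.00 IP 192.168.1.50.51000 > 192.168.1.20.22: Flags [S], seq 5, win 64240, length 0
1565000001.01 IP 192.168.1.20.22 > 192.168.1.50.51000: Flags [S.], seq 7, ack 6, win 65160, length 0
1565000001.02 IP 192.168.1.50.51000 > 192.168.1.20.22: Flags [.], ack 8, win 502, length 0
"""

LINE = re.compile(
    r"IP (?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+): Flags \[(?P<flags>[^\]]+)\]"
)

def probe_sources(capture, ports=(22, 80), min_hosts=3):
    """Return {src: {port: sorted dst hosts}} for sources whose SYNs to the
    given ports were never followed by a client ACK on the same flow and
    that touched at least min_hosts distinct destinations."""
    syn_flows = {}  # (src, sport, dst, dport) -> handshake completed?
    for line in capture.splitlines():
        m = LINE.search(line)
        if not m:
            continue
        flow = (m["src"], m["sport"], m["dst"], m["dport"])
        if m["flags"] == "S" and int(m["dport"]) in ports:
            syn_flows.setdefault(flow, False)
        elif m["flags"] in (".", "P.") and flow in syn_flows:
            syn_flows[flow] = True  # client ACKed: a real connection
    by_src = defaultdict(lambda: defaultdict(set))
    for (src, _sport, dst, dport), completed in syn_flows.items():
        if not completed:
            by_src[src][int(dport)].add(dst)
    return {
        src: {port: sorted(hosts) for port, hosts in per_port.items()}
        for src, per_port in by_src.items()
        if len(set().union(*per_port.values())) >= min_hosts
    }

if __name__ == "__main__":
    for src, per_port in probe_sources(SAMPLE).items():
        print(src, per_port)
```

This only confirms the traffic pattern and its source address; which process on that host generates it still has to be found separately, as it was in this thread.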