Netgate Discussion Forum
    Education please: don't understand blocked port 3128 entries in log

      bri189

      I'm hoping someone can educate me on why I'm seeing the below in my logs.

      This is my single laptop (10.10.10.10) hooked to the LAN side of pfSense (the only machine on the LAN), and pfSense LAN DHCP is configured for a 10.10.10.0/25 address range. I have hundreds of these log entries polluting my log and I'm not sure if there is a problem with my squid/squidGuard configuration or something else to be concerned about.

      Jun 6 17:02:28 LAN 10.112.114.54:58623 127.0.0.1:3128 TCP:FA
      Jun 6 17:02:28 LAN 10.112.114.54:58623 127.0.0.1:3128 TCP:FA
        Jun 6 17:02:27 LAN 10.112.114.54:58623 127.0.0.1:3128 TCP:FA
      Jun 6 17:02:27 LAN 10.112.114.54:58623 127.0.0.1:3128 TCP:FA
      Jun 6 16:50:27 LAN 10.10.10.10:50805         127.0.0.1:3128 TCP:FPA
      Jun 6 16:50:24 LAN 10.112.114.54:58569 127.0.0.1:3128 TCP:FA
      Jun 6 16:50:01 LAN 10.10.10.10:50805         127.0.0.1:3128 TCP:FPA
      Jun 6 16:49:57 LAN 10.112.114.54:58569 127.0.0.1:3128 TCP:FA
      Jun 6 16:49:48 LAN 10.10.10.10:50805         127.0.0.1:3128 TCP:FPA
      Jun 6 16:49:44 LAN 10.112.114.54:58569 127.0.0.1:3128 TCP:FA
      Jun 6 16:49:41 LAN 10.10.10.10:50805         127.0.0.1:3128 TCP:FPA
      Jun 6 16:49:38 LAN 10.10.10.10:50805         127.0.0.1:3128 TCP:FPA
      Jun 6 16:49:37 LAN 10.112.114.54:58569 127.0.0.1:3128 TCP:FA
      Jun 6 16:49:36 LAN 10.10.10.10:50805         127.0.0.1:3128 TCP:FPA
      Jun 6 16:49:35 LAN 10.10.10.10:50805         127.0.0.1:3128 TCP:FPA
      Jun 6 16:49:35 LAN 10.10.10.10:50805         127.0.0.1:3128 TCP:FPA

      How is my laptop connecting to loopback showing up in firewall logs? How is whatever this errant 10.112.114.54 connecting to its loopback showing up in firewall logs?

      Thanks so much for taking the time to explain to me.

        chris4916

        It looks like you have configured Squid (proxy) in transparent mode:
        the way this works is that a request on the LAN interface, port 80, is (transparently) redirected to the Squid process listening on localhost, port 3128.

        Regarding 10.112.114.54…. I've no idea  :-[
        Are you sure there is:

        • no wifi
        • one single IP on your laptop

        Jah Olela Wembo: Words turn into ills when they upset, attack or hurt.

          KOM

          Those are out of state packets.  Ignore them.

            bri189

            Thanks KOM, Chris4916,

            Correct, I'm using Squid in transparent mode; the confusion for me is that I don't understand how a packet headed for 127.0.0.1 on my computer ever leaves my eth1 interface (10.10.10.10) to show up in the firewall.

            I'm not familiar with what an "out of state packet" is and that's probably the missing data I need before I feel good about simply creating a rule to ignore them (versus getting logged) versus something not working right.

            Best information I could find on Google was on various sites that pointed back to misconfiguration or high-loads in a cluster environment (not the case here) or symptom of someone attacking.

            https://www.google.com/?q=TCP+packet+out+of+state

            The logs with a source (LAN) of 10.112.114.54 are concerning/confusing. There physically wasn't anything else connected to the LAN at the time and my LAN is configured as 10.10.10.0/25.

            I'm not overly concerned, just looking to get a better understanding (if you don't understand your logs, what good are they, right?), thanks for the insights!

              KOM

              An out of state packet is one that was part of an established session but that session has since been torn down.  All of those blocks are for a FIN ACK (or FIN PUSH ACK), you will note.  The pfSense side says "I'm going to tear this connection down and close it!"  The other side says "OK", but pfSense has already torn the connection down so it sees the OK reply as an unsolicited new connection attempt and blocks it.

              https://doc.pfsense.org/index.php/Why_do_my_logs_show_%22blocked%22_for_traffic_from_a_legitimate_connection

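Added example, not part of the thread and not pfSense code: a Python sketch that parses lines in the format of the log excerpt in the first post, labels each blocked packet by its TCP flags along the lines of the out-of-state explanation above, and lists sources outside the 10.10.10.0/25 LAN. The sample reuses entries from the first post plus one constructed TCP:S entry for contrast; the names classify and summarize are hypothetical.

```python
import ipaddress
import re
from collections import Counter

# Sample in the format of the log excerpt in the first post.
# The last line (TCP:S) is constructed for contrast; it is not from the thread.
SAMPLE = """\
Jun 6 17:02:28 LAN 10.112.114.54:58623 127.0.0.1:3128 TCP:FA
Jun 6 16:50:27 LAN 10.10.10.10:50805 127.0.0.1:3128 TCP:FPA
Jun 6 16:50:24 LAN 10.112.114.54:58569 127.0.0.1:3128 TCP:FA
Jun 6 16:49:48 LAN 10.10.10.10:50805 127.0.0.1:3128 TCP:FPA
Jun 6 16:40:02 LAN 10.10.10.10:50900 127.0.0.1:3128 TCP:S
"""

LINE = re.compile(
    r"^\s*(?P<ts>\w{3}\s+\d+\s+[\d:]+)\s+(?P<iface>\S+)\s+"
    r"(?P<src>[\d.]+):(?P<sport>\d+)\s+(?P<dst>[\d.]+):(?P<dport>\d+)\s+"
    r"TCP:(?P<flags>[A-Z]+)\s*$"
)

def classify(flags):
    """Label a blocked TCP packet by its flag letters (F, S, R, P, A)."""
    f = set(flags)
    if "S" in f and "A" not in f:
        return "new-connection"       # a bare SYN was blocked by a rule
    if "F" in f or "R" in f:
        return "teardown"             # FIN/RST arriving after the state is gone
    return "other-out-of-state"       # e.g. a late ACK with no matching state

def summarize(text, lan="10.10.10.0/25"):
    """Count blocked flows by class and list sources outside the LAN subnet."""
    net = ipaddress.ip_network(lan)
    flows, foreign = Counter(), set()
    for raw in text.splitlines():
        m = LINE.match(raw)
        if not m:
            continue                  # skip lines that are not log entries
        kind = classify(m["flags"])
        flows[(m["src"], int(m["sport"]), m["flags"], kind)] += 1
        if ipaddress.ip_address(m["src"]) not in net:
            foreign.add(m["src"])
    return flows, sorted(foreign)

if __name__ == "__main__":
    flows, foreign = summarize(SAMPLE)
    for (src, sport, flags, kind), n in flows.most_common():
        print(f"{n:3d}  {src}:{sport}  TCP:{flags}  {kind}")
    print("sources outside LAN subnet:", foreign)
```

Entries labelled teardown that repeat on one source port are retransmitted FIN packets for a single closed session; the list of sources outside the LAN subnet is the part of the output that still needs an explanation.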
              Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.