What do these messages mean?



  • Hi,
    I just finished setting up pfSense. I use Linux as my OS. Below is a list of connections which Linux's firewall is blocking. The question is how these connections are getting through pfSense.

    $ dmesg |tail
    [ 8690.149440] [UFW BLOCK] IN=eth0 OUT= MAC=b8:27:eb:af:87:64:00:e0:4c:53:44:58:08:00:45:00:00:28:00:00:40:00:39:06:c7:5c SRC=91.189.94.12 DST=192.168.0.2 LEN=40 TOS=0x00 PREC=0x00 TTL=57 ID=0 DF PROTO=TCP SPT=443 DPT=54520 WINDOW=28960 RES=0x00 ACK URGP=0 
    [ 8694.149208] [UFW BLOCK] IN=eth0 OUT= MAC=b8:27:eb:af:87:64:00:e0:4c:53:44:58:08:00:45:00:00:28:00:00:40:00:39:06:c7:5c SRC=91.189.94.12 DST=192.168.0.2 LEN=40 TOS=0x00 PREC=0x00 TTL=57 ID=0 DF PROTO=TCP SPT=443 DPT=54520 WINDOW=28960 RES=0x00 ACK URGP=0 
    [ 8698.149653] [UFW BLOCK] IN=eth0 OUT= MAC=b8:27:eb:af:87:64:00:e0:4c:53:44:58:08:00:45:00:00:28:00:00:40:00:39:06:c7:5c SRC=91.189.94.12 DST=192.168.0.2 LEN=40 TOS=0x00 PREC=0x00 TTL=57 ID=0 DF PROTO=TCP SPT=443 DPT=54520 WINDOW=28960 RES=0x00 ACK URGP=0 
    [ 8740.085477] [UFW BLOCK] IN=eth0 OUT= MAC=b8:27:eb:af:87:64:00:e0:4c:53:44:58:08:00:45:00:00:28:00:00:40:00:39:06:21:12 SRC=31.13.65.7 DST=192.168.0.2 LEN=40 TOS=0x00 PREC=0x00 TTL=57 ID=0 DF PROTO=TCP SPT=443 DPT=53196 WINDOW=27960 RES=0x00 ACK URGP=0 
    [ 8752.289804] [UFW BLOCK] IN=eth0 OUT= MAC=b8:27:eb:af:87:64:00:e0:4c:53:44:58:08:00:45:00:00:28:00:00:40:00:39:06:21:12 SRC=31.13.65.7 DST=192.168.0.2 LEN=40 TOS=0x00 PREC=0x00 TTL=57 ID=0 DF PROTO=TCP SPT=443 DPT=53202 WINDOW=27960 RES=0x00 ACK URGP=0 
    [ 8756.375139] [UFW BLOCK] IN=eth0 OUT= MAC=b8:27:eb:af:87:64:00:e0:4c:53:44:58:08:00:45:00:00:28:00:00:40:00:39:06:21:12 SRC=31.13.65.7 DST=192.168.0.2 LEN=40 TOS=0x00 PREC=0x00 TTL=57 ID=0 DF PROTO=TCP SPT=443 DPT=53208 WINDOW=27960 RES=0x00 ACK URGP=0 
    [ 8756.467028] [UFW BLOCK] IN=eth0 OUT= MAC=b8:27:eb:af:87:64:00:e0:4c:53:44:58:08:00:45:00:00:28:00:00:40:00:39:06:21:12 SRC=31.13.65.7 DST=192.168.0.2 LEN=40 TOS=0x00 PREC=0x00 TTL=57 ID=0 DF PROTO=TCP SPT=443 DPT=53210 WINDOW=27960 RES=0x00 ACK URGP=0 
    [ 8758.866149] [UFW BLOCK] IN=eth0 OUT= MAC=b8:27:eb:af:87:64:00:e0:4c:53:44:58:08:00:45:00:00:28:00:00:40:00:39:06:21:12 SRC=31.13.65.7 DST=192.168.0.2 LEN=40 TOS=0x00 PREC=0x00 TTL=57 ID=0 DF PROTO=TCP SPT=443 DPT=53212 WINDOW=27960 RES=0x00 ACK URGP=0 
    [ 8866.172295] [UFW BLOCK] IN=eth0 OUT= MAC=b8:27:eb:af:87:64:00:e0:4c:53:44:58:08:00:45:00:00:28:00:00:40:00:39:06:18:f5 SRC=31.13.73.36 DST=192.168.0.2 LEN=40 TOS=0x00 PREC=0x00 TTL=57 ID=0 DF PROTO=TCP SPT=443 DPT=44540 WINDOW=27960 RES=0x00 ACK URGP=0 
    [ 9126.470648] [UFW BLOCK] IN=eth0 OUT= MAC=b8:27:eb:af:87:64:00:e0:4c:53:44:58:08:00:45:00:00:28:00:00:40:00:39:06:6e:c3 SRC=50.16.224.82 DST=192.168.0.2 LEN=40 TOS=0x00 PREC=0x00 TTL=57 ID=0 DF PROTO=TCP SPT=443 DPT=60832 WINDOW=26847 RES=0x00 ACK URGP=0 
    
    


  • Nobody ? :(




  • LAYER 8 Global Moderator

    Those are ACKs - so out of state..  So yeah any stateful firewall would block those..

    You prob have an asymmetrical routing problem would be the guess off the top of my head..  What is the gateway of your linux box.. draw up your network.



  • Thanks to both for your replies.

    My network:

    WAN
    IPv4 Configuration Type: Static

    IP:          172.16.197.XXX
    Subnet Mask: 255.255.255.0
    Gateway:     172.16.197.1

    LAN

    IPv4 Configuration Type: Static IPv4
    IPv4 Address: 192.168.0.1

    Where are the DNS settings? I have set them but forgot where they were.

    Linux box

    $ ifconfig 
    eth0      Link encap:Ethernet  HWaddr b8:27:eb:af:87:64  
              inet addr:192.168.0.2  Bcast:192.168.0.255  Mask:255.255.255.0
              inet6 addr: fe80::9cce:2ef4:91bc:ad15/64 Scope:Link
              UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
              RX packets:4357 errors:0 dropped:0 overruns:0 frame:0
              TX packets:4249 errors:0 dropped:0 overruns:0 carrier:0
              collisions:0 txqueuelen:1000 
              RX bytes:4523290 (4.3 MiB)  TX bytes:593253 (579.3 KiB)
    
    
    $ route -n
    Kernel IP routing table
    Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
    0.0.0.0         192.168.0.1     0.0.0.0         UG    202    0        0 eth0
    192.168.0.0     0.0.0.0         255.255.255.0   U     202    0        0 eth0
    
    


  • DNS settings for pfSense — https://doc.pfsense.org/index.php/General_Setup
    DNS settings for Linux depend on the Linux distribution you are using, e.g. https://askubuntu.com/questions/152593/command-line-to-list-dns-servers-used-by-my-system

    Using double NAT with a private IP on WAN is always fun ;) As I understand, you have unticked "Block private networks and loopback addresses" in the WAN settings, haven't you?



  • Found the DNS settings. Thanks.

    Using double NAT with a private IP on WAN is always fun ;) As I understand, you have unticked "Block private networks and loopback addresses" in the WAN settings, haven't you?

    No I haven't. Please see attachment.




  • @security_paranoid:

    Found the DNS settings. Thanks.

    Using double NAT with a private IP on WAN is always fun ;) As I understand, you have unticked "Block private networks and loopback addresses" in the WAN settings, haven't you?

    No I haven't. Please see attachment.

    If I understand this https://doc.pfsense.org/index.php/Prevent_RFC1918_traffic_from_leaving_pfSense_via_the_WAN_interface right, then in your scenario the RFC1918 blocking rule is not applied, but we should wait until somebody confirms that.


  • LAYER 8 Global Moderator

    So then how would ACKs have gotten to your linux box that were out of state?  Did you reboot or reset your linux firewall?  pfSense does not forward traffic unless you have set it up, or there has been a state created and that traffic is in answer to a request.

    All of those packets are from source port 443, so some site you talked to and these are the answers to your different dest ports.. Which are the source ports on your linux box..



  • So then how would acks have gotten to your linux box that were out of state?  Did you reboot or reset your linux firewall?

    No I didn't reboot or reset the Linux firewall.

    pfSense does not forward traffic unless you have set it up, or there has been a state created and that traffic is in answer to a request.

    All of those packets are from source port 443, so some site you talked to and these are the answers to your different dest ports.. Which are the source ports on your linux box..

    So is that normal? Anything to worry about?


  • LAYER 8 Global Moderator

    Is it normal for your linux firewall to be blocking them? No.. If it's traffic you created then your linux firewall should allow them.  Only if they were out of state would your firewall block them.  The only way they would be out of state is if they came from a different direction, ie asymmetrical.  Your linux firewall was not aware of the state.  Or this traffic was not actually meant for your linux machine.  Did you change its IP address and are seeing some other machine's return traffic?

    That first IP

    ;; ANSWER SECTION:
    12.94.189.91.in-addr.arpa. 3600 IN      PTR    feijoa.canonical.com

    Canonical is the company that does Ubuntu..

    2nd IP is Facebook
    ;; ANSWER SECTION:
    7.65.13.31.in-addr.arpa. 3600  IN      PTR    xx-fbcdn-shv-01-atl3.fbcdn.net.

    3rd is Amazon
    ;; ANSWER SECTION:
    82.224.16.50.in-addr.arpa. 300  IN      PTR    ec2-50-16-224-82.compute-1.amazonaws.com.

    So these are all common IPs that your machine would normally be talking to..  So why your linux firewall is blocking them is not normal.. Unless out of state for some reason.
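As an added example (not code from any poster in this thread), here is a small Python triage script that parses the dmesg lines from the first post and applies the reasoning above: a TCP segment with ACK set but no SYN, arriving from source port 443, is a reply to a connection this host has no state for, rather than a new inbound connection attempt, so the thing to investigate is the path the reply took, not the remote host. SAMPLE_DMESG is constructed: three lines copied from the first post plus one made-up SYN line (documentation-range source 203.0.113.9) to show the contrast.

```python
import re
from collections import defaultdict
# Constructed sample: three lines copied from the first post, the last one made up to show a plain SYN.
SAMPLE_DMESG = """\
[ 8690.149440] [UFW BLOCK] IN=eth0 OUT= MAC=b8:27:eb:af:87:64:00:e0:4c:53:44:58:08:00:45:00:00:28:00:00:40:00:39:06:c7:5c SRC=91.189.94.12 DST=192.168.0.2 LEN=40 TOS=0x00 PREC=0x00 TTL=57 ID=0 DF PROTO=TCP SPT=443 DPT=54520 WINDOW=28960 RES=0x00 ACK URGP=0
[ 8740.085477] [UFW BLOCK] IN=eth0 OUT= MAC=b8:27:eb:af:87:64:00:e0:4c:53:44:58:08:00:45:00:00:28:00:00:40:00:39:06:21:12 SRC=31.13.65.7 DST=192.168.0.2 LEN=40 TOS=0x00 PREC=0x00 TTL=57 ID=0 DF PROTO=TCP SPT=443 DPT=53196 WINDOW=27960 RES=0x00 ACK URGP=0
[ 8752.289804] [UFW BLOCK] IN=eth0 OUT= MAC=b8:27:eb:af:87:64:00:e0:4c:53:44:58:08:00:45:00:00:28:00:00:40:00:39:06:21:12 SRC=31.13.65.7 DST=192.168.0.2 LEN=40 TOS=0x00 PREC=0x00 TTL=57 ID=0 DF PROTO=TCP SPT=443 DPT=53202 WINDOW=27960 RES=0x00 ACK URGP=0
[ 9000.000000] [UFW BLOCK] IN=eth0 OUT= MAC=00:00:00:00:00:00:00:00:00:00:00:00:08:00 SRC=203.0.113.9 DST=192.168.0.2 LEN=60 TOS=0x00 PREC=0x00 TTL=50 ID=1234 DF PROTO=TCP SPT=51000 DPT=22 WINDOW=65535 RES=0x00 SYN URGP=0
"""

TCP_FLAGS = {"SYN", "ACK", "FIN", "RST", "PSH", "URG"}
UFW_RE = re.compile(r"\[UFW BLOCK\]\s*(.*)$")

def parse_ufw_line(line):
    """Parse one '[UFW BLOCK] ...' record into key=value fields plus a set of TCP flags; None if not one."""
    m = UFW_RE.search(line)
    if not m:
        return None
    rec = {"flags": set()}
    for tok in m.group(1).split():
        if "=" in tok:            # key=value; the value may be empty, as in 'OUT='
            k, v = tok.split("=", 1)
            rec[k] = v
        elif tok in TCP_FLAGS:    # bare TCP flag tokens; DF, CE etc. are ignored
            rec["flags"].add(tok)
    return rec

def classify(rec):
    """Why a stateful host firewall (UFW on netfilter conntrack) would drop this packet."""
    if rec.get("PROTO") != "TCP":
        return "non-tcp"
    f = rec["flags"]
    if "SYN" in f and "ACK" not in f:
        return "new-inbound-syn"   # unsolicited connection attempt: expected to be dropped
    if "ACK" in f and "SYN" not in f:
        # Reply segment for a connection the host has no conntrack entry for (asymmetric return path, state reset/expiry)
        return "out-of-state-ack"
    return "other"

def summarize(dmesg_text):
    """Group drops by source address: count, verdicts, source ports and destination ports hit."""
    out = defaultdict(lambda: {"count": 0, "verdict": set(), "spt": set(), "dpt": set()})
    for rec in filter(None, map(parse_ufw_line, dmesg_text.splitlines())):
        s = out[rec["SRC"]]
        s["count"] += 1
        s["verdict"].add(classify(rec))
        s["spt"].add(int(rec["SPT"]))
        s["dpt"].add(int(rec["DPT"]))
    return dict(out)
```

Run it over `dmesg` output on the Linux box: sources that only ever show `out-of-state-ack` from SPT 443 to high DPTs are replies to the box's own HTTPS sessions, which points at the routing path; any `new-inbound-syn` entries are the real unsolicited traffic.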



  • @johnpoz

    So what do you suggest I should do?

