Strange outgoing traffic



  • Hi there

    I use pfSense 1.2.2.
    I'm getting strange firewall log entries that I don't understand.

    Act    Time  If  Source                  Destination                Proto
    Mar 16 12:51:19 WAN 62.159.xx.xxx:54322 74.217.78.111:80 TCP (F)
    Mar 16 12:50:37 WAN 62.159.xx.xxx:63342 74.217.78.111:80 TCP (F)
    Mar 16 12:50:17 WAN 62.159.xx.xxx:52215 74.217.78.111:80 TCP (F)
    Mar 16 12:49:33 WAN 62.159.xx.xxx:63113 194.64.250.200:80 TCP (F)
    Mar 16 12:48:54 WAN 62.159.xx.xxx:50014 194.64.250.200:80 TCP (F)
    Mar 16 12:44:49 WAN 62.159.xx.xxx:61229 217.79.188.21:80 TCP (F)
    Mar 16 12:44:09 WAN 62.159.xx.xxx:53494 217.79.188.21:80 TCP (F)

    62.159.xx.xxx is my public IP on the WAN Interface

    What the heck is this?

    The destination IP changes.



  • So, something on your network is connecting to web servers on those IP addresses.

    74.217.78.111 - updates.installshield.com
    194.64.250.200 - adserv.quality-channel.de
    217.79.188.21 - no rDNS, German host

    What's so strange about that?



  • Nothing strange, if the traffic weren't shown as blocked…
    The firewall shows the traffic as blocked.
    I mean, traffic to port 80 is allowed by default...



  • 1.2.2
    built on Thu Jan 8 23:09:11 EST 2009
    on Embedded…

    I'm also seeing strange things in my Firewall log.

    Why is legitimate surfing to websites being logged as blocked traffic?
    -> block drop in log quick all label "Default deny rule"
    It doesn't really seem to be blocking, or is it???

    What "Default deny rule" are they referring to here?

    I have a rule on LAN to allow all traffic to WAN.

    I am starting to lose confidence in pfSense.

    Firewall Logs:
            Act    Time  If  Source                  Destination          Proto
    Mar 28 19:42:34 WAN 209.73.189.216:80 74.187.30.18:57705 TCP
    Mar 28 19:41:54 WAN 209.73.189.216:80 74.187.30.18:57705 TCP
    Mar 28 19:41:34 WAN 209.73.189.216:80 74.187.30.18:57705 TCP
    Mar 28 19:41:24 WAN 209.73.189.216:80 74.187.30.18:57705 TCP
    Mar 28 19:41:19 WAN 209.73.189.216:80 74.187.30.18:57705 TCP
    Mar 28 19:41:16 WAN 209.73.189.216:80 74.187.30.18:57705 TCP
    Mar 28 19:39:44 WAN 74.187.30.18:50375 117.53.171.171:80 TCP
    Mar 28 19:39:44 WAN 74.187.30.18:57704 117.53.171.171:80 TCP
    Mar 28 19:39:35 WAN 74.187.30.18:65174 117.53.171.171:80 TCP
    Mar 28 19:39:35 WAN 74.187.30.18:52965 117.53.171.171:80 TCP
    Mar 28 19:39:35 WAN 74.187.30.18:60846 117.53.171.171:80 TCP
    Mar 28 19:39:32 WAN 74.187.30.18:60934 117.53.171.171:80 TCP
    Mar 28 19:39:32 WAN 74.187.30.18:59867 117.53.171.171:80 TCP
    Mar 28 19:39:23 WAN 74.187.30.18:52933 117.53.171.171:80 TCP
    Mar 28 19:39:20 WAN 74.187.30.18:50484 117.53.171.171:80 TCP
    Mar 28 19:39:01 WAN 74.187.30.18:59536 117.53.171.171:80 TCP
    Mar 28 19:39:01 WAN 74.187.30.18:57104 117.53.171.171:80 TCP
    Mar 28 19:38:57 WAN 74.187.30.18:60855 117.53.171.171:80 TCP
    Mar 28 19:38:57 WAN 74.187.30.18:55239 117.53.171.171:80 TCP
    Mar 28 19:38:57 WAN 74.187.30.18:55808 117.53.171.171:80 TCP
    Mar 28 19:38:55 WAN 74.187.30.18:50737 117.53.171.171:80 TCP


  • Rebel Alliance Developer Netgate



  • Thank you jimp for pointing us to the answer.

    Though I see the point that is being made here,
    it seems absurd/alarming that the logs are reporting SO MUCH of this occurring…

    Makes me want to ignore the Firewall logs now.

    Which defeats the purpose of the logs, to begin with...
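An added triage script (not from the thread or from pfSense) that parses the 1.2.2 log lines quoted above and labels each blocked entry by the likely reason it hit the "Default deny rule": in pf, a packet that matches no existing state falls through to the default block, so the FIN of a session whose state has already closed, or a late reply from a web server, is logged as blocked even though port 80 is allowed. The sample lines are copied from the two posts, the local-IP argument is assumed, and the labels are heuristics, so anything marked "review" still needs the rules and TCP flags checked.

```python
import re
from collections import Counter

# pfSense 1.2.2 firewall-log line shape quoted in this thread, e.g.
#   "Mar 16 12:51:19 WAN 62.159.xx.xxx:54322 74.217.78.111:80 TCP (F)"
# The first poster masked octets with "x", so the address pattern tolerates that.
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}) +(?P<iface>\S+) +"
    r"(?P<src>[\dx.]+):(?P<sport>\d+) +(?P<dst>[\dx.]+):(?P<dport>\d+) +"
    r"(?P<proto>[A-Z]+)(?: +\((?P<flags>[A-Z]+)\))?$"
)
EPHEMERAL_MIN = 49152  # IANA dynamic range; every client port in the thread is above it

def parse_line(line):
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    e = m.groupdict()
    e["sport"], e["dport"] = int(e["sport"]), int(e["dport"])
    e["flags"] = e["flags"] or ""
    return e

def classify(entry, local_ip):
    """Guess why a packet fell through to pf's default deny rule (heuristic, not proof)."""
    if entry is None:
        return "unparsed"
    if entry["proto"] != "TCP":
        return "review"
    outbound, inbound = entry["src"] == local_ip, entry["dst"] == local_ip
    flags = set(entry["flags"])
    # Our host sends FIN/RST to a server port: tail of a session whose state already closed.
    if outbound and entry["dport"] < 1024 and flags & {"F", "R"}:
        return "stale-state-teardown"
    # A server port answers one of our ephemeral ports: late reply with no state left to match.
    if inbound and entry["sport"] < 1024 and entry["dport"] >= EPHEMERAL_MIN:
        return "late-reply-no-state"
    # Outbound to a server port but no flags logged: could be a fresh SYN, so check the rules.
    if outbound and entry["dport"] < 1024 and not flags:
        return "review-flags-unknown"
    return "review"

def triage(lines, local_ip):
    """Count entries per label so state-teardown noise can be separated from real blocks."""
    return Counter(classify(parse_line(l), local_ip) for l in lines if l.strip())

# Constructed samples: one pair of lines from each post (local IP differs per poster).
SAMPLE_A = ["Mar 16 12:51:19 WAN 62.159.xx.xxx:54322 74.217.78.111:80 TCP (F)",
            "Mar 16 12:49:33 WAN 62.159.xx.xxx:63113 194.64.250.200:80 TCP (F)"]
SAMPLE_B = ["Mar 28 19:42:34 WAN 209.73.189.216:80 74.187.30.18:57705 TCP",
            "Mar 28 19:39:44 WAN 74.187.30.18:50375 117.53.171.171:80 TCP"]
```

Call `triage(SAMPLE_A, "62.159.xx.xxx")` or `triage(SAMPLE_B, "74.187.30.18")` to see the label counts for each poster's log.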

