Strange outgoing traffic
-
Hi there,
I use pfSense 1.2.2.
I'm getting strange firewall log entries that I don't understand.
Act Time If Source Destination Proto
Mar 16 12:51:19 WAN 62.159.xx.xxx:54322 74.217.78.111:80 TCP (F)
Mar 16 12:50:37 WAN 62.159.xx.xxx:63342 74.217.78.111:80 TCP (F)
Mar 16 12:50:17 WAN 62.159.xx.xxx:52215 74.217.78.111:80 TCP (F)
Mar 16 12:49:33 WAN 62.159.xx.xxx:63113 194.64.250.200:80 TCP (F)
Mar 16 12:48:54 WAN 62.159.xx.xxx:50014 194.64.250.200:80 TCP (F)
Mar 16 12:44:49 WAN 62.159.xx.xxx:61229 217.79.188.21:80 TCP (F)
Mar 16 12:44:09 WAN 62.159.xx.xxx:53494 217.79.188.21:80 TCP (F)62.159.xx.xxx is my public IP on the WAN Interface
What the hack is this ?
The Destionation IP changes
-
So, something on your network is connecting to web servers on those IP addresses.
74.217.78.111 - updates.installshield.com
194.64.250.200 - adserv.quality-channel.de
217.79.188.21 - no rDNS, German host
What's so strange about that?
-
Nothing strange, if the traffic weren't shown as blocked….
The firewall shows the traffic as blocked.
I mean, traffic to port 80 is allowed by default...
-
1.2.2
built on Thu Jan 8 23:09:11 EST 2009
on Embedded
I'm also seeing strange things in my firewall log.
Why is legitimate surfing to websites being logged as blocked traffic?
-> block drop in log quick all label "Default deny rule"
It doesn't really seem to be blocking, or is it???
What "Default deny rule" are they referring to here?
I have a rule on LAN to allow all traffic to WAN.
I am starting to lose confidence in pfSense.
Firewall Logs:
Act Time If Source Destination Proto
Mar 28 19:42:34 WAN 209.73.189.216:80 74.187.30.18:57705 TCP
Mar 28 19:41:54 WAN 209.73.189.216:80 74.187.30.18:57705 TCP
Mar 28 19:41:34 WAN 209.73.189.216:80 74.187.30.18:57705 TCP
Mar 28 19:41:24 WAN 209.73.189.216:80 74.187.30.18:57705 TCP
Mar 28 19:41:19 WAN 209.73.189.216:80 74.187.30.18:57705 TCP
Mar 28 19:41:16 WAN 209.73.189.216:80 74.187.30.18:57705 TCP
Mar 28 19:39:44 WAN 74.187.30.18:50375 117.53.171.171:80 TCP
Mar 28 19:39:44 WAN 74.187.30.18:57704 117.53.171.171:80 TCP
Mar 28 19:39:35 WAN 74.187.30.18:65174 117.53.171.171:80 TCP
Mar 28 19:39:35 WAN 74.187.30.18:52965 117.53.171.171:80 TCP
Mar 28 19:39:35 WAN 74.187.30.18:60846 117.53.171.171:80 TCP
Mar 28 19:39:32 WAN 74.187.30.18:60934 117.53.171.171:80 TCP
Mar 28 19:39:32 WAN 74.187.30.18:59867 117.53.171.171:80 TCP
Mar 28 19:39:23 WAN 74.187.30.18:52933 117.53.171.171:80 TCP
Mar 28 19:39:20 WAN 74.187.30.18:50484 117.53.171.171:80 TCP
Mar 28 19:39:01 WAN 74.187.30.18:59536 117.53.171.171:80 TCP
Mar 28 19:39:01 WAN 74.187.30.18:57104 117.53.171.171:80 TCP
Mar 28 19:38:57 WAN 74.187.30.18:60855 117.53.171.171:80 TCP
Mar 28 19:38:57 WAN 74.187.30.18:55239 117.53.171.171:80 TCP
Mar 28 19:38:57 WAN 74.187.30.18:55808 117.53.171.171:80 TCP
Mar 28 19:38:55 WAN 74.187.30.18:50737 117.53.171.171:80 TCP
-
-
Thank you jimp for pointing us to the answer.
Though I see the point that is being made here, it seems absurd/alarming that the logs are reporting SO MUCH of this occurring… It makes me want to ignore the firewall logs now,
which defeats the purpose of the logs to begin with...
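For anyone triaging the kind of "Default deny rule" entries quoted in the two log posts above, here is an added example (written for this page, not pfSense's own code) that parses the pfSense 1.2 firewall-log layout shown in the thread and sorts each blocked entry by direction and TCP flags, so that ordinary outbound web connections, FIN packets and server replies arriving after a session is gone can be counted separately from anything else. The local WAN addresses and the sample lines are constructed from the thread's entries; the masked poster address is replaced by the placeholder 62.159.0.1.

```python
import re
from collections import Counter

# Constructed sample lines in the pfSense 1.2 log layout quoted in the thread (62.159.0.1 is a placeholder WAN IP).
SAMPLE_LOG = """\
Mar 16 12:51:19 WAN 62.159.0.1:54322 74.217.78.111:80 TCP (F)
Mar 16 12:49:33 WAN 62.159.0.1:63113 194.64.250.200:80 TCP (F)
Mar 28 19:42:34 WAN 209.73.189.216:80 74.187.30.18:57705 TCP
Mar 28 19:39:44 WAN 74.187.30.18:50375 117.53.171.171:80 TCP
Mar 28 19:39:44 WAN 74.187.30.18:50375 117.53.171.171:23 TCP (S)
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<iface>\S+) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) (?P<dst>[\d.]+):(?P<dport>\d+) "
    r"(?P<proto>\S+)(?: \((?P<flags>[A-Z]+)\))?$"
)

def parse_line(line):
    """Return a dict for one log entry, or None if the line does not match the layout."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["sport"], rec["dport"] = int(rec["sport"]), int(rec["dport"])
    rec["flags"] = rec["flags"] or ""
    return rec

def classify(rec, local_ips, web_ports=(80, 443)):
    """Label a blocked entry by direction and what it most likely is."""
    outbound = rec["src"] in local_ips
    if outbound and rec["dport"] in web_ports and "F" in rec["flags"]:
        return "outbound-web-fin"      # FIN for a web session the firewall no longer has state for (assumption)
    if outbound and rec["dport"] in web_ports:
        return "outbound-web"
    if not outbound and rec["sport"] in web_ports and rec["dst"] in local_ips:
        return "inbound-web-reply"     # server-to-client packet that arrived with no matching state
    if outbound:
        return "outbound-other"        # anything else leaving the network; worth a closer look
    return "inbound-other"

def triage(text, local_ips):
    """Count blocked entries per class; lines that do not parse are counted as 'unparsed'."""
    counts = Counter()
    for line in text.splitlines():
        rec = parse_line(line)
        counts[classify(rec, local_ips) if rec else "unparsed"] += 1
    return counts

print(triage(SAMPLE_LOG, {"62.159.0.1", "74.187.30.18"}))
```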