Firewall sending syn request to random local IPs to port 80 and mostly port 22

yellow-strip · Jun 8, 2019, 7:12 AM

Just upgraded SW to 2.4.4-RELEASE-p3 several days ago. Looking into FW why I am having intermittent issues connecting to an IP with different protocols.

In researching this, I uncovered a very weird issue.

Looking at NTOPng alerts, pfsense is randomly sending syn requests to various local IPs for ports 80 and mostly to 22.

I can't figure out what process is causing this, nor how this even started. The system log is configured to capture all traffic for blocking AND passing. This "weird" traffic is not listed in the logs.

I have no idea why the firewall would even need to randomly attempt to generate this type of traffic.

I also included a picture with all the packages/services I have installed and running.

BTW, nothing like this is documented in ntop or netgate. I have check the forums and documentation.

isolatedvirus · Jun 8, 2019, 8:20 AM

check your firewall for any established connections. this doesnt appear to be normal behavior.

johnpoz · Jun 8, 2019, 8:48 AM

Why are you hiding rfc1918 space?

Did you setup load balancer? Its going to check if members of the pool are alive.. Do you have anything in your pools?

yellow-strip · Jun 9, 2019, 2:39 AM

The firewall does not establish a connection.

But, I did find out the cause of this.

There is an option in Ntop to discover new computers on the network. It does not mention it uses http and ssh for discovery.

"Active Network Discovery
Toggle the periodic discovery of network devices using multiple techniques that include ARP scan, MDNS and SSDP."

Thanks for the help.

bmeeks · Jun 9, 2019, 1:01 PM

@yellow-strip said in Firewall sending syn request to random local IPs to port 80 and mostly port 22:

The firewall does not establish a connection.

But, I did find out the cause of this.

There is an option in Ntop to discover new computers on the network. It does not mention it uses http and ssh for discovery.

"Active Network Discovery
Toggle the periodic discovery of network devices using multiple techniques that include ARP scan, MDNS and SSDP."

Thanks for the help.

So ntopng alerts on its own network host discovery traffic? That's kinda funny and ironic ... .

johnpoz · Jun 9, 2019, 1:08 PM

Yeah doesn't make a lot of sense for it to do that ;)

stephenw10 · Jun 9, 2019, 1:37 PM

Hmm, I guess good to know at least, but....