Netgate Discussion Forum
“Default deny” rules in the log

lucas1 @Konstanti

      @Konstanti
I turned off pfBlocker and stopped Snort; the result is the same.
By the way, this is what it looks like now on the server in Wireshark:

"7008","22.126605","X.Y.16.80","dd.ddd.167.25","TCP","54","[TCP Dup ACK 6989#9] 52287 > 80 [ACK] Seq=316 Ack=4894561 Win=365568 Len=0"
      "7009","22.126646","X.Y.16.80","dd.ddd.167.25","TCP","54","[TCP Dup ACK 6989#10] 52287 > 80 [ACK] Seq=316 Ack=4894561 Win=365568 Len=0"
      "7010","22.126795","dd.ddd.167.25","X.Y.16.80","TCP","1494","80 > 52287 [ACK] Seq=5245921 Ack=316 Win=30336 Len=1440 [TCP segment of a reassembled PDU]"
      "7011","22.126844","X.Y.16.80","dd.ddd.167.25","TCP","54","[TCP Dup ACK 6989#11] 52287 > 80 [ACK] Seq=316 Ack=4894561 Win=365568 Len=0"
      "7012","22.126879","dd.ddd.167.25","X.Y.16.80","TCP","1494","80 > 52287 [ACK] Seq=5247361 Ack=316 Win=30336 Len=1440 [TCP segment of a reassembled PDU]"
      "7013","22.126923","X.Y.16.80","dd.ddd.167.25","TCP","54","[TCP Dup ACK 6989#12] 52287 > 80 [ACK] Seq=316 Ack=4894561 Win=365568 Len=0"
      "7014","22.152374","dd.ddd.167.25","X.Y.16.80","TCP","1494","[TCP Out-Of-Order] 80 > 52287 [ACK] Seq=4894561 Ack=316 Win=30336 Len=1440 [TCP segment of a reassembled PDU]"
      "7015","22.152499","X.Y.16.80","dd.ddd.167.25","TCP","54","52287 > 80 [ACK] Seq=316 Ack=4911841 Win=358400 Len=0"
      "7016","22.152549","dd.ddd.167.25","X.Y.16.80","TCP","1494","80 > 52287 [ACK] Seq=5248801 Ack=316 Win=30336 Len=1440 [TCP segment of a reassembled PDU]"
      "7017","22.152561","dd.ddd.167.25","X.Y.16.80","TCP","1494","80 > 52287 [ACK] Seq=5250241 Ack=316 Win=30336 Len=1440 [TCP segment of a reassembled PDU]"
      "7018","22.152595","X.Y.16.80","dd.ddd.167.25","TCP","54","[TCP Dup ACK 7015#1] 52287 > 80 [ACK] Seq=316 Ack=4911841 Win=358400 Len=0"
      "7019","22.152631","X.Y.16.80","dd.ddd.167.25","TCP","54","[TCP Dup ACK 7015#2] 52287 > 80 [ACK] Seq=316 Ack=4911841 Win=358400 Len=0"
      "7020","22.152659","dd.ddd.167.25","X.Y.16.80","TCP","1494","80 > 52287 [ACK] Seq=5251681 Ack=316 Win=30336 Len=1440 [TCP segment of a reassembled PDU]"
      "7021","22.152688","X.Y.16.80","dd.ddd.167.25","TCP","54","[TCP Dup ACK 7015#3] 52287 > 80 [ACK] Seq=316 Ack=4911841 Win=358400 Len=0"
      "7022","22.152724","dd.ddd.167.25","X.Y.16.80","TCP","1494","80 > 52287 [ACK] Seq=5253121 Ack=316 Win=30336 Len=1440 [TCP segment of a reassembled PDU]"
      "7023","22.152755","X.Y.16.80","dd.ddd.167.25","TCP","54","[TCP Dup ACK 7015#4] 52287 > 80 [ACK] Seq=316 Ack=4911841 Win=358400 Len=0"
      "7024","22.152847","dd.ddd.167.25","X.Y.16.80","TCP","1494","80 > 52287 [ACK] Seq=5254561 Ack=316 Win=30336 Len=1440 [TCP segment of a reassembled PDU]"
      "7025","22.152877","X.Y.16.80","dd.ddd.167.25","TCP","54","[TCP Dup ACK 7015#5] 52287 > 80 [ACK] Seq=316 Ack=4911841 Win=358400 Len=0"
      "7026","22.152924","dd.ddd.167.25","X.Y.16.80","TCP","1494","80 > 52287 [ACK] Seq=5256001 Ack=316 Win=30336 Len=1440 [TCP segment of a reassembled PDU]"
      "7027","22.152964","X.Y.16.80","dd.ddd.167.25","TCP","54","[TCP Dup ACK 7015#6] 52287 > 80 [ACK] Seq=316 Ack=4911841 Win=358400 Len=0"
      "7028","22.153021","dd.ddd.167.25","X.Y.16.80","TCP","1494","80 > 52287 [ACK] Seq=5257441 Ack=316 Win=30336 Len=1440 [TCP segment of a reassembled PDU]"
      "7029","22.153043","X.Y.16.80","dd.ddd.167.25","TCP","54","[TCP Dup ACK 7015#7] 52287 > 80 [ACK] Seq=316 Ack=4911841 Win=358400 Len=0"
      "7030","22.179272","dd.ddd.167.25","X.Y.16.80","TCP","1494","[TCP Out-Of-Order] 80 > 52287 [ACK] Seq=4911841 Ack=316 Win=30336 Len=1440 [TCP segment of a reassembled PDU]"
      "7031","22.179384","dd.ddd.167.25","X.Y.16.80","TCP","1494","80 > 52287 [ACK] Seq=5258881 Ack=316 Win=30336 Len=1440 [TCP segment of a reassembled PDU]"
      "7032","22.179417","X.Y.16.80","dd.ddd.167.25","TCP","54","52287 > 80 [ACK] Seq=316 Ack=4927681 Win=348416 Len=0"
      "7033","22.179456","dd.ddd.167.25","X.Y.16.80","TCP","1494","80 > 52287 [ACK] Seq=5260321 Ack=316 Win=30336 Len=1440 [TCP segment of a reassembled PDU]"
      "7034","22.179489","X.Y.16.80","dd.ddd.167.25","TCP","54","[TCP Dup ACK 7032#1] 52287 > 80 [ACK] Seq=316 Ack=4927681 Win=348416 Len=0"
      "7035","22.179531","dd.ddd.167.25","X.Y.16.80","TCP","1494","80 > 52287 [ACK] Seq=5261761 Ack=316 Win=30336 Len=1440 [TCP segment of a reassembled PDU]"
      "7036","22.179553","X.Y.16.80","dd.ddd.167.25","TCP","54","[TCP Dup ACK 7032#2] 52287 > 80 [ACK] Seq=316 Ack=4927681 Win=348416 Len=0"
      "7037","22.179645","dd.ddd.167.25","X.Y.16.80","TCP","1494","80 > 52287 [ACK] Seq=5263201 Ack=316 Win=30336 Len=1440 [TCP segment of a reassembled PDU]"
      "7038","22.179694","X.Y.16.80","dd.ddd.167.25","TCP","54","[TCP Dup ACK 7032#3] 52287 > 80 [ACK] Seq=316 Ack=4927681 Win=348416 Len=0"
      "7039","22.179779","dd.ddd.167.25","X.Y.16.80","TCP","1494","80 > 52287 [ACK] Seq=5264641 Ack=316 Win=30336 Len=1440 [TCP segment of a reassembled PDU]"
      "7040","22.179810","X.Y.16.80","dd.ddd.167.25","TCP","54","[TCP Dup ACK 7032#4] 52287 > 80 [ACK] Seq=316 Ack=4927681 Win=348416 Len=0"
      "7041","22.179883","dd.ddd.167.25","X.Y.16.80","TCP","1494","80 > 52287 [ACK] Seq=5266081 Ack=316 Win=30336 Len=1440 [TCP segment of a reassembled PDU]"
      "7042","22.179920","X.Y.16.80","dd.ddd.167.25","TCP","54","[TCP Dup ACK 7032#5] 52287 > 80 [ACK] Seq=316 Ack=4927681 Win=348416 Len=0"
      "7043","22.180017","dd.ddd.167.25","X.Y.16.80","TCP","1494","80 > 52287 [ACK] Seq=5267521 Ack=316 Win=30336 Len=1440 [TCP segment of a reassembled PDU]"
      "7044","22.180041","X.Y.16.80","dd.ddd.167.25","TCP","54","[TCP Dup ACK 7032#6] 52287 > 80 [ACK] Seq=316 Ack=4927681 Win=348416 Len=0"
      "7045","22.439852","dd.ddd.167.25","X.Y.16.80","TCP","1494","[TCP Retransmission] 80 > 52287 [ACK] Seq=4927681 Ack=316 Win=30336 Len=1440"
      "7046","22.499467","X.Y.16.80","dd.ddd.167.25","TCP","54","52287 > 80 [ACK] Seq=316 Ack=4944961 Win=345600 Len=0"
      "7047","22.999778","dd.ddd.167.25","X.Y.16.80","TCP","1494","[TCP Retransmission] 80 > 52287 [ACK] Seq=4944961 Ack=316 Win=30336 Len=1440"
      "7048","23.062031","X.Y.16.80","dd.ddd.167.25","TCP","54","52287 > 80 [ACK] Seq=316 Ack=4960801 Win=345600 Len=0"
      "7049","24.019738","dd.ddd.167.25","X.Y.16.80","TCP","1494","[TCP Retransmission] 80 > 52287 [ACK] Seq=4960801 Ack=316 Win=30336 Len=1440"

On pfSense everything looks correct:

      23:56:42.003041 00:03:47:98:1b:80 > 76:49:50:73:85:f7, ethertype IPv4 (0x0800), length 1494: (tos 0x28, ttl 56, id 11840, offset 0, flags [DF], proto TCP (6), length 1480)
      DD.DDD.167.25.80 > X.Y.16.80.52287: Flags [.], cksum 0x9954 (correct), seq 1123201:1124641, ack 316, win 237, length 1440: HTTP
      23:56:42.003152 00:03:47:98:1b:80 > 76:49:50:73:85:f7, ethertype IPv4 (0x0800), length 1494: (tos 0x28, ttl 56, id 11841, offset 0, flags [DF], proto TCP (6), length 1480)
      DD.DDD.167.25.80 > X.Y.16.80.52287: Flags [.], cksum 0x0578 (correct), seq 1124641:1126081, ack 316, win 237, length 1440: HTTP
      23:56:42.003162 76:49:50:73:85:f7 > 00:03:47:98:1b:80, ethertype IPv4 (0x0800), length 60: (tos 0x0, ttl 128, id 1183, offset 0, flags [DF], proto TCP (6), length 40)
      X.Y.16.80.52287 > DD.DDD.167.25.80: Flags [.], cksum 0x9d2d (correct), seq 316, ack 1120321, win 1507, length 0
      23:56:42.003272 00:03:47:98:1b:80 > 76:49:50:73:85:f7, ethertype IPv4 (0x0800), length 1494: (tos 0x28, ttl 56, id 11842, offset 0, flags [DF], proto TCP (6), length 1480)
      DD.DDD.167.25.80 > X.Y.16.80.52287: Flags [.], cksum 0x3a35 (correct), seq 1126081:1127521, ack 316, win 237, length 1440: HTTP
      23:56:42.003390 00:03:47:98:1b:80 > 76:49:50:73:85:f7, ethertype IPv4 (0x0800), length 1494: (tos 0x28, ttl 56, id 11843, offset 0, flags [DF], proto TCP (6), length 1480)
      DD.DDD.167.25.80 > X.Y.16.80.52287: Flags [.], cksum 0x5491 (correct), seq 1127521:1128961, ack 316, win 237, length 1440: HTTP
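An added example, not code from the post or from pfSense: a small Python script that reads the Wireshark CSV export format quoted above, counts the Dup ACK / Out-Of-Order / Retransmission expert flags per sender, and measures how far the server's transmitted data has run ahead of what the client has acknowledged (the gap that the repeated Dup ACKs are complaining about). The embedded rows are copied from the capture in the post.

```python
import csv
import io
import re
from collections import Counter

# Rows copied from the Wireshark CSV export quoted in the post
# (columns: No., Time, Source, Destination, Protocol, Length, Info).
SAMPLE_CSV = '''"7011","22.126844","X.Y.16.80","dd.ddd.167.25","TCP","54","[TCP Dup ACK 6989#11] 52287 > 80 [ACK] Seq=316 Ack=4894561 Win=365568 Len=0"
"7012","22.126879","dd.ddd.167.25","X.Y.16.80","TCP","1494","80 > 52287 [ACK] Seq=5247361 Ack=316 Win=30336 Len=1440 [TCP segment of a reassembled PDU]"
"7013","22.126923","X.Y.16.80","dd.ddd.167.25","TCP","54","[TCP Dup ACK 6989#12] 52287 > 80 [ACK] Seq=316 Ack=4894561 Win=365568 Len=0"
"7014","22.152374","dd.ddd.167.25","X.Y.16.80","TCP","1494","[TCP Out-Of-Order] 80 > 52287 [ACK] Seq=4894561 Ack=316 Win=30336 Len=1440 [TCP segment of a reassembled PDU]"
"7015","22.152499","X.Y.16.80","dd.ddd.167.25","TCP","54","52287 > 80 [ACK] Seq=316 Ack=4911841 Win=358400 Len=0"
"7045","22.439852","dd.ddd.167.25","X.Y.16.80","TCP","1494","[TCP Retransmission] 80 > 52287 [ACK] Seq=4927681 Ack=316 Win=30336 Len=1440"
'''

FIELD_RE = re.compile(r"Seq=(\d+) Ack=(\d+) Win=(\d+) Len=(\d+)")
FLAG_RE = re.compile(r"\[TCP (Dup ACK|Out-Of-Order|Retransmission)")

def parse_rows(text):
    """Turn Wireshark CSV rows into dicts with the TCP fields pulled out of Info."""
    rows = []
    for no, _t, src, dst, _proto, _length, info in csv.reader(io.StringIO(text)):
        m = FIELD_RE.search(info)
        flag = FLAG_RE.search(info)
        rows.append({"no": int(no), "src": src, "dst": dst,
                     "seq": int(m.group(1)), "ack": int(m.group(2)),
                     "len": int(m.group(4)), "flag": flag.group(1) if flag else None})
    return rows

def analyse(rows):
    """Return (expert flags per sender, unacknowledged bytes per data sender)."""
    flags = Counter((r["src"], r["flag"]) for r in rows if r["flag"])
    sent_end = {}  # highest seq+len seen from each data sender
    acked = {}     # highest cumulative ACK the peer has sent back to that sender
    for r in rows:
        if r["len"]:
            sent_end[r["src"]] = max(sent_end.get(r["src"], 0), r["seq"] + r["len"])
        acked[r["dst"]] = max(acked.get(r["dst"], 0), r["ack"])
    # Bytes the sender has pushed beyond what the receiver has acknowledged;
    # a large, growing value alongside Dup ACKs points at segments lost in between.
    gaps = {src: end - acked.get(src, end) for src, end in sent_end.items()}
    return flags, gaps

if __name__ == "__main__":
    flags, gaps = analyse(parse_rows(SAMPLE_CSV))
    for (src, flag), n in sorted(flags.items()):
        print(f"{src}: {flag} x{n}")
    for src, gap in gaps.items():
        print(f"{src}: {gap} bytes sent but not yet acknowledged")
```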

lucas1 @lucas1

        @lucas1
After changing the network interface mode in the guest OS properties on the virtualization server from VirtIO to Intel E1000, everything started working normally.

The Default Deny entries in the pfSense log have nothing to do with this.

Checking "Disable hardware checksum offloading" affected the logging of pfBlocker DNSBL Alerts. Entries now appear there, although IF and Source show as Unknown.
But that's good too.

        Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.