Firewall packets passing rules



  • Hey guys,

    I have several items appearing in my firewall logs, which show as below:

    Mar 25 12:57:22 NG0 203.37.xxx.zzz:22924 38.117.yyy.196:50174 TCP:S
    Mar 25 12:57:22 LAN 203.37.xxx.zzz:22924 38.117.yyy.196:50174 TCP:S
    Mar 25 12:57:18 NG0 203.37.xxx.zzz:22917 38.117.yyy.199:63554 TCP:S
    Mar 25 12:57:18 LAN 203.37.xxx.zzz:22917 38.117.yyy.199:63554 TCP:S
    Mar 25 12:57:03 NG0 203.37.xxx.zzz:22878 38.117.yyy.202:64555 TCP:S
    Mar 25 12:57:03 LAN 203.37.xxx.zzz:22878 38.117.yyy.202:64555 TCP:S

    The issue is that these are showing up as passed items but I have NONE of those ports open at all, let alone any outgoing rules doing any logging.  The above is showing that one of my servers is the source.
    I do have an IPSEC tunnel to an external site running, however, the IP range is totally different!

    If I double-click on the green icon next to the log the popup says:

    "The rule that triggered this action is:"

    ... but nothing further.

    Hope this makes sense.

    Any help would be greatly appreciated.

    Frank


  • Rebel Alliance Developer Netgate

    It's also weird that the log shows the same traffic going in the same direction on LAN and WAN

    Do you have both WAN and LAN plugged into the same switch somehow?



  • Hey jimp,

    Thanks for the reply.  No, I definitely don't have the WAN and LAN on the same switch.
    The setup is

    Internet --- Modem --- PFSense (nat disabled) --- TMG (ISA replacement, with multiple public IPs) --- Switches --- Etc
    The PFSense box effectively just blocks unwanted traffic before it hits the TMG router for the organisation.
    The weird thing is that PFSense blocks everything else as it should.  Packets without specific rules are being blocked by the default rule etc etc.  The packets given above are the only ones I've seen do this.  Very weird!

    Any ideas?

    Edit: I also created a specific block rule after my allow rules to block any unwanted traffic from the sources below.  Still the same result. Grrrrr!!


  • Rebel Alliance Developer Netgate

    It's also weird that it is logging passed traffic. It usually only does that if you (a) have a rule set to do so, or (b) the FTP proxy or UPnP are involved.



  • Hi jimp,

    You say if the FTP proxy is involved? Can you explain further?

    Also, should this show as port 21?

    I'm wondering if it's an auto update service (antivirus) trying to do an update via FTP or something…

    Frank


  • Rebel Alliance Developer Netgate

    The FTP proxy has to put in a rule to allow traffic for the actual data connection. The control connection happens on port 21, but the data connection will happen between a high remote port on the server with a high source port from the client as well.

    I don't recall which of these gets logged, but I thought it logged one part of it as it happened.
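The explanation above suggests a simple triage step for anyone seeing the same pattern: parse the pass log, collapse flows that appear on two interfaces, and check whether each high-port-to-high-port TCP SYN was preceded by an FTP control connection (port 21) from the same source to the same host. The script below is an added example, not code from the thread or from pfSense; it assumes the log line shape Frank posted and adds one constructed port-21 line to the sample.

```python
import re

# Constructed sample in the shape of the thread's log excerpt
# (timestamp, interface, src:port, dst:port, proto:flags). The xxx/yyy/zzz
# octets are placeholders, as in the original post, not real addresses.
# The last line (dst port 21) is constructed to stand in for the FTP
# control connection that the proxy would have seen.
SAMPLE_LOG = """\
Mar 25 12:57:22 NG0 203.37.xxx.zzz:22924 38.117.yyy.196:50174 TCP:S
Mar 25 12:57:22 LAN 203.37.xxx.zzz:22924 38.117.yyy.196:50174 TCP:S
Mar 25 12:57:18 NG0 203.37.xxx.zzz:22917 38.117.yyy.199:63554 TCP:S
Mar 25 12:57:18 LAN 203.37.xxx.zzz:22917 38.117.yyy.199:63554 TCP:S
Mar 25 12:57:15 LAN 203.37.xxx.zzz:22910 38.117.yyy.199:21 TCP:S
"""

LINE_RE = re.compile(
    r"^(?P<mon>\w{3}) (?P<day>\d+) (?P<hms>\d\d:\d\d:\d\d) (?P<iface>\S+) "
    r"(?P<src>\S+):(?P<sport>\d+) (?P<dst>\S+):(?P<dport>\d+) "
    r"(?P<proto>\w+):(?P<flags>\S+)$"
)

def parse(log):
    """Return one dict per parsable line; unparsable lines are skipped."""
    out = []
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if m:
            d = m.groupdict()
            h, mi, s = (int(x) for x in d["hms"].split(":"))
            d["secs"] = h * 3600 + mi * 60 + s  # seconds since midnight
            d["sport"], d["dport"] = int(d["sport"]), int(d["dport"])
            out.append(d)
    return out

def triage(log, window=60):
    """Classify passed TCP SYNs whose ports are both ephemeral (>= 1024).
    'ftp-data-candidate': a control connection to port 21 from the same
    source to the same host was logged within `window` seconds before it,
    so a proxy-inserted data-connection rule is the likely explanation.
    'unexplained': no such control connection, worth a look at the ruleset."""
    entries = parse(log)
    ctrl = [e for e in entries if e["proto"] == "TCP" and e["dport"] == 21]
    seen, results = set(), {}
    for e in entries:
        if e["proto"] != "TCP" or "S" not in e["flags"]:
            continue
        if e["sport"] < 1024 or e["dport"] < 1024:
            continue
        flow = (e["src"], e["sport"], e["dst"], e["dport"])
        if flow in seen:  # same flow logged again on a second interface
            continue
        seen.add(flow)
        related = any(c["src"] == e["src"] and c["dst"] == e["dst"]
                      and 0 <= e["secs"] - c["secs"] <= window for c in ctrl)
        results[flow] = "ftp-data-candidate" if related else "unexplained"
    return results
```

Run it over a real pass log export and anything left as 'unexplained' is what to compare against the rule set, while the candidates point at the FTP helper.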



  • Aha… I think that may be the cause...
    Might be onto something jimp!

    I will change the 'suspected' auto update source to update via another means and see how this goes.

    Thanks for the great advice!

