Netgate Discussion Forum
    Firewall packets passing rules
      frankyyy

      Hey guys,

      I have several items appearing in my firewall logs, which show as below:

      Mar 25 12:57:22 NG0 203.37.xxx.zzz:22924 38.117.yyy.196:50174 TCP:S
      Mar 25 12:57:22 LAN 203.37.xxx.zzz:22924 38.117.yyy.196:50174 TCP:S
      Mar 25 12:57:18 NG0 203.37.xxx.zzz:22917 38.117.yyy.199:63554 TCP:S
      Mar 25 12:57:18 LAN 203.37.xxx.zzz:22917 38.117.yyy.199:63554 TCP:S
      Mar 25 12:57:03 NG0 203.37.xxx.zzz:22878 38.117.yyy.202:64555 TCP:S
      Mar 25 12:57:03 LAN 203.37.xxx.zzz:22878 38.117.yyy.202:64555 TCP:S

      The issue is that these are showing up as passed items but I have NONE of those ports open at all..., let alone any outgoing rules doing any logging.  The above is showing that one of my servers is the source.
      I do have an IPsec tunnel to an external site running, however, the IP range is totally different!

      If I double-click on the green icon next to the log, the popup says:

      "The rule that triggered this action is:"

      ... but nothing further.

      Hope this makes sense.

      Any help would be greatly appreciated.

      Frank

        jimp (Rebel Alliance Developer, Netgate)

        It's also weird that the log shows the same traffic going in the same direction on LAN and WAN

        Do you have both WAN and LAN plugged into the same switch somehow?

        Remember: Upvote with the 👍 button for any user/post you find to be helpful, informative, or deserving of recognition!

        Need help fast? Netgate Global Support!

        Do not Chat/PM for help!

          frankyyy

          Hey jimp,

          Thanks for the reply.  No, I definitely don't have the WAN and LAN on the same switch.
          The setup is

          Internet --- Modem --- pfSense (NAT disabled) --- TMG (ISA replacement, with multiple public IPs) --- Switches --- Etc
          The pfSense box effectively just blocks unwanted traffic before it hits the TMG router for the organisation.
          The weird thing is that pfSense blocks everything else as it should.  Packets without specific rules are being blocked by the default rule etc etc.  The packets given above are the only ones I've seen do this.  Very weird!

          Any ideas?

          Edit: I also created a specific block rule after my allow rules to block any unwanted traffic from the sources below.  Still the same result. Grrrrr!!

            jimp (Rebel Alliance Developer, Netgate)

            It's also weird that it is logging passed traffic. It usually only does that if you (a) have a rule set to do so, or (b) the FTP proxy or UPnP are involved.

              frankyyy

              Hi jimp,

              You say if the FTP proxy is involved? Can you explain further?

              Also, should this show as port 21?

              I'm wondering if it's an auto update service (antivirus) trying to do an update via FTP or something…

              Frank

                jimp (Rebel Alliance Developer, Netgate)

                The FTP proxy has to put in a rule to allow traffic for the actual data connection. The control connection happens on port 21, but the data connection will happen between a high remote port on the server with a high source port from the client as well.

                I don't recall which of these gets logged, but I thought it logged one part of it as it happened.

                  frankyyy
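To triage entries like the ones quoted in the first post against jimp's FTP proxy explanation, here is an added Python example (not from the thread, nor pfSense code): it parses the summary log format, lists flows that were logged on more than one interface, and flags TCP SYNs where both ports are ephemeral, which is what a proxy-opened data connection looks like rather than a service you published. The log sample is constructed, with the masked octets replaced by documentation addresses.

```python
import re
from collections import defaultdict

# Constructed sample in the same layout as the lines quoted in the first post
# (masked octets replaced with documentation addresses; not real traffic).
SAMPLE_LOG = """\
Mar 25 12:57:22 NG0 203.0.113.10:22924 198.51.100.196:50174 TCP:S
Mar 25 12:57:22 LAN 203.0.113.10:22924 198.51.100.196:50174 TCP:S
Mar 25 12:57:18 NG0 203.0.113.10:22917 198.51.100.199:63554 TCP:S
Mar 25 12:57:18 LAN 203.0.113.10:22917 198.51.100.199:63554 TCP:S
Mar 25 12:56:50 NG0 203.0.113.10:41322 198.51.100.199:21 TCP:S
Mar 25 12:56:40 LAN 203.0.113.11:51000 198.51.100.5:443 TCP:S
"""

# <timestamp> <interface> <src>:<sport> <dst>:<dport> <proto>[:<flags>]
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<iface>\S+) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) (?P<dst>[\d.]+):(?P<dport>\d+) "
    r"(?P<proto>\w+)(?::(?P<flags>\S+))?$"
)

def parse_entries(text):
    """Turn each summary line into a dict; lines that do not match are skipped."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            e = m.groupdict()
            e["sport"], e["dport"] = int(e["sport"]), int(e["dport"])
            entries.append(e)
    return entries

def multi_interface_flows(entries):
    """Flows (src:sport -> dst:dport) that were logged on more than one interface."""
    seen = defaultdict(set)
    for e in entries:
        seen[(e["src"], e["sport"], e["dst"], e["dport"])].add(e["iface"])
    return {flow: ifaces for flow, ifaces in seen.items() if len(ifaces) > 1}

def ephemeral_pairs(entries, threshold=1024):
    """TCP SYNs with an ephemeral port on both ends: the shape of an FTP data
    connection for which the proxy inserted a rule, not a published service."""
    return [e for e in entries
            if e["proto"] == "TCP" and e.get("flags") == "S"
            and e["sport"] >= threshold and e["dport"] >= threshold]

def ftp_control_hosts(entries):
    """Sources that also opened an FTP control connection (port 21)."""
    return {e["src"] for e in entries if e["proto"] == "TCP" and e["dport"] == 21}
```

If a flagged source also appears in `ftp_control_hosts`, the FTP helper is the first thing to check before suspecting a missing rule.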

                  Aha... I think that may be the cause...
                  Might be onto something jimp!

                  I will change the 'suspected' auto update source to update via another means and see how this goes.

                  Thanks for the great advice!

                  Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.