Firewall packets passing rules
I have several items appearing in my firewall logs, which show as below:
Mar 25 12:57:22 NG0 203.37.xxx.zzz:22924 38.117.yyy.196:50174 TCP:S
Mar 25 12:57:22 LAN 203.37.xxx.zzz:22924 38.117.yyy.196:50174 TCP:S
Mar 25 12:57:18 NG0 203.37.xxx.zzz:22917 38.117.yyy.199:63554 TCP:S
Mar 25 12:57:18 LAN 203.37.xxx.zzz:22917 38.117.yyy.199:63554 TCP:S
Mar 25 12:57:03 NG0 203.37.xxx.zzz:22878 38.117.yyy.202:64555 TCP:S
Mar 25 12:57:03 LAN 203.37.xxx.zzz:22878 38.117.yyy.202:64555 TCP:S
The issue is that these are showing up as passed items but I have NONE of those ports open at all, let alone any outgoing rules doing any logging. The above is showing that one of my servers is the source.
I do have an IPSEC tunnel to an external site running, however, the IP range is totally different!
If I double-click on the green icon next to the log entry the popup says:
"The rule that triggered this action is:"
... but nothing further.
Hope this makes sense.
Any help would be greatly appreciated.
It's also weird that the log shows the same traffic going in the same direction on LAN and WAN.
Do you have both WAN and LAN plugged into the same switch somehow?
Thanks for the reply. No, I definitely don't have the WAN and LAN on the same switch.
The setup is
Internet --- Modem --- pfSense (NAT disabled) --- TMG (ISA replacement, with multiple public IPs) --- Switches --- Etc
The pfSense box effectively just blocks unwanted traffic before it hits the TMG router for the organisation.
The weird thing is that pfSense blocks everything else as it should. Packets without specific rules are being blocked by the default rule etc. The packets given above are the only ones I've seen do this. Very weird!
Edit: I also created a specific block rule after my allow rules to block any unwanted traffic from the sources below. Still the same result. Grrrrr!!
It's also weird that it is logging passed traffic. It usually only does that if you (a) have a rule set to do so, or (b) the FTP proxy or UPnP are involved.
You say if the FTP proxy is involved? Can you explain further?
Also, should this show as port 21?
I'm wondering if it's an auto update service (antivirus) trying to do an update via FTP or something…
The FTP proxy has to put in a rule to allow traffic for the actual data connection. The control connection happens on port 21, but the data connection will happen between a high remote port on the server with a high source port from the client as well.
I don't recall which of these gets logged, but I thought it logged one part of it as it happened.
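As an added illustration (not code from this thread or from pfSense), a small Python pass over log lines in the format posted above: it collapses the duplicate NG0/LAN entries, keeps only passed SYNs whose destination port no explicit allow rule covers and whose ports are ephemeral on both ends, and records whether a port-21 connection between the same two hosts also appears in the log, the pattern jimp describes for the FTP proxy's data connection. The allow-rule port set and the two extra log lines (the port-21 control connection and the HTTPS pass) are assumptions constructed for the example.

```python
import re

# One log line, in the format shown in the thread:
# "<Mon> <day> <hh:mm:ss> <iface> <src>:<sport> <dst>:<dport> <proto>:<flags>"
LOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) (?P<iface>\S+) "
    r"(?P<src>[\w.]+):(?P<sport>\d+) (?P<dst>[\w.]+):(?P<dport>\d+) "
    r"(?P<proto>[A-Z]+):(?P<flags>\w+)$"
)

# Constructed sample: the lines from the thread (addresses obfuscated as posted),
# plus a made-up port-21 control connection and an ordinary HTTPS pass.
SAMPLE_LOG = """\
Mar 25 12:57:22 NG0 203.37.xxx.zzz:22924 38.117.yyy.196:50174 TCP:S
Mar 25 12:57:22 LAN 203.37.xxx.zzz:22924 38.117.yyy.196:50174 TCP:S
Mar 25 12:57:18 NG0 203.37.xxx.zzz:22917 38.117.yyy.199:63554 TCP:S
Mar 25 12:57:18 LAN 203.37.xxx.zzz:22917 38.117.yyy.199:63554 TCP:S
Mar 25 12:57:10 NG0 203.37.xxx.zzz:22890 38.117.yyy.196:21 TCP:S
Mar 25 12:57:05 NG0 203.37.xxx.zzz:22850 38.117.yyy.10:443 TCP:S
"""

EXPLICITLY_ALLOWED_DPORTS = {21, 443}  # hypothetical: ports the admin's own allow rules cover
EPHEMERAL_MIN = 1024                    # both ends above this suggests a negotiated data channel


def parse(line):
    """Return a dict for one log line, or None if the line is not in the expected format."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["sport"], rec["dport"] = int(rec["sport"]), int(rec["dport"])
    return rec


def suspicious_passes(log_text, allowed=EXPLICITLY_ALLOWED_DPORTS):
    """Passed SYNs no explicit rule explains: ephemeral ports both ends, dport not allowed.
    Flows logged on two interfaces collapse to one entry; ftp_control_seen is True when the
    same src->dst pair also has a port-21 SYN, the pattern a proxy-inserted data rule leaves.
    """
    recs = [r for r in map(parse, log_text.splitlines()) if r]
    control = {(r["src"], r["dst"]) for r in recs if r["dport"] == 21}
    flagged, seen = [], set()
    for r in recs:
        key = (r["src"], r["sport"], r["dst"], r["dport"])
        if key in seen or r["flags"] != "S" or r["dport"] in allowed:
            continue
        if r["sport"] >= EPHEMERAL_MIN and r["dport"] >= EPHEMERAL_MIN:
            seen.add(key)
            flagged.append({"src": r["src"], "sport": r["sport"], "dst": r["dst"],
                            "dport": r["dport"], "ftp_control_seen": (r["src"], r["dst"]) in control})
    return flagged
```

On the sample this flags the two high-port flows from the thread once each, and only the one to .196 has a matching port-21 control connection, which is the case worth checking against the FTP proxy before assuming a rule is missing.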
Aha... I think that may be the cause...
Might be onto something jimp!
I will change the 'suspected' auto update source to update via another means and see how this goes.
Thanks for the great advice!