Strange logs…



  • There's a thing I can't understand. I have rules to only allow traffic on ports 80,443 from lan to wan. Still, I have a lot of entries on the firewall log like those on the attached image. And I can't block them. Why are they passing thru the firewall?

    Specs:
    Version   1.2.3-RELEASE
    built on Sun Dec 6 23:38:21 EST 2009
    FreeBSD 7.2-RELEASE-p5 i386
    Platform pfSense
    CPU Type Intel(R) Pentium(R) 4 CPU 2.00GHz

    packages:

    Dashboard  
    OpenVPN Status 1.5
    States Summary 0.5
    imspector 0.8-9
    phpSysInfo 2.5.4
    rate 0.9
    snort 2.8.5.3 pkg v. 1.24
    vnstat 1.6.3




  • Have you checked what those remote addresses are? They are most likely ftp servers and the entries in the log are from the ftp helper that automatically opens ports for active mode ftp.



  • 75.126.208.35-static.reverse.softlayer.com -> reversed dns.

    But the lan machine is not doing ftp. Probable infection?



  • 127.0.0.1:8021 <- 75.126.208.35:21 <- 192.168.25.44:1159

    this was in the states table. So, you're probably right. But, again, the computer is not doing ftp. hummm…..



  • Virus scanner doing database update checks with ftp?



  • It could be. I'll check it out. I've disabled ftp-user proxy and the lgos are gone. Don't have need for ftp from lan.


Log in to reply