Netgate Discussion Forum

    Strange logs

    Firewalling
    5 Posts 3 Posters 2.0k Views
    • XIII

      I have been getting some strange logs today:

      pf: 001450 rule 143/0(match): block in on ath0: (tos 0xb8, ttl 32, id 20834, offset 0, flags [DF], proto UDP (17), length 73) 7.1.167.194.7356 > 10.160.18.160.7356: UDP, length 45

      One is a DoD IP, the other is a private IP that is not on my network, but it looks like it came from my wifi?

      And then this on my WAN: looks like a DNS lookup was denied?
      pf: 000035 rule 0/0(match): block out on re0: (tos 0x0, ttl 64, id 40185, offset 0, flags [none], proto UDP (17), length 53) WANIP.37405 > 208.67.220.220.53: 30277+ A? ask.com. (25)

      There are several of the above logs; any idea what could be causing this?

      -Chris Stutzman
      Sys0:2.0.1: AMD Sempron 140 @2.7 1024M RAM 100GHD
      Sys1:2.0.1: Intel P4 @2.66 1024M RAM 40GHD
      freedns.afraid.org - Free DNS dynamic DNS subdomain and domain hosting.
      Check out the pfSense Wiki

      • jimp (Rebel Alliance Developer, Netgate)
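As an added example (not code from this thread or from pfSense), a small Python parser for the pf log line shape quoted in the post above. It pulls out the rule, direction, interface and endpoints, then flags what makes the first line odd: a public source address on an internal interface and a private destination that belongs to no local subnet. The LAN subnet 192.168.1.0/24 and the treatment of re0 as the WAN interface are assumptions.

```python
import re
import ipaddress
# Matches the pf log line shape quoted in the post (constructed regex, not pfSense code).
PF_LINE = re.compile(
    r"pf: (?P<seq>\d+) rule (?P<rule>\d+)/(?P<sub>\d+)\((?P<reason>\w+)\): "
    r"(?P<action>\w+) (?P<dir>in|out) on (?P<iface>\w+): \(.*?proto "
    r"(?P<proto>\w+) \((?P<protonum>\d+)\), length (?P<length>\d+)\) "
    r"(?P<src>\S+)\.(?P<sport>\d+) > (?P<dst>\S+)\.(?P<dport>\d+):"
)
# Assumed LAN/wifi subnet and WAN interface name (placeholders; only re0 is from the post).
LOCAL_NETS = [ipaddress.ip_network("192.168.1.0/24")]
WAN_IFACE = "re0"
# The two log lines from the post (the poster redacted their WAN address as WANIP).
SAMPLE_LINES = [
    "pf: 001450 rule 143/0(match): block in on ath0: (tos 0xb8, ttl 32, id 20834, offset 0, flags [DF], proto UDP (17), length 73) 7.1.167.194.7356 > 10.160.18.160.7356: UDP, length 45",
    "pf: 000035 rule 0/0(match): block out on re0: (tos 0x0, ttl 64, id 40185, offset 0, flags [none], proto UDP (17), length 53) WANIP.37405 > 208.67.220.220.53: 30277+ A? ask.com. (25)",
]

def parse_pf_line(line):
    """Return the parsed fields as a dict, or None if the line does not match."""
    m = PF_LINE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    for k in ("seq", "rule", "sub", "protonum", "length", "sport", "dport"):
        rec[k] = int(rec[k])
    return rec

def to_ip(text):
    """Parse an address; redacted tokens such as 'WANIP' yield None."""
    try:
        return ipaddress.ip_address(text)
    except ValueError:
        return None

def classify(rec):
    """List reasons a blocked packet looks out of place for a home LAN."""
    src, dst = to_ip(rec["src"]), to_ip(rec["dst"])
    findings = []
    if rec["iface"] != WAN_IFACE and rec["dir"] == "in":
        if src is not None and not src.is_private:
            findings.append("public source address seen on an internal interface")
        if dst is not None and dst.is_private and not any(dst in n for n in LOCAL_NETS):
            findings.append("private destination outside every local subnet")
    if rec["iface"] == WAN_IFACE and rec["dir"] == "out" and rec["dport"] == 53:
        findings.append("outbound DNS query to an external resolver was blocked")
    return findings

def analyze(lines=SAMPLE_LINES):
    # Parse and classify each matching line; returns (record, findings) pairs.
    return [(r, classify(r)) for r in map(parse_pf_line, lines) if r]
```

Running `analyze()` over the two quoted lines reports both findings for the ath0 entry and only the blocked-DNS finding for the re0 entry; feed it the firewall log file to see how often each pattern recurs.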

        Those do look a bit odd. If the directions were reversed I might think they were out of state traffic.

        Sure nobody has associated to your AP with a hardcoded IP address?

        Is your state table maxing out?

        You might need to try running a packet capture around the time you're seeing those, if they are predictable, and looking it over in wireshark.

        Remember: Upvote with the 👍 button for any user/post you find to be helpful, informative, or deserving of recognition!

        Need help fast? Netgate Global Support!

        Do not Chat/PM for help!

        • XIII

          Not sure about the AP association; I do use the max for the key, though it is possible. I will be sure to do a packet capture next time I see it.
          State table was fine.

          • XIII

            Well, I saw it again the other day and did a packet capture but can't find either IP. This was as there were logs of it. This time it came in off the LAN instead of wireless.

            • Guest (user from outside this forum)

              Definitely something you want to drill down and figure out. It could be something running on a laptop (assumption based on the fact that traffic was seen in your wifi network and then your LAN) that's causing the traffic. It may be benign or it may be malicious. Better to chase it down with Wireshark as jimp (forum question answerer supreme) recommended. Please post back with whatever you find.

              Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.