Help needed understanding FW-Logs



  • Hi community,

    in my firewall logs (home network) there are two kinds of block entries that keep repeating, and I am just wondering what they might mean.

    1)

    ```
    block Dec 17 19:52:53 INTRANET 192.168.168.8:51203 82.183.12.48:80 TCP:RA
    block Dec 17 19:52:49 INTRANET 192.168.168.8:51203 82.183.12.48:80 TCP:FA
    ```

    This is my iPhone on the inside, and the server of my email and website on the outside. I am wondering what is happening there, because this gets logged in small bursts of 5-10 every now and then. I first thought the Mail app might be causing this, because it regularly checks for emails, even when not using the iPhone. But then I realized that the port is 80 and not IMAPS (don't know the port). Does anyone have a good idea what might be happening here?
    
    2)

    ```
    block Dec 17 17:35:55 INTRANET 192.168.168.10:54402 31.13.81.23:443 TCP:RA
    block Dec 17 17:35:50 INTRANET 192.168.168.10:54402 31.13.81.23:443 TCP:FPA
    block Dec 17 17:35:49 INTRANET 192.168.168.10:54398 31.13.81.23:443 TCP:RA
    block Dec 17 17:35:45 INTRANET 192.168.168.10:54402 31.13.81.23:443 TCP:FPA
    block Dec 17 17:35:44 INTRANET 192.168.168.10:54398 31.13.81.23:443 TCP:FPA
    block Dec 17 17:35:39 INTRANET 192.168.168.10:54398 31.13.81.23:443 TCP:FPA
    block Dec 17 17:35:39 INTRANET 192.168.168.10:54402 31.13.81.23:443 TCP:FPA
    block Dec 17 17:35:39 INTRANET 192.168.168.10:54182 31.13.64.7:443 TCP:RA
    ```

    This is my wife's MacBook on the inside and star-01-02-fra2.facebook.com on the outside. I guess it's some Facebook advertising subdomain. This is logged in slightly bigger bursts of 10-25 once in a while. I could not find any special activities of my wife on Facebook being related to the log entries.
    
    To both, 1) and 2) … do you have any suggestions what is happening here to cause the blocks? I am not that deep into TCP/IP to really understand what it means when FINACK, RSTACK and so on are blocked. For example, I thought a FINACK would be a normal thing in TCP/IP ... why is that blocked? I thought maybe it is sent from the webserver while the firewall does not think a FINACK is correct now, according to its state table? Maybe because it was not initiated from the client, but sent from the server? But then I saw it is blocked on its way to the server, not coming from the server, which really confused me.

    Another thing I am wondering is: why are 1) and 2) blocked so frequently, and nearly nothing else? Are my (web/email) server and Facebook doing something really strange? I mean, mail and Facebook are not the only things we're doing on the web :-)

    BTW: up to now I haven't configured any special firewall rules on these interfaces.
    
    Thank you very much!!
    
    Kind regards,
    Sascha
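Added example, not part of Sascha's post or of any reply in the thread: a small parser for log lines in the format quoted above. It expands the one-letter TCP flag codes that pf/pfSense prints after `TCP:` (F=FIN, S=SYN, R=RST, P=PSH, A=ACK, U=URG, E=ECE, C=CWR), groups the entries by flow (source, source port, destination, destination port) and reports which flags were blocked per flow. The sample input is the thread's own entries, re-typed with single spaces; the verdict strings encode the usual stateful-firewall reading of such bursts (segments carrying FIN or RST but never SYN are connection teardown, and when the firewall no longer has a state for the flow they fall through to the default deny), which is the example's interpretation, not something the thread states. The regex is written for IPv4 addresses only.

```python
import re
from collections import defaultdict

# Constructed sample input: the entries quoted in the post, with the tabs of
# the first two lines normalised to single spaces.
SAMPLE_LOG = """\
block Dec 17 19:52:53 INTRANET 192.168.168.8:51203 82.183.12.48:80 TCP:RA
block Dec 17 19:52:49 INTRANET 192.168.168.8:51203 82.183.12.48:80 TCP:FA
block Dec 17 17:35:55 INTRANET 192.168.168.10:54402 31.13.81.23:443 TCP:RA
block Dec 17 17:35:50 INTRANET 192.168.168.10:54402 31.13.81.23:443 TCP:FPA
block Dec 17 17:35:49 INTRANET 192.168.168.10:54398 31.13.81.23:443 TCP:RA
block Dec 17 17:35:45 INTRANET 192.168.168.10:54402 31.13.81.23:443 TCP:FPA
block Dec 17 17:35:44 INTRANET 192.168.168.10:54398 31.13.81.23:443 TCP:FPA
block Dec 17 17:35:39 INTRANET 192.168.168.10:54398 31.13.81.23:443 TCP:FPA
block Dec 17 17:35:39 INTRANET 192.168.168.10:54402 31.13.81.23:443 TCP:FPA
block Dec 17 17:35:39 INTRANET 192.168.168.10:54182 31.13.64.7:443 TCP:RA
"""

# One-letter TCP flag codes as pf/pfSense prints them after "TCP:".
TCP_FLAG_NAMES = {
    "F": "FIN", "S": "SYN", "R": "RST", "P": "PSH",
    "A": "ACK", "U": "URG", "E": "ECE", "C": "CWR",
}

# action  Mon dd hh:mm:ss  iface  src:sport  dst:dport  proto[:flags]
# IPv4 only: the address fields stop at the first colon.
LINE_RE = re.compile(
    r"^(?P<action>\w+)\s+(?P<mon>[A-Za-z]{3})\s+(?P<day>\d{1,2})\s+"
    r"(?P<time>\d\d:\d\d:\d\d)\s+(?P<iface>\S+)\s+"
    r"(?P<src>[^\s:]+):(?P<sport>\d+)\s+(?P<dst>[^\s:]+):(?P<dport>\d+)\s+"
    r"(?P<proto>[A-Za-z]+)(?::(?P<flags>[A-Z]+))?\s*$"
)

# Verdict strings: the example's interpretation of what each flag pattern means
# for a stateful firewall with only the default deny rule in place (assumption).
VERDICT_SYN = "new connection attempt (SYN) blocked by policy"
VERDICT_TEARDOWN = "teardown segments (FIN/RST) for which the firewall no longer holds a state"
VERDICT_OTHER = "mid-connection segments that matched no state"


def decode_flags(flags):
    """Expand a flag string such as 'FPA' into ['FIN', 'PSH', 'ACK']."""
    return [TCP_FLAG_NAMES.get(c, "?" + c) for c in (flags or "")]


def parse_line(line):
    """Parse one filter log line into a dict; return None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    entry = m.groupdict()
    entry["sport"] = int(entry["sport"])
    entry["dport"] = int(entry["dport"])
    entry["flag_names"] = decode_flags(entry["flags"])
    return entry


def parse_log(text):
    """Parse all matching lines of a log excerpt, skipping anything else."""
    return [e for e in (parse_line(l) for l in text.splitlines()) if e]


def group_flows(entries):
    """Group entries by the 4-tuple that identifies a TCP connection."""
    flows = defaultdict(list)
    for e in entries:
        flows[(e["src"], e["sport"], e["dst"], e["dport"])].append(e)
    return flows


def classify_flow(items):
    """Heuristic verdict from the set of flag letters seen on a blocked flow."""
    seen = set("".join(e["flags"] or "" for e in items))
    if "S" in seen and not seen & {"F", "R"}:
        return VERDICT_SYN
    if seen & {"F", "R"}:
        return VERDICT_TEARDOWN
    return VERDICT_OTHER


def summarize(text):
    """Per-flow report: how many blocked segments, which flag sets, and a verdict."""
    report = {}
    for (src, sport, dst, dport), items in group_flows(parse_log(text)).items():
        report[f"{src}:{sport}->{dst}:{dport}"] = {
            "count": len(items),
            "flags": sorted({e["flags"] for e in items}),
            "syn_seen": any("S" in (e["flags"] or "") for e in items),
            "verdict": classify_flow(items),
        }
    return report


if __name__ == "__main__":
    for flow, info in summarize(SAMPLE_LOG).items():
        print(flow, info)
```

Run on the sample, every flow reports `syn_seen` false and flag sets made only of FIN/RST/PSH/ACK, i.e. none of these bursts is a connection attempt; they are the last segments of connections that the inside host (iPhone, MacBook) is closing or resetting towards the server. Feeding the script a real log export lets the same check run over every blocked flow at once, so flows that do contain a SYN, which would point at an actual policy block, stand out from the teardown noise.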
