Help needed understanding FW-Logs

  • Hi community,

    in my firewall-logs (network at home) there are two kinds of block-entries that keep repeating and I am just wondering what they might mean.

    block Dec 17 19:52:53 	INTRANET		TCP:RA	 
    block Dec 17 19:52:49 	INTRANET		TCP:FA
    This is my iPhone on the inside, and the server of my email and website on the outside. I am wondering what is happening there, because this gets logged in small bursts of 5-10 every now and then. I first thought the Mail-App might be causing this, because it regularly checks for emails, even when not using the iPhone. But then I realized that the Port is 80 and not IMAPS (don't know the port). Does anyone have a good idea what might be happening here?

    block Dec 17 17:35:55 INTRANET TCP:RA 
    block Dec 17 17:35:50 INTRANET TCP:FPA
    block Dec 17 17:35:49 INTRANET TCP:RA 
    block Dec 17 17:35:45 INTRANET TCP:FPA
    block Dec 17 17:35:44 INTRANET TCP:FPA 
    block Dec 17 17:35:39 INTRANET TCP:FPA 
    block Dec 17 17:35:39 INTRANET TCP:FPA
    block Dec 17 17:35:39 INTRANET TCP:RA

    This is my wife's MacBook on the inside and on the outside. I guess it's some Facebook-advertising subdomain. This is logged in slightly bigger bursts of 10-25 once in a while. I could not find any special activities of my wife on Facebook being related to the log entries.
    To both, 1) and 2) … do you have any suggestions what is happening here to cause the blocks? I am not that deep into TCP/IP to really understand what it means when FINACK, RSTACK and so on are blocked. For example, I thought a FINACK would be a normal thing in TCP/IP ... why is that blocked? I thought, maybe it is sent from the webserver while the firewall does not think a FINACK is correct now, according to its state table? Maybe because it was not initiated from the client, but sent from the server? But then I saw, it is blocked on its way to the server, not coming from the server, which really confused me.
    Another thing I am wondering is, why are 1) and 2) blocked so frequently, and nearly nothing else? Are my (web-/email-)server and Facebook doing something really strange? I mean, mail and Facebook are not the only things we're doing on the web :-)
    BTW: Up to now I have not configured any special firewall rules on these interfaces.
    Thank you very much!!
    Kind regards,
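
An added example, not part of the original post: a small Python parser for block entries in the layout quoted above, which decodes the flag letters (F, P, A, R) into TCP flag names and groups the entries into bursts so their size and flag mix can be compared. The sample lines are constructed from the layout shown in the post, and the year and the 30-second burst gap are assumptions.

```python
import re
from collections import Counter
from datetime import datetime, timedelta

# Constructed sample in the layout shown in the post. Addresses and ports
# are absent from the quoted entries, so none are parsed here.
SAMPLE = """\
block Dec 17 17:35:39 INTRANET TCP:FPA
block Dec 17 17:35:39 INTRANET TCP:RA
block Dec 17 17:35:44 INTRANET TCP:FPA
block Dec 17 17:35:50 INTRANET TCP:FPA
block Dec 17 19:52:49 INTRANET TCP:FA
block Dec 17 19:52:53 INTRANET TCP:RA
"""

# One letter per TCP flag, as written in the log entries.
FLAG_NAMES = {"S": "SYN", "F": "FIN", "R": "RST", "P": "PSH", "A": "ACK", "U": "URG"}
LINE_RE = re.compile(r"^(\w+)\s+(\w{3}\s+\d{1,2}\s+\d\d:\d\d:\d\d)\s+(\S+)\s+TCP:([A-Z]+)$")

def decode_flags(letters):
    """'FPA' -> ['FIN', 'PSH', 'ACK']; unknown letters are kept as '?X'."""
    return [FLAG_NAMES.get(c, "?" + c) for c in letters]

def parse(text, year=2000):
    """Return sorted (time, action, interface, flags) tuples.
    The log has no year, so `year` is an assumed value used only for parsing."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip anything that is not a TCP entry in this layout
        action, ts, iface, flags = m.groups()
        when = datetime.strptime(f"{year} {' '.join(ts.split())}", "%Y %b %d %H:%M:%S")
        entries.append((when, action, iface, flags))
    return sorted(entries)

def bursts(entries, gap=timedelta(seconds=30)):
    """Group entries whose spacing is at most `gap` (assumed threshold)."""
    groups = []
    for e in entries:
        if groups and e[0] - groups[-1][-1][0] <= gap:
            groups[-1].append(e)
        else:
            groups.append([e])
    return groups

def summarize(text):
    """Per burst: (start time, entry count, count per decoded flag set)."""
    return [(g[0][0].strftime("%H:%M:%S"), len(g),
             dict(Counter("+".join(decode_flags(e[3])) for e in g)))
            for g in bursts(parse(text))]
```
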

  • Rebel Alliance Developer Netgate
