Help needed understanding FW-Logs
-
Hi community,
in my firewall-logs (network at home) there are two kinds of block-entries that keep repeating and I am just wondering what they might mean.
1)
```
block Dec 17 19:52:53 INTRANET 192.168.168.8:51203 82.183.12.48:80 TCP:RA
block Dec 17 19:52:49 INTRANET 192.168.168.8:51203 82.183.12.48:80 TCP:FA
```
This is my iPhone on the inside, and the server of my email and website on the outside. I am wondering what is happening there, because this gets logged in small bursts of 5-10 every now and then. I first thought the Mail app might be causing this, because it regularly checks for emails, even when I am not using the iPhone. But then I realized that the port is 80 and not IMAPS (don't know the port). Does anyone have a good idea what might be happening here?

2)
```
block Dec 17 17:35:55 INTRANET 192.168.168.10:54402 31.13.81.23:443 TCP:RA
block Dec 17 17:35:50 INTRANET 192.168.168.10:54402 31.13.81.23:443 TCP:FPA
block Dec 17 17:35:49 INTRANET 192.168.168.10:54398 31.13.81.23:443 TCP:RA
block Dec 17 17:35:45 INTRANET 192.168.168.10:54402 31.13.81.23:443 TCP:FPA
block Dec 17 17:35:44 INTRANET 192.168.168.10:54398 31.13.81.23:443 TCP:FPA
block Dec 17 17:35:39 INTRANET 192.168.168.10:54398 31.13.81.23:443 TCP:FPA
block Dec 17 17:35:39 INTRANET 192.168.168.10:54402 31.13.81.23:443 TCP:FPA
block Dec 17 17:35:39 INTRANET 192.168.168.10:54182 31.13.64.7:443 TCP:RA
```
This is my wife's MacBook on the inside and star-01-02-fra2.facebook.com on the outside. I guess it's some Facebook advertising subdomain. This is logged in slightly bigger bursts of 10-25 once in a while. I could not find any special activity of my wife on Facebook related to the log entries.

To both, 1) and 2) … do you have any suggestions as to what is happening here to cause the blocks? I am not deep enough into TCP/IP to really understand what it means when FIN/ACK, RST/ACK and so on are blocked. For example, I thought a FIN/ACK would be a normal thing in TCP/IP ... why is that blocked? I thought maybe it is sent from the web server while the firewall does not think a FIN/ACK is correct now, according to its state table? Maybe because it was not initiated from the client, but sent from the server? But then I saw it is blocked on its way to the server, not coming from the server, which really confused me.

Another thing I am wondering is, why are 1) and 2) blocked so frequently, and nearly nothing else? Are my (web-/email-)server and Facebook doing something really strange? I mean, mail and Facebook are not the only things we're doing on the web :-)

BTW: Up to now I haven't configured any special firewall rules on these interfaces.

Thank you very much!! Kind regards, Sascha
-
http://doc.pfsense.org/index.php/Logs_show_%22blocked%22_for_traffic_from_a_legitimate_connection,_why%3F
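The entries in the question are what the linked pfSense page describes: late FIN/ACK and RST/ACK segments of a connection whose state the firewall has already removed, so they fall through to the default deny rule and get logged even though the connection itself was legitimate. In this log format the first address is the source, so these are teardown segments sent by the iPhone and the MacBook, not by the servers. The script below is an added example, not code from the thread or from pfSense: it parses log lines in the summarized form shown in the post (field order assumed from the post: action, date, time, interface, src:port, dst:port, proto:flags) and separates those harmless stale-state blocks from blocks that deserve a look, such as an unsolicited inbound SYN. The sample lines are constructed: four copy entries from the post, the two WAN lines are made up to show the contrast.

```python
import re
from collections import Counter

# Constructed sample in the same one-entry-per-line form as the post.
# The four INTRANET lines copy entries from the post; the two WAN lines
# are made up to show what a genuinely unsolicited inbound SYN looks like.
SAMPLE_LOG = """\
block Dec 17 19:52:53 INTRANET 192.168.168.8:51203 82.183.12.48:80 TCP:RA
block Dec 17 19:52:49 INTRANET 192.168.168.8:51203 82.183.12.48:80 TCP:FA
block Dec 17 17:35:50 INTRANET 192.168.168.10:54402 31.13.81.23:443 TCP:FPA
block Dec 17 17:35:39 INTRANET 192.168.168.10:54182 31.13.64.7:443 TCP:RA
block Dec 17 20:01:02 WAN 203.0.113.5:44123 192.168.168.1:22 TCP:S
block Dec 17 20:01:03 WAN 203.0.113.5:44124 192.168.168.1:3389 TCP:S
"""

# Field order is assumed from the post's lines, not from a pfSense spec.
LINE_RE = re.compile(
    r"^(?P<action>\S+)\s+(?P<date>\w{3}\s+\d{1,2}\s+\d{2}:\d{2}:\d{2})\s+"
    r"(?P<iface>\S+)\s+(?P<src>[\d.]+):(?P<sport>\d+)\s+"
    r"(?P<dst>[\d.]+):(?P<dport>\d+)\s+(?P<proto>[A-Z]+)(?::(?P<flags>[A-Z]*))?$"
)


def parse_line(line):
    """Return the fields of one log entry as a dict, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    entry = m.groupdict()
    entry["flags"] = entry["flags"] or ""
    return entry


def classify_flags(flags):
    """Classify a blocked TCP segment by its flag letters.

    'S' means a connection attempt: blocking it is a real policy decision,
    nothing on the receiving side asked for that packet.
    FIN or RST without SYN is the tail end of a connection whose state the
    firewall has already dropped; the linked pfSense page explains these
    as blocks of otherwise legitimate connections.
    Anything else (ACK or PSH/ACK only) is data for a state that no longer
    exists, usually a state timeout on an idle connection.
    """
    if "S" in flags:
        return "new-connection"
    if "F" in flags or "R" in flags:
        return "stale-teardown"
    return "out-of-state"


def summarize(log_text):
    """Count blocked TCP entries per category across a log excerpt."""
    counts = Counter()
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry and entry["proto"] == "TCP":
            counts[classify_flags(entry["flags"])] += 1
    return dict(counts)


def worth_a_look(log_text):
    """Return only the TCP entries that stale state does not explain."""
    return [
        e
        for e in map(parse_line, log_text.splitlines())
        if e and e["proto"] == "TCP" and classify_flags(e["flags"]) != "stale-teardown"
    ]


if __name__ == "__main__":
    print(summarize(SAMPLE_LOG))
    for e in worth_a_look(SAMPLE_LOG):
        print(f'{e["iface"]} {e["src"]}:{e["sport"]} -> {e["dst"]}:{e["dport"]} flags={e["flags"]}')
```

Run against the sample, all four INTRANET entries from the post land in the stale-teardown bucket, and only the two made-up WAN SYNs remain in the list worth investigating. The same split applied to a full log answers the poster's last question: the mail server and Facebook show up so often simply because they are the connections being opened and closed most frequently, so they produce the most late teardown packets.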