Go daddy port scanning me?
-
-
I think packet capture is the wrong answer here. It's just going to lead to more questions and suspicion.
Perhaps never looking at the logs at all is a better answer.
-
;D
Perhaps.
My original question was perhaps worded badly.
I am not really concerned or worried about this, just wondering why on earth their servers are sending me lots of ACKs 24/7.
It just seems very strange to me when they would get blocked 24/7.
-
Wanna prank hackers? Open all your ports to a machine running no services at all and not listening on any ports.
-
Here is a question for you.
Is it possible you have an asynchronous routing condition? Is it possible that packets could leave your network in one direction, while return traffic gets routed to the wrong host (pfSense)?
I am not clear on what you posted as being anything but a tcpdump. How do you know those packets weren't passed? What you posted didn't look like a firewall log to me. Looks like a tcpdump with some sort of filter applied.
Could you post the exact details of where that info came from? If you ran a tcpdump, what were the command-line parameters you used? If you pulled it from a log, which exact log?
-
> Here is a question for you.
> Is it possible you have an asynchronous routing condition? Is it possible that packets could leave your network in one direction, while return traffic gets routed to the wrong host (pfSense)?
> I am not clear on what you posted as being anything but a tcpdump. How do you know those packets weren't passed? What you posted didn't look like a firewall log to me. Looks like a tcpdump with some sort of filter applied.
> Could you post the exact details of where that info came from? If you ran a tcpdump, what were the command-line parameters you used? If you pulled it from a log, which exact log?
Hi mate.
I have all logs go over to my syslog server. I admit I have left out the lines above the log entries for each entry, which show the action and more detail…
Here is an example of the full logs for 1 minute ago:
2013-08-06T16:35:31+01:00 192.168.0.254 pf: 00:00:00.118987 rule 1/0(match): block in on pppoe0: (tos 0x78, ttl 53, id 0, offset 0, flags [DF], proto TCP (6), length 40)
2013-08-06T16:35:31+01:00 192.168.0.254 pf: 188.121.36.176.80 > MYIPADDRESS.45907: Flags [.], cksum 0xe8da (correct), ack 576104550, win 54, length 0
2013-08-06T16:35:39+01:00 192.168.0.254 pf: 00:00:08.174619 rule 1/0(match): block in on pppoe0: (tos 0x78, ttl 53, id 0, offset 0, flags [DF], proto TCP (6), length 40)
2013-08-06T16:35:39+01:00 192.168.0.254 pf: 188.121.36.177.80 > MYIPADDRESS.22910: Flags [.], cksum 0x1094 (correct), ack 2458028443, win 54, length 0
-
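A small triage script, added here and not from the original thread or from pfSense itself, that pairs the two-line pf syslog entries in the format quoted above and counts blocked bare ACKs (flag [.], no payload, which is exactly what out-of-state traffic looks like) per source IP. The log lines are constructed from the poster's format; 203.0.113.10 and 198.51.100.7 are documentation-range placeholders standing in for MYIPADDRESS and an unrelated sender.

```python
import re
from collections import Counter

# Constructed sample in the two-line pf syslog format quoted in the thread
# (header line with rule/action/interface, then the packet line). The
# 203.0.113.10 and 198.51.100.7 addresses are documentation-range placeholders.
SAMPLE_LOG = """\
2013-08-06T16:35:31+01:00 192.168.0.254 pf: 00:00:00.118987 rule 1/0(match): block in on pppoe0: (tos 0x78, ttl 53, id 0, offset 0, flags [DF], proto TCP (6), length 40)
2013-08-06T16:35:31+01:00 192.168.0.254 pf: 188.121.36.176.80 > 203.0.113.10.45907: Flags [.], cksum 0xe8da (correct), ack 576104550, win 54, length 0
2013-08-06T16:35:39+01:00 192.168.0.254 pf: 00:00:08.174619 rule 1/0(match): block in on pppoe0: (tos 0x78, ttl 53, id 0, offset 0, flags [DF], proto TCP (6), length 40)
2013-08-06T16:35:39+01:00 192.168.0.254 pf: 188.121.36.177.80 > 203.0.113.10.22910: Flags [.], cksum 0x1094 (correct), ack 2458028443, win 54, length 0
2013-08-06T16:36:02+01:00 192.168.0.254 pf: 00:00:23.001122 rule 1/0(match): block in on pppoe0: (tos 0x0, ttl 64, id 1, offset 0, flags [DF], proto TCP (6), length 60)
2013-08-06T16:36:02+01:00 192.168.0.254 pf: 198.51.100.7.4444 > 203.0.113.10.22: Flags [S], cksum 0x1234 (correct), seq 1, win 65535, length 0
"""

HEADER_RE = re.compile(
    r"^(?P<ts>\S+) \S+ pf: \S+ rule (?P<rule>[^\s(]+)\(match\): "
    r"(?P<action>\w+) (?P<dir>in|out) on (?P<iface>\w+):")
PACKET_RE = re.compile(
    r"^\S+ \S+ pf: (?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+): Flags \[(?P<flags>[^\]]*)\],"
    r"(?P<rest>.*)length (?P<len>\d+)$")

def parse_pf_log(text):
    """Pair each 'rule ... block in on' header with the packet line that follows it."""
    events, header = [], None
    for line in text.splitlines():
        h = HEADER_RE.match(line)
        if h:
            header = h.groupdict()
            continue
        p = PACKET_RE.match(line)
        if p and header:
            ev = {**header, **p.groupdict()}
            ev["len"] = int(ev["len"])
            # A segment carrying only ACK and no payload is a bare ACK; if pf blocked
            # it, there was no state entry, i.e. the firewall never saw a SYN for it.
            ev["bare_ack"] = ev["flags"] == "." and " ack " in ev["rest"] and ev["len"] == 0
            events.append(ev)
            header = None
    return events

def bare_ack_sources(events):
    """Count blocked bare ACKs per source IP. A handful of IPs dominating this
    around the clock is the pattern the poster describes; a CRL/OCSP fetch by
    a client behind pfSense would create state, so its replies are passed, not logged here."""
    return Counter(e["src"] for e in events if e["bare_ack"] and e["action"] == "block")
```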
And what is this rule exactly, "rule 1/0(match)"?
Can you post up your rules?
Can you find one of these blocks in your actual firewall log and click the red X so we can see the details of which rule triggered the block?
-
> And what is this rule exactly, "rule 1/0(match)"?
> Can you post up your rules?
To be perfectly honest I'm not sure which rule that would be…
I assumed that it was rejected by rule 1/0 as it wasn't in the state table and no connection to that IP / port had been opened?
I thought the rule 1/0 was perhaps a way for the firewall to explain the state table?
My first 4 rules that reject traffic are as follows:
-
Hmm, just had a Google about and it seems that rule 1/0 is the default deny rule?
-
When I look at my rules the default deny seems to be rule 3.
The rule that triggered this action is:
@3 scrub on em3 all fragment reassemble
@3 block drop in log inet all label "Default deny rule IPv4"
Which is why I asked if he could actually click the red X in his firewall log and get some details of what rule the firewall says it is.
If this is out-of-state traffic then yes, it will be blocked. And it is not uncommon to see such traffic when something gets disconnected, etc. But if this is really a response to CRL checking of GoDaddy certs by his clients, it should be allowed.
-
> When I look at my rules the default deny seems to be rule 3.
> The rule that triggered this action is:
> @3 scrub on em3 all fragment reassemble
> @3 block drop in log inet all label "Default deny rule IPv4"
> Which is why I asked if he could actually click the red X in his firewall log and get some details of what rule the firewall says it is.
> If this is out-of-state traffic then yes, it will be blocked. And it is not uncommon to see such traffic when something gets disconnected, etc. But if this is really a response to CRL checking of GoDaddy certs by his clients, it should be allowed.
Ahh right, mine is:
And yes, I'd agree with you on the CRL side of things… but I am the only person at the moment who is using this Exchange server.
PLUS these ACKs are coming from just 3 IPs 24/7! Either I have missed something here or GoDaddy have...
-
> but I am the only person at the moment who is using this Exchange server.
> PLUS these ACKs are coming from just 3 IPs 24/7!
So the only traffic outbound from pfSense is this Exchange server, there are NO clients behind pfSense?
Also the IPs you're seeing are NOT on the list from GoDaddy for their CRLs. But yes, crl is a FQDN, and it's served up from a CDN, so its IP will change I would assume.
;; QUESTION SECTION:
;crl.godaddy.com. IN A
;; ANSWER SECTION:
crl.godaddy.com. 855 IN CNAME gdcrl.godaddy.com.akadns.net.
gdcrl.godaddy.com.akadns.net. 12 IN A 50.63.243.228
So it's quite possible that IP changes.
As to the OCSP:
;; QUESTION SECTION:
;ocsp.godaddy.com. IN A
;; ANSWER SECTION:
ocsp.godaddy.com. 1647 IN CNAME ocsp.godaddy.com.akadns.net.
ocsp.godaddy.com.akadns.net. 31 IN A 72.167.18.239
I really would watch a full sniff to see if you're sending out traffic to these IPs, which don't really seem to be CRL or OCSP.