Understanding firewall logs - source and destination addresses
I'm trying to track down a malware infestation that is getting some of our IPs blacklisted, so have created a firewall rule to block & log traffic to particular IPs.
That seems to be working fine, as I'm now seeing blocked traffic in the logs. The problem is, the IP shown as the source is on the WAN, one of the gateway IPs, not the internal machine. The destination IP is the external botnet target, so is "correct".
How do I work out what the actual source of this is?
I guess you put a block on the way out of WAN? Which seems to be after NAT is applied.
Put block rules on LAN and you should see the internal private LAN source IP, before NAT gets to it.
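Why the interface matters is worth seeing on sample data. The script below is an added example, not anything from the thread: it uses a constructed log format (not a real firewall's) and assumes the same flow was logged once on LAN (pre-NAT, internal source) and once on WAN (post-NAT, gateway source). Joining the two on destination address, destination port and a short time window recovers the internal host behind a WAN-side block entry; a WAN entry with no LAN partner is exactly the situation the question describes.

```python
from __future__ import annotations
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed log format for this example (not a real firewall's output):
#   <ISO timestamp> <interface> <action> <src>:<sport> -> <dst>:<dport>
# 192.168.1.0/24 is the LAN, 203.0.113.2 the WAN gateway address, and
# 198.51.100.x stand in for the external addresses being blocked.
SAMPLE_LOG = """\
2024-05-01T10:00:00 LAN pass 192.168.1.23:51234 -> 198.51.100.7:6667
2024-05-01T10:00:00 WAN block 203.0.113.2:18822 -> 198.51.100.7:6667
2024-05-01T10:00:05 LAN pass 192.168.1.40:49152 -> 198.51.100.9:443
2024-05-01T10:00:05 WAN block 203.0.113.2:30017 -> 198.51.100.9:443
2024-05-01T10:02:00 WAN block 203.0.113.2:41000 -> 198.51.100.7:6667
"""

@dataclass(frozen=True)
class LogEntry:
    ts: datetime
    iface: str
    action: str
    src: str
    sport: int
    dst: str
    dport: int

def parse_line(line: str) -> LogEntry:
    ts, iface, action, src, arrow, dst = line.split()
    if arrow != "->":
        raise ValueError(f"unexpected log line: {line!r}")
    src_ip, sport = src.rsplit(":", 1)
    dst_ip, dport = dst.rsplit(":", 1)
    return LogEntry(datetime.fromisoformat(ts), iface, action,
                    src_ip, int(sport), dst_ip, int(dport))

def parse_log(text: str) -> list[LogEntry]:
    return [parse_line(l) for l in text.splitlines() if l.strip()]

def correlate(entries: list[LogEntry], window: timedelta = timedelta(seconds=2)):
    """For each WAN-side entry (source already rewritten to the gateway IP by
    NAT), collect LAN-side entries to the same destination:port within the
    window; their source field is the pre-NAT internal host. Source ports are
    deliberately not used as a key, since NAT may rewrite them."""
    lan = [e for e in entries if e.iface == "LAN"]
    result: dict[LogEntry, list[str]] = {}
    for wan in (e for e in entries if e.iface == "WAN"):
        result[wan] = sorted({l.src for l in lan
                              if l.dst == wan.dst and l.dport == wan.dport
                              and abs(l.ts - wan.ts) <= window})
    return result

def internal_sources(text: str) -> dict[str, list[str]]:
    """Same result keyed by '<timestamp> <dst>:<dport>' for easy reading."""
    return {f"{w.ts.isoformat()} {w.dst}:{w.dport}": srcs
            for w, srcs in correlate(parse_log(text)).items()}

if __name__ == "__main__":
    for key, srcs in internal_sources(SAMPLE_LOG).items():
        print(key, "<-", srcs or "no LAN-side record in window (log on LAN, pre-NAT)")
```

Whichever firewall you run, the log field layout will differ from the constructed one above; only the parser needs adjusting, the join itself is the same.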
It's a floating rule. I also have similar rules on WAN, LAN and OPT1, but they don't seem to catch these. Not sure how.
So remove the floating rule.
What are the exact rules you have in place, so we can see why the other rules might not catch this? Keep in mind that, other than floating rules, rules are evaluated top down; the first rule that hits stops evaluation of the rest of the rules. So you see stuff like an any/any default rule, and then below that the rule you want to put in place, and no wonder it doesn't fire, since it's never evaluated.
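The top-down, first-match behaviour described above can be checked mechanically. The following is an added example, not part of the thread: a small rule evaluator over constructed rules (198.51.100.7 stands in for the address being blocked, 192.168.1.0/24 for the LAN). It shows that a block rule placed under a broad pass rule is never reached, and that swapping the order makes it fire. It models only the per-interface top-down evaluation the post describes, not floating-rule semantics.

```python
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class Rule:
    action: str   # "pass" or "block"
    src: str      # "any" or a CIDR
    dst: str      # "any" or a CIDR
    descr: str = ""

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str

def _matches(spec: str, ip: str) -> bool:
    return spec == "any" or ipaddress.ip_address(ip) in ipaddress.ip_network(spec, strict=False)

def first_match(rules, pkt):
    """Top-down, first-match: return (index, rule) of the first rule that
    matches, or (None, None) when nothing matches (implicit deny)."""
    for i, r in enumerate(rules):
        if _matches(r.src, pkt.src) and _matches(r.dst, pkt.dst):
            return i, r
    return None, None

def decision(rules, pkt) -> str:
    _, r = first_match(rules, pkt)
    return r.action if r else "block"

def unreached_matches(rules, pkt):
    """Indices of rules that would have matched this packet but sit below the
    first hit and are therefore never evaluated for it (shadowed rules)."""
    i, _ = first_match(rules, pkt)
    if i is None:
        return []
    return [j for j in range(i + 1, len(rules))
            if _matches(rules[j].src, pkt.src) and _matches(rules[j].dst, pkt.dst)]

# Constructed rule sets (assumed values, not from the thread).
LAN_NET = "192.168.1.0/24"
BOTNET = "198.51.100.7/32"
ALLOW_ALL = Rule("pass", LAN_NET, "any", "default allow LAN to any")
BLOCK_BOTNET = Rule("block", LAN_NET, BOTNET, "block + log traffic to botnet host")
MISORDERED = [ALLOW_ALL, BLOCK_BOTNET]   # block rule under the any/any pass
CORRECTED = [BLOCK_BOTNET, ALLOW_ALL]    # block rule above it
PKT = Packet("192.168.1.23", "198.51.100.7")

if __name__ == "__main__":
    for name, rules in (("misordered", MISORDERED), ("corrected", CORRECTED)):
        idx, rule = first_match(rules, PKT)
        print(f"{name}: hit rule {idx} ({rule.descr}) -> {decision(rules, PKT)}; "
              f"shadowed rules: {unreached_matches(rules, PKT)}")
```

Running `unreached_matches` over the packets you actually care about is a quick way to spot a rule that can never fire because something above it already matches.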