Actually that option is turned on. It is logging packets blocked by the default rule.

Matthew

-----Original Message-----
From: Denis Mirassou [mailto:Mirassou at cict dot fr]
Sent: Friday, February 11, 2005 8:13 AM
To: Matthew Steinblock
Subject: Re: [m0n0wall] Log question

Matthew Steinblock wrote:
> That is strange, as I have only one rule in the DMZ, just as specified in the documentation.
>
> Permit DMZ to * BUT LAN
>
> The only thing getting blocked should be something from the DMZ going to LAN, not WAN.
>
> Matthew Steinblock
>
> ________________________________
>
> MKSolutions
> Mobile Computer Specialists
>
> PO Box 341
> Auburn, NE 68305
> 402.274.8529
> http://MKSolutions.net
>
> ________________________________
>

Mmm, so the "Log packets blocked by the default rule" option in the "diag_logs_settings.php" admin page is indeed not checked?

Denis

> -----Original Message-----
> From: Denis Mirassou [mailto:Mirassou at cict dot fr]
> Sent: Friday, February 11, 2005 1:50 AM
> To: Matthew Steinblock
> Cc: m0n0wall at lists dot m0n0 dot ch
> Subject: Re: [m0n0wall] Log question
>
> Matthew Steinblock wrote:
>
>>I am getting the following log entry pretty frequently lately.
>>
>>Act TIME If Source Destination Proto
>>X17 22:21:53.381441 DMZ 192.168.1.100, port 80 152.163.100.139, port 38345 TCP
>>
>>The X means blocked. What does the 17 mean? Most entries do not have
>>a number under Act, while others will have anything from 2 to 17.
>>
>>The DMZ is set up to allow everything except LAN. Why is this being
>>blocked? Why always a bunch of these entries together with just one
>>port difference?
>>
>>Thanks!
>>
>>
>>Matthew Steinblock
>>
>>---------------------------------------------------------------------
>>To unsubscribe, e-mail: m0n0wall dash unsubscribe at lists dot m0n0 dot ch
>>For additional commands, e-mail: m0n0wall dash help at lists dot m0n0 dot ch
>
> Hi,
>
> The "17" means, I think, that this event repeats 17 times.
> Traffic from IP 192.168.1.100, port 80 coming from your DMZ interface to destination address 152.163.100.139 port TCP 38345 is blocked.
> You have a firewall rule that blocks and logs that, review your firewall rules.
>
> Maybe it could be HTTP responses from a web server 192.168.1.100 port 80 to a client 152.163.100.139?
>
> Regards
>
> Denis
>
> --
> Denis Mirassou
> Service Réseaux
> Centre Interuniversitaire de Calcul de Toulouse (C.I.C.T)