 From:  Denis Mirassou <Mirassou at cict dot fr>
 To:  m0n0wall at lists dot m0n0 dot ch
 Subject:  Re: [m0n0wall] Log question
 Date:  Fri, 11 Feb 2005 15:31:35 +0100
Matthew Steinblock wrote:
> Actually that option is turned on.  It is logging packets blocked by default rule.
> 
> 
> Matthew 

Try to uncheck this option and see if the same logs appear.
If not, then try to change the rules on your DMZ interface:

deny DMZ to LAN
permit DMZ to *

Denis

> 
> -----Original Message-----
> From: Denis Mirassou [mailto:Mirassou at cict dot fr] 
> Sent: Friday, February 11, 2005 8:13 AM
> To: Matthew Steinblock
> Subject: Re: [m0n0wall] Log question
> 
> Matthew Steinblock wrote:
> 
>> That is strange, as I have only one rule in the DMZ, just as specified in the documentation.
>>
>>Permit DMZ to * BUT LAN
>>
>>The only thing getting blocked should be something from the DMZ going to LAN, not WAN.
>>
>>
>>
>>Matthew Steinblock
>>
>>________________________________
>>
>>MKSolutions
>>Mobile Computer Specialists
>>
>>PO Box 341
>>Auburn, NE 68305
>>402.274.8529
>>http://MKSolutions.net
>>
>>________________________________
>>
> 
> 
> Mmm, so the "Log packets blocked by the default rule" option in the "diag_logs_settings.php" admin page is not checked indeed?
> 
> Denis
> 
> 
>>-----Original Message-----
>>From: Denis Mirassou [mailto:Mirassou at cict dot fr]
>>Sent: Friday, February 11, 2005 1:50 AM
>>To: Matthew Steinblock
>>Cc: m0n0wall at lists dot m0n0 dot ch
>>Subject: Re: [m0n0wall] Log question
>>
>>Matthew Steinblock wrote:
>>
>>
>>>I am getting the following log entry pretty frequently lately.  
>>>
>>>Act TIME            If  Source                 Destination                 Proto
>>>X17 22:21:53.381441 DMZ 192.168.1.100, port 80 152.163.100.139, port 38345 TCP
>>>
>>>The X means blocked.  What does the 17 mean?  Most entries do not have 
>>>a number under Act, while others will have anything from 2 to 17.
>>>
>>>The DMZ is set up to allow everything except LAN.  Why is this being 
>>>blocked?  Why always a bunch of these entries together with just one 
>>>port difference?
>>>
>>>Thanks!
>>>
>>>
>>>Matthew Steinblock
>>>
>>
>>
>>Hi,
>>
>>The "17" means, I think, that this event repeats 17 times.
>>Traffic from IP 192.168.1.100, port 80 coming from your DMZ interface to destination address 152.163.100.139 port TCP 38345 is blocked.
>>You have a firewall rule that blocks and logs that; review your firewall rules.
>>
>>Maybe it could be HTTP responses from a web server 192.168.1.100 port 80 to a client 152.163.100.139?
>>
>>Regards
>>
>>Denis
>>
>>
> 
> 
> 


-- 
         /\
      /\/  \
  O  / / Denis Mirassou

/ \| Centre Interuniversitaire de Calcul de Toulouse (C.I.C.T)