 From:  Don Munyak <don dot munyak at gmail dot com>
 To:  m0n0wall at lists dot m0n0 dot ch
 Subject:  Need some help understanding why certain traffic is being blocked.
 Date:  Mon, 4 Apr 2005 14:43:34 -0400
I have noticed the following rule in ipfstat -nio

@17 block in log quick proto tcp from any to any

We are getting the following blocked traffic log:

Apr  4 23:13:04 m0n0wall ipmon[78]: 23:13:03.793845 rl1 @0:17 b
192.168.222.187,1677 -> 216.200.68.4,80 PR tcp len 20 40 -AF IN
Apr  4 23:13:04 m0n0wall ipmon[78]: 23:13:04.135305 rl1 @0:17 b
192.168.222.187,1675 -> 216.200.68.4,80 PR tcp len 20 40 -AF IN
Apr  4 23:13:04 m0n0wall ipmon[78]: 23:13:04.223278 rl1 @0:17 b
192.168.222.187,1678 -> 216.200.68.4,80 PR tcp len 20 40 -AF IN
Apr  4 23:13:04 m0n0wall ipmon[78]: 23:13:04.326783 rl1 @0:17 b
192.168.222.187,1679 -> 216.200.68.4,80 PR tcp len 20 40 -AF IN
Apr  4 23:13:05 m0n0wall ipmon[78]: 23:13:04.569712 rl1 @0:17 b
192.168.222.187,1680 -> 216.200.68.4,80 PR tcp len 20 40 -AF IN
Apr  4 23:13:05 m0n0wall ipmon[78]: 23:13:04.749627 rl1 @0:17 b
192.168.222.187,1683 -> 216.200.68.4,80 PR tcp len 20 40 -AF IN
Apr  4 23:13:05 m0n0wall ipmon[78]: 23:13:04.971438 rl1 @0:17 b
192.168.222.187,1685 -> 216.200.68.4,80 PR tcp len 20 40 -AF IN
Apr  4 23:13:05 m0n0wall ipmon[78]: 23:13:05.060978 rl1 @0:17 b
192.168.222.187,1684 -> 129.42.40.230,80 PR tcp len 20 40 -AF IN
Apr  4 23:13:05 m0n0wall ipmon[78]: 23:13:05.151938 rl1 @0:17 b
192.168.222.187,1686 -> 216.200.68.4,80 PR tcp len 20 40 -AF IN
Apr  4 23:13:21 m0n0wall ipmon[78]: 23:13:20.748817 rl1 @0:17 b
192.168.222.187,1692 -> 216.200.68.4,80 PR tcp len 20 40 -AF IN
Apr  4 23:13:21 m0n0wall ipmon[78]: 23:13:21.339997 rl1 @0:17 b
192.168.222.187,1696 -> 216.200.68.4,80 PR tcp len 20 40 -AF IN

rl1 is the LAN gateway interface
xl1 is the WAN interface
r10 is the DMZ interface (not being used)

I am unable to determine who 216.200.68.4 is.
192.168.222.187 is one of our LAN client PCs.

The only traffic I am blocking at the LAN interface is telnet and 445.
Why then are these packets being blocked?
Is there a simple explanation, or do I need to provide more information?

I am also seeing the same kind of blocks for another "server" which we
are using for an ASP web application.

TIA,

- Don
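An added triage example, not code from the post or from m0n0wall: a small parser for the ipmon lines quoted above (re-joined onto one line each, since syslog wrapped them), which classifies each blocked TCP packet by its flags. The -AF entries carry ACK+FIN and no SYN, so they are closing packets of sessions already under way rather than new connection attempts; the third sample line is a constructed SYN added for contrast.

```python
import re
from collections import Counter

# ipmon(8) block/pass log line as relayed through syslog on m0n0wall; the
# field layout is taken from the lines quoted in the post above.
IPMON_RE = re.compile(
    r"(?P<iface>\w+) @(?P<group>\d+):(?P<rule>\d+) (?P<action>[bp]) "
    r"(?P<src>[\d.]+),(?P<sport>\d+) -> (?P<dst>[\d.]+),(?P<dport>\d+) "
    r"PR (?P<proto>\w+) len \d+ \d+(?: -(?P<flags>[A-Z]+))? (?P<dir>IN|OUT)"
)

# Sample input: the first two lines are from the post (re-joined); the third
# is a constructed SYN to port 23 so both packet kinds are present.
SAMPLE_LOG = """\
Apr  4 23:13:04 m0n0wall ipmon[78]: 23:13:03.793845 rl1 @0:17 b 192.168.222.187,1677 -> 216.200.68.4,80 PR tcp len 20 40 -AF IN
Apr  4 23:13:05 m0n0wall ipmon[78]: 23:13:05.060978 rl1 @0:17 b 192.168.222.187,1684 -> 129.42.40.230,80 PR tcp len 20 40 -AF IN
Apr  4 23:13:06 m0n0wall ipmon[78]: 23:13:06.000000 rl1 @0:17 b 192.168.222.187,1700 -> 192.0.2.10,23 PR tcp len 20 48 -S IN
"""

def parse_ipmon(line):
    """Return the fields of one ipmon line as a dict, or None if it is not one."""
    m = IPMON_RE.search(line)
    return m.groupdict() if m else None

def classify(rec):
    """Label a blocked record by what its TCP flags say about the session.

    SYN without ACK is a genuine new-connection attempt.  A packet with no SYN
    (ACK, ACK+FIN, RST) belongs to a session that was already in progress, so
    a block on it typically means the firewall no longer holds state for that
    session (an idle state entry timed out), not that a rule forbids the site.
    """
    if rec["proto"] != "tcp":
        return "non-tcp"
    flags = rec["flags"] or ""
    if "S" in flags and "A" not in flags:
        return "new-connection"
    return "out-of-state"

def summarize(log_text):
    """Count blocked packets per (interface, rule, destination port, kind)."""
    counts = Counter()
    for line in log_text.splitlines():
        rec = parse_ipmon(line)
        if rec and rec["action"] == "b":
            rule = "@%s:%s" % (rec["group"], rec["rule"])
            counts[(rec["iface"], rule, rec["dport"], classify(rec))] += 1
    return counts
```

Run `summarize(open("/var/log/ipfilter.log").read())` against a real log to see at a glance whether a rule such as @0:17 is mostly catching out-of-state ACK/FIN packets or real connection attempts.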