I've got a m0n0wall box deployed for our webserver farm, and am seeing a large amount of seemingly legitimate traffic being dropped. Trying to figure out what could be causing it, and am coming up empty. Running version 1.2b10, had the same problem on 1.11, hence the upgrade.

    01:41:41.026406 fxp1 @0:15 b 202.144.120.5,31362 -> scrubbed.104,80 PR tcp len 20 40 -A IN
    01:41:42.645168 fxp0 @0:15 b scrubbed.106,80 -> 66.249.64.30,48017 PR tcp len 20 64 -AS IN
    01:41:43.029323 fxp1 @0:15 b 8.6.221.108,59369 -> scrubbed.133,25 PR tcp len 20 40 -A IN
    01:41:43.729461 fxp0 @0:15 b scrubbed.133,25 -> 202.149.41.42,3114 PR tcp len 20 89 -AFP IN
    01:41:52.174792 fxp1 @0:10 b 10.14.0.16,55376 -> scrubbed.129,25 PR tcp len 20 52 -AF IN

Here are a few snippets of log entries that are being generated as drops by the default drop rule. My config is located here: http://flash.shanje.com/myconfig.txt

From my understanding, my setup should allow all traffic from the opt1 network (fxp0) out to the internet, and anything destined for ports 80,25,110,443,5631,5632,21,2000-2010,53,1433-1434,3306,etc...etc... should be allowed.

My main question is this... why are these packets getting dropped? Is it inspecting them and finding them as malformed, or broken? Or is it simply the firewall having issues and barfing?

Our connection is pretty consistent above 5Mbit outbound (serving HTTP traffic) and most days sees utilization between 7-10Mbit during the daytime hours.
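A triage helper for the log lines quoted in the post above, added here as an example and not part of the original post: it parses each line and groups the blocked TCP packets by interface, rule and TCP flags, which shows whether the drops are connection-opening SYNs or packets from the middle or end of a connection. The field layout in the regular expression is read off the quoted lines, and the function names are made up for this example.

```python
import re
from collections import Counter

# The five log lines from the post (hosts already scrubbed by the poster).
SAMPLE = """\
01:41:41.026406 fxp1 @0:15 b 202.144.120.5,31362 -> scrubbed.104,80 PR tcp len 20 40 -A IN
01:41:42.645168 fxp0 @0:15 b scrubbed.106,80 -> 66.249.64.30,48017 PR tcp len 20 64 -AS IN
01:41:43.029323 fxp1 @0:15 b 8.6.221.108,59369 -> scrubbed.133,25 PR tcp len 20 40 -A IN
01:41:43.729461 fxp0 @0:15 b scrubbed.133,25 -> 202.149.41.42,3114 PR tcp len 20 89 -AFP IN
01:41:52.174792 fxp1 @0:10 b 10.14.0.16,55376 -> scrubbed.129,25 PR tcp len 20 52 -AF IN
"""

# time iface @group:rule action src,port -> dst,port PR proto len hdr total [-flags] dir
LINE = re.compile(
    r"(?P<time>\S+) (?P<iface>\S+) @(?P<rule>\d+:\d+) (?P<action>\S+) "
    r"(?P<src>[^,\s]+),(?P<sport>\d+) -> (?P<dst>[^,\s]+),(?P<dport>\d+) "
    r"PR (?P<proto>\S+) len (?P<hlen>\d+) (?P<plen>\d+)"
    r"(?: -(?P<flags>[A-Z]+))? (?P<dir>IN|OUT)$"
)

def parse(line):
    """Return the fields of one log line as a dict, or None if it does not match."""
    m = LINE.match(line.strip())
    return m.groupdict() if m else None

def tcp_stage(flags):
    """Place a TCP flag string (e.g. 'AFP') in the connection lifecycle."""
    f = set(flags or "")
    if "S" in f:
        return "handshake reply (SYN+ACK)" if "A" in f else "open (SYN)"
    if "R" in f:
        return "reset"
    if "F" in f:
        return "teardown (FIN)"
    return "mid-connection"

def blocked_tcp(text):
    """Yield parsed entries for blocked ('b') TCP packets; other lines are skipped."""
    for line in text.splitlines():
        e = parse(line)
        if e and e["action"] == "b" and e["proto"] == "tcp":
            yield e

def summarize(text):
    """Count blocked TCP packets per (interface, rule, connection stage)."""
    return Counter((e["iface"], e["rule"], tcp_stage(e["flags"])) for e in blocked_tcp(text))

def opening_syns(text):
    """Number of blocked packets that would start a new connection (SYN without ACK)."""
    return sum(1 for e in blocked_tcp(text) if tcp_stage(e["flags"]) == "open (SYN)")

if __name__ == "__main__":
    for key, n in sorted(summarize(SAMPLE).items()):
        print(n, *key)
    print("blocked connection-opening SYNs:", opening_syns(SAMPLE))
```

On the five quoted lines it counts no blocked connection-opening SYNs: every dropped packet carries ACK.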