
Firewall log full of default drops when web browsing

Hi there,

Running a vanilla install of utm v9.205-12 as a VM running on VMware with two NICs attached. It's sitting behind an internet router running tomato USB.

On UTM The "External (WAN)" interface is 192.168.1.8 and default gateway 192.168.1.1 (tomato usb router)

The Internal interface is 192.168.42.1

All VMs running on VMware use 192.168.42.1 as their default gateway. On one of my VMs, when I browse to, say, Gameplanet Forums - New Zealand's video game community, after a while I get flooded with default drops with source port 80 and random dst ports.

2014:09:09-17:06:27 labutm01 ulogd[4886]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60003" outitf="eth1" srcmac="0:50:56:88:15:54" srcip="23.23.250.228" dstip="192.168.42.11" proto="6" length="40" tos="0x00" prec="0x00" ttl="64" srcport="80" dstport="57252" tcpflags="RST" 
2014:09:09-17:06:27 labutm01 ulogd[4886]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60003" outitf="eth1" srcmac="0:50:56:88:15:54" srcip="54.252.165.43" dstip="192.168.42.11" proto="6" length="40" tos="0x00" prec="0x00" ttl="64" srcport="80" dstport="57230" tcpflags="RST" 
2014:09:09-17:06:27 labutm01 ulogd[4886]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60003" outitf="eth1" srcmac="0:50:56:88:15:54" srcip="68.232.44.121" dstip="192.168.42.11" proto="6" length="40" tos="0x00" prec="0x00" ttl="64" srcport="80" dstport="57222" tcpflags="RST" 
2014:09:09-17:06:27 labutm01 ulogd[4886]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60003" outitf="eth1" srcmac="0:50:56:88:15:54" srcip="176.32.102.89" dstip="192.168.42.11" proto="6" length="40" tos="0x00" prec="0x00" ttl="64" srcport="80" dstport="57241" tcpflags="RST" 
2014:09:09-17:06:27 labutm01 ulogd[4886]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60003" outitf="eth1" srcmac="0:50:56:88:15:54" srcip="68.232.44.121" dstip="192.168.42.11" proto="6" length="40" tos="0x00" prec="0x00" ttl="64" srcport="80" dstport="57224" tcpflags="RST" 
2014:09:09-17:06:27 labutm01 ulogd[4886]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60003" outitf="eth1" srcmac="0:50:56:88:15:54" srcip="68.232.44.121" dstip="192.168.42.11" proto="6" length="40" tos="0x00" prec="0x00" ttl="64" srcport="80" dstport="57227" tcpflags="RST" 
2014:09:09-17:06:27 labutm01 ulogd[4886]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60003" outitf="eth1" srcmac="0:50:56:88:15:54" srcip="176.32.102.89" dstip="192.168.42.11" proto="6" length="40" tos="0x00" prec="0x00" ttl="64" srcport="80" dstport="57245" tcpflags="RST" 
2014:09:09-17:06:27 labutm01 ulogd[4886]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60003" outitf="eth1" srcmac="0:50:56:88:15:54" srcip="68.232.44.121" dstip="192.168.42.11" proto="6" length="40" tos="0x00" prec="0x00" ttl="64" srcport="80" dstport="57228" tcpflags="RST" 
2014:09:09-17:06:27 labutm01 ulogd[4886]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60003" outitf="eth1" srcmac="0:50:56:88:15:54" srcip="176.32.102.89" dstip="192.168.42.11" proto="6" length="40" tos="0x00" prec="0x00" ttl="64" srcport="80" dstport="57242" tcpflags="RST" 
2014:09:09-17:06:27 labutm01 ulogd[4886]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60003" outitf="eth1" srcmac="0:50:56:88:15:54" srcip="68.232.44.121" dstip="192.168.42.11" proto="6" length="40" tos="0x00" prec="0x00" ttl="64" srcport="80" dstport="57225" tcpflags="RST" 
2014:09:09-17:06:27 labutm01 ulogd[4886]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60003" outitf="eth1" srcmac="0:50:56:88:15:54" srcip="68.232.44.121" dstip="192.168.42.11" proto="6" length="40" tos="0x00" prec="0x00" ttl="64" srcport="80" dstport="57223" tcpflags="RST" 
2014:09:09-17:06:27 labutm01 ulogd[4886]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60003" outitf="eth1" srcmac="0:50:56:88:15:54" srcip="74.125.204.95" dstip="192.168.42.11" proto="6" length="40" tos="0x00" prec="0x00" ttl="64" srcport="80" dstport="57226" tcpflags="RST" 
2014:09:09-17:06:27 labutm01 ulogd[4886]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60003" outitf="eth1" srcmac="0:50:56:88:15:54" srcip="117.18.237.139" dstip="192.168.42.11" proto="6" length="40" tos="0x00" prec="0x00" ttl="64" srcport="80" dstport="57240" tcpflags="RST" 
2014:09:09-17:06:27 labutm01 ulogd[4886]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60003" outitf="eth1" srcmac="0:50:56:88:15:54" srcip="184.84.63.139" dstip="192.168.42.11" proto="6" length="40" tos="0x00" prec="0x00" ttl="64" srcport="80" dstport="57239" tcpflags="RST" 
2014:09:09-17:06:27 labutm01 ulogd[4886]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60003" outitf="eth1" srcmac="0:50:56:88:15:54" srcip="54.252.165.43" dstip="192.168.42.11" proto="6" length="40" tos="0x00" prec="0x00" ttl="64" srcport="80" dstport="57229" tcpflags="RST" 
2014:09:09-17:06:27 labutm01 ulogd[4886]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60003" outitf="eth1" srcmac="0:50:56:88:15:54" srcip="202.124.127.46" dstip="192.168.42.11" proto="6" length="40" tos="0x00" prec="0x00" ttl="64" srcport="80" dstport="57236" tcpflags="RST" 
2014:09:09-17:06:27 labutm01 ulogd[4886]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60003" outitf="eth1" srcmac="0:50:56:88:15:54" srcip="202.124.127.46" dstip="192.168.42.11" proto="6" length="40" tos="0x00" prec="0x00" ttl="64" srcport="80" dstport="57235" tcpflags="RST"


I understand that these are red herrings, but how do I stop them from being logged? It makes it difficult to trawl through the log to find legitimate traffic that's being blocked.

If I disable web filtering, the drops change to ACK FIN:

2014:09:09-17:20:32 labutm01 ulogd[4886]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60003" outitf="eth1" srcmac="0:50:56:88:15:54" srcip="199.59.149.201" dstip="192.168.42.11" proto="6" length="40" tos="0x00" prec="0x00" ttl="64" srcport="443" dstport="57600" tcpflags="ACK FIN" 
2014:09:09-17:20:32 labutm01 ulogd[4886]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60003" outitf="eth1" srcmac="0:50:56:88:15:54" srcip="202.124.127.46" dstip="192.168.42.11" proto="6" length="40" tos="0x00" prec="0x00" ttl="64" srcport="80" dstport="57593" tcpflags="ACK FIN" 
2014:09:09-17:20:32 labutm01 ulogd[4886]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60003" outitf="eth1" srcmac="0:50:56:88:15:54" srcip="202.124.127.46" dstip="192.168.42.11" proto="6" length="40" tos="0x00" prec="0x00" ttl="64" srcport="80" dstport="57594" tcpflags="ACK FIN" 
2014:09:09-17:20:32 labutm01 ulogd[4886]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60003" outitf="eth1" srcmac="0:50:56:88:15:54" srcip="202.124.127.46" dstip="192.168.42.11" proto="6" length="40" tos="0x00" prec="0x00" ttl="64" srcport="80" dstport="57595" tcpflags="ACK FIN" 
2014:09:09-17:20:32 labutm01 ulogd[4886]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60003" outitf="eth1" srcmac="0:50:56:88:15:54" srcip="31.13.82.32" dstip="192.168.42.11" proto="6" length="40" tos="0x00" prec="0x00" ttl="64" srcport="80" dstport="57610" tcpflags="ACK FIN" 
2014:09:09-17:20:32 labutm01 ulogd[4886]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60003" outitf="eth1" srcmac="0:50:56:88:15:54" srcip="176.32.102.89" dstip="192.168.42.11" proto="6" length="40" tos="0x00" prec="0x00" ttl="64" srcport="80" dstport="57602" tcpflags="ACK FIN" 
2014:09:09-17:20:32 labutm01 ulogd[4886]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60003" outitf="eth1" srcmac="0:50:56:88:15:54" srcip="23.23.250.228" dstip="192.168.42.11" proto="6" length="40" tos="0x00" prec="0x00" ttl="64" srcport="80" dstport="57606" tcpflags="ACK FIN" 
2014:09:09-17:20:32 labutm01 ulogd[4886]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60003" outitf="eth1" srcmac="0:50:56:88:15:54" srcip="176.32.102.89" dstip="192.168.42.11" proto="6" length="40" tos="0x00" prec="0x00" ttl="64" srcport="80" dstport="57598" tcpflags="ACK FIN" 
2014:09:09-17:20:32 labutm01 ulogd[4886]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60003" outitf="eth1" srcmac="0:50:56:88:15:54" srcip="176.32.102.89" dstip="192.168.42.11" proto="6" length="40" tos="0x00" prec="0x00" ttl="64" srcport="80" dstport="57599" tcpflags="ACK FIN" 
2014:09:09-17:20:33 labutm01 ulogd[4886]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60003" outitf="eth1" srcmac="0:50:56:88:15:54" srcip="23.23.250.228" dstip="192.168.42.11" proto="6" length="40" tos="0x00" prec="0x00" ttl="64" srcport="80" dstport="57607" tcpflags="ACK FIN" 


This is a fresh install; the only FW rule I added was to allow 192.168.1.0/24 to access the webadmin interface on 192.168.1.8.

  • Hi and welcome to the UBB,
    you can simplify the rules at this stage by just having one rule:
    internal network -> any port -> any destination -> allow -> log

    You don't need a rule to allow access to webadmin; you do that through the management functions, by allowing either networks or addresses. Just make sure you have your internal network in the allowed list.

    You could enable the webproxy in transparent mode that will help with identifying dud sites.

    Ian
  • Hi there,

    Thanks, have removed all those rules and just added internal network -> any -> any

    The web filter is running in transparent mode so I still see all those RST hits :/
  • Hi, raab, and welcome to the User BB!

    First, refer to #2 in Rulz.  You can make a Firewall rule that drops those packets using a new Service definition: "HTTP Response" = {80->1:65535}.  Any luck with that?

    Cheers - Bob
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • Hi there,

    Thanks for making me feel welcome. Have spent considerable time lurking on the forums checking out various threads.

    I've since rejigged my setup and configured UTM as the default gateway rather than having a router in between UTM and my VDSL2 modem.

    I had tried that, albeit called reverse http and https (from another thread I found on here) but the drops still come in as default drops. I've since reimplemented those rules and so far I haven't seen the drops - weird.

    I'll keep an eye and report back
  • So they're still appearing even though I have the rules there, is this correct?

    2014:09:11-14:11:28 labutm01 ulogd[14741]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60003" outitf="eth1" srcmac="0:50:56:88:15:54" srcip="204.79.197.200" dstip="192.168.1.3" proto="6" length="40" tos="0x00" prec="0x00" ttl="64" srcport="443" dstport="52293" tcpflags="RST" 
    2014:09:11-14:11:28 labutm01 ulogd[14741]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60003" outitf="eth1" srcmac="0:50:56:88:15:54" srcip="204.79.197.200" dstip="192.168.1.3" proto="6" length="40" tos="0x00" prec="0x00" ttl="64" srcport="443" dstport="52293" tcpflags="RST" 
    2014:09:11-14:11:30 labutm01 ulogd[14741]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60003" outitf="eth1" srcmac="0:50:56:88:15:54" srcip="204.79.197.200" dstip="192.168.1.3" proto="6" length="40" tos="0x00" prec="0x00" ttl="64" srcport="443" dstport="52293" tcpflags="RST" 
    2014:09:11-14:11:31 labutm01 ulogd[14741]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60003" outitf="eth1" srcmac="0:50:56:88:15:54" srcip="204.79.197.200" dstip="192.168.1.3" proto="6" length="40" tos="0x00" prec="0x00" ttl="64" srcport="443" dstport="52293" tcpflags="RST" 
    2014:09:11-14:11:33 labutm01 ulogd[14741]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60003" outitf="eth1" srcmac="0:50:56:88:15:54" srcip="204.79.197.200" dstip="192.168.1.3" proto="6" length="40" tos="0x00" prec="0x00" ttl="64" srcport="443" dstport="52293" tcpflags="RST" 
    2014:09:11-14:11:38 labutm01 ulogd[14741]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60003" outitf="eth1" srcmac="0:50:56:88:15:54" srcip="204.79.197.200" dstip="192.168.1.3" proto="6" length="40" tos="0x00" prec="0x00" ttl="64" srcport="443" dstport="52293" tcpflags="RST" 
  • Hi, if you are not having trouble browsing, then they are just from sessions that the browser or the firewall considers to be expired.

    You should be able to create a rule to drop them without logging, put it BELOW your other rules.

    Barry
  • Browsing is fine, just don't want those hits filling up the logs

    Per my screenshot I have the rules in place below the other rules but they still seem to hit the default drop
  • So I did the opposite and enabled logging on those drop rules and saw entries in the live log, though some were still getting through on the default drop.

    I noticed that those getting through have srcmac=0:50:56:88:15:54 on the end which is the MAC address of my External (WAN) interface.

    I don't quite understand the logic, can someone explain? Networking has never been my forte.
  • Hi,

    1. MAC addresses are always local or within 1 hop (ISP router's MAC); ignore them.

    2. Try a rule (AT THE BOTTOM) like:
    source: Internet
    service: (make a new service) - TCP source port 80, DST port 1024:65535
    dest: Internal Network
    DROP, no log

    Barry
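The two suggestions above (Bob's "HTTP Response" service {80->1:65535} and Barry's bottom rule: TCP source port 80, destination port 1024:65535, drop without logging) both describe the same packet shape. The following added example, not code from the thread or from Sophos, parses UTM ulogd packetfilter lines and tags each drop as late-session noise matching that shape or as something worth reviewing, so the filter can be checked against a log before a rule is written. It extends the rule to source port 443 as well, since the later posts show the same drops on 443. The sample lines are constructed: the first two copy the thread's format, the third is a made-up inbound SYN so the filter has a real drop to keep.

```python
import re
from typing import Dict, List

# Constructed sample log (the third line is fabricated, documentation address 203.0.113.7).
SAMPLE_LOG = """\
2014:09:09-17:06:27 labutm01 ulogd[4886]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60003" outitf="eth1" srcmac="0:50:56:88:15:54" srcip="23.23.250.228" dstip="192.168.42.11" proto="6" length="40" tos="0x00" prec="0x00" ttl="64" srcport="80" dstport="57252" tcpflags="RST"
2014:09:09-17:20:32 labutm01 ulogd[4886]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60003" outitf="eth1" srcmac="0:50:56:88:15:54" srcip="199.59.149.201" dstip="192.168.42.11" proto="6" length="40" tos="0x00" prec="0x00" ttl="64" srcport="443" dstport="57600" tcpflags="ACK FIN"
2014:09:09-17:21:05 labutm01 ulogd[4886]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60003" initf="eth0" srcip="203.0.113.7" dstip="192.168.1.8" proto="6" length="60" tos="0x00" prec="0x00" ttl="52" srcport="41234" dstport="22" tcpflags="SYN"
"""

HEADER = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) (?P<prog>\S+): (?P<rest>.*)$")
KV = re.compile(r'(\w+)="([^"]*)"')
STALE_SRC_PORTS = {80, 443}               # replies from web servers, as in the thread
SESSION_TEARDOWN = {"RST", "FIN", "ACK"}  # flag sets that only close a session


def parse_ulogd_line(line: str) -> Dict[str, str]:
    """Split one ulogd packetfilter line into its key="value" fields."""
    m = HEADER.match(line.strip())
    if not m:
        raise ValueError(f"not a ulogd line: {line!r}")
    rec = {"ts": m.group("ts"), "host": m.group("host")}
    rec.update(KV.findall(m.group("rest")))
    return rec


def is_stale_web_teardown(rec: Dict[str, str]) -> bool:
    """True when a dropped packet is a late RST/FIN from a web server to a
    client's ephemeral port: TCP, source port 80/443, dst port 1024-65535,
    and only teardown flags set (SYN/PSH would mean new or live data)."""
    if rec.get("proto") != "6" or rec.get("action") != "drop":
        return False
    flags = set(rec.get("tcpflags", "").split())
    if not flags or not flags <= SESSION_TEARDOWN:
        return False
    return (int(rec.get("srcport", 0)) in STALE_SRC_PORTS
            and 1024 <= int(rec.get("dstport", 0)) <= 65535)


def triage(log_text: str) -> List[Dict[str, str]]:
    """Tag every drop as 'noise' (safe to stop logging) or 'review'."""
    out = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_ulogd_line(line)
        rec["verdict"] = "noise" if is_stale_web_teardown(rec) else "review"
        out.append(rec)
    return out


if __name__ == "__main__":
    for r in triage(SAMPLE_LOG):
        print(r["verdict"], r["srcip"], r["srcport"], "->", r["dstport"], r["tcpflags"])
```

Run it over a copy of the live log; anything tagged "review" is what the unlogged drop rule must not hide, and a "noise" entry that still shows up under the default drop rule (as the srcmac lines later in the thread do) is a sign the rule is not matching that packet.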
  • Hi there,

    I have those rules in place already, at the bottom; however, I'm still seeing default drops with source port 80 and/or 443. The difference with those is that they have the srcmac included in the live log.

    Ah well