
inbound 443 & 80 connections

Hi, I have set up a UTM, all working fine outgoing for internet, but started getting lots of [RST] connections which are inbound on ports 80 & 443.  I understand this to be normal, and that they are dropped connections.  My question is how can I create a rule to stop them logging, as they are just flooding the log !!!!

We are using a SG135 on firmware 9.504-1

 

Any advice??

15:56:18 Default DROP TCP 52.94.217.61 : 443 10.1.3.208 : 33577 [RST] len=40 ttl=64 tos=0x00 srcmac=00:1a:8c:4c:0f:7c
15:56:22 Default DROP TCP 18.194.108.186 : 443 10.1.3.169 : 57663 [RST] len=40 ttl=64 tos=0x00 srcmac=00:1a:8c:4c:0f:7c


  • There's no way to selectively filter out RST packets, but you can filter out all HTTP/S responses not automatically accepted by conntrack by dropping them with a firewall rule.  Since you only showed lines from the Live Log, I can't give any more precise advice.

    Alone among the logs, the Firewall Live Log presents abbreviated information in a format easier to read quickly.  Usually, you can't troubleshoot without looking at the corresponding line from the full Firewall log file.

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • Thanks Bob, will this help?

    2017:10:23-00:01:04 gw2 ulogd[4789]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60003" outitf="eth4" srcmac="00:1a:8c:4c:0f:7c" srcip="216.58.198.164" dstip="10.1.3.151" proto="6" length="40" tos="0x00" prec="0x00" ttl="64" srcport="80" dstport="60538" tcpflags="RST"
    2017:10:23-00:01:07 gw2 ulogd[4789]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60003" outitf="eth4" srcmac="00:1a:8c:4c:0f:7c" srcip="216.58.198.164" dstip="10.1.3.151" proto="6" length="40" tos="0x00" prec="0x00" ttl="64" srcport="80" dstport="60538" tcpflags="RST"

  • That's strange.  Usually, we see fwrule="60001" (drop out of the INPUT chain to an IP on an external interface).  This is a drop out of the OUTPUT chain to an internal IP.  Are you sure you don't have an Ethernet problem between the UTM and the device at 10.1.3.151?  Maybe an issue with that device?

    To just get rid of these drops, add a Service definition "HTTPS Response"="443->1:65536" and a firewall rule at the bottom of the list like 'Internet -> HTTPS Response -> {10.1.3.151} : Drop'.

    Cheers - Bob

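To size up what is actually flooding the log before adding a drop rule, here is an added example (not from this thread or from Sophos) that parses ulogd packetfilter lines in the format Lee posted and tallies drops by fwrule and tcpflags, using Bob's explanation of 60001 versus 60003. The first three sample lines are the ones quoted in the thread; the fourth, with its RFC 5737 addresses, is constructed.

```python
import re
from collections import Counter, defaultdict

# Log lines quoted in this thread (first three) plus one constructed
# fwrule="60001" line on RFC 5737 test addresses, so both rule ids appear.
SAMPLE_LOG = """\
2017:10:23-00:01:04 gw2 ulogd[4789]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60003" outitf="eth4" srcmac="00:1a:8c:4c:0f:7c" srcip="216.58.198.164" dstip="10.1.3.151" proto="6" length="40" tos="0x00" prec="0x00" ttl="64" srcport="80" dstport="60538" tcpflags="RST"
2017:10:23-00:01:07 gw2 ulogd[4789]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60003" outitf="eth4" srcmac="00:1a:8c:4c:0f:7c" srcip="216.58.198.164" dstip="10.1.3.151" proto="6" length="40" tos="0x00" prec="0x00" ttl="64" srcport="80" dstport="60538" tcpflags="RST"
2017:10:27-15:24:26 gw2 ulogd[32740]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60003" outitf="eth4" srcmac="00:1a:8c:4c:0f:7c" srcip="157.240.1.52" dstip="10.1.3.97" proto="6" length="40" tos="0x00" prec="0x00" ttl="64" srcport="443" dstport="57864" tcpflags="RST"
2017:10:27-15:30:00 gw2 ulogd[32740]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60001" initf="eth1" srcmac="00:00:00:00:00:01" srcip="203.0.113.5" dstip="198.51.100.7" proto="6" length="40" tos="0x00" prec="0x00" ttl="64" srcport="443" dstport="12345" tcpflags="SYN"
"""

KV_RE = re.compile(r'(\w+)="([^"]*)"')
HEAD_RE = re.compile(r'^(?P<ts>\S+) (?P<host>\S+) (?P<proc>\S+): ')

# What the two default-drop rule ids mean, as Bob explains in this thread.
FWRULE_MEANING = {
    "60001": "INPUT chain default drop (packet to the UTM's external IP)",
    "60003": "OUTPUT chain default drop (packet to an internal IP)",
}

def parse_line(line):
    """Turn one ulogd packetfilter line into a dict; None if it is not one."""
    head = HEAD_RE.match(line)
    if not head:
        return None
    rec = head.groupdict()
    rec.update(KV_RE.findall(line))  # the key="value" fields after the prefix
    return rec if rec.get("sub") == "packetfilter" else None

def summarize(text):
    """Count drops per (fwrule, tcpflags) and list internal hosts that receive
    dropped RSTs from web ports, which is the noise described in this thread."""
    counts = Counter()
    rst_targets = defaultdict(set)  # dstip -> remote web ports seen
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        rule, flags = rec.get("fwrule", ""), rec.get("tcpflags", "")
        counts[(rule, flags)] += 1
        if rule == "60003" and flags == "RST" and rec.get("srcport") in ("80", "443"):
            rst_targets[rec["dstip"]].add(rec["srcport"])
    return counts, dict(rst_targets)

if __name__ == "__main__":
    counts, targets = summarize(SAMPLE_LOG)
    for (rule, flags), n in counts.items():
        print(f"{n} x fwrule={rule} {flags}: {FWRULE_MEANING.get(rule, 'other rule')}")
    print("internal hosts receiving dropped web RSTs:", targets)
```

Run it over the full Firewall log file rather than the Live Log, since that is where the fwrule field appears; the per-host set of ports tells you which hosts a "HTTPS Response" drop rule would need to cover.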
  • No, it happens to multiple devices on the 10.1.3 range. I am not getting any reports of issues when browsing though !!

    Lee

  • Tried to create the rule to drop and stop logging, but it doesn't seem to work.

    Lee

  • I'd have thought that that would work, Lee.  Are you still seeing "60003" default drops?

    Cheers - Bob

  • Yes Bob, getting a bit frustrating now !!!

    2017:10:27-15:24:26 gw2 ulogd[32740]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60003" outitf="eth4" srcmac="00:1a:8c:4c:0f:7c" srcip="157.240.1.52" dstip="10.1.3.97" proto="6" length="40" tos="0x00" prec="0x00" ttl="64" srcport="443" dstport="57864" tcpflags="RST"