My firewall log very much resembles that in the first post of this thread - https://community.sophos.com/utm-firewall/f/management-networking-logging-and-reporting/34526/firewall-log-full-of-default-drops-when-web-browsing#
Also reference this kb article - https://support.sophos.com/support/s/article/KB-000034235?language=en_US
I've read through both entirely but am confused on the solution.
Near the bottom Chris Hill points out these two lines to add to the iptable.filter
-A OUTPUT ! -o eth2 -p tcp --tcp-flags SYN,ACK,FIN ACK,FIN -j ACCEPT
-A OUTPUT ! -o eth2 -p tcp --tcp-flags SYN,RST RST -j ACCEPT
My confusion lies in why these are ACCEPTed and not DROPped? As documented in this post - https://community.sophos.com/utm-firewall/f/management-networking-logging-and-reporting/34526/firewall-log-full-of-default-drops-when-web-browsing/349259#349259 , the ! indicates this rule is valid for all non wan-interfaces. A sample log entry looks like this on my end.
2022:05:01-17:42:50 utm ulogd[26004]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60003" outitf="eth0.5" srcmac="96:6b:3b:12:34:56" srcip="142.250.64.228" dstip="10.10.5.110" proto="6" length="40" tos="0x00" prec="0x00" ttl="64" srcport="443" dstport="43298" tcpflags="RST"
Log entry shows a source ip from the INTERNET but the source mac is from the LAN interface (vlan5 technically). How both be true? Or is this a good example of an invalid packet?
Given the packet identity (RST flag and on eth0.5), this satisfies the second rule above but the ACCEPT question still remains. Indeed this does work as the firewall log no longer contains a ton of these entries.
BAlfsonMaybe can shed some light on this? The KB article suggests this packet is coming from the internet.... But is it?
<<daze and confused>>
This thread was automatically locked due to age.