
Lots of default drops in firewall log

I think any update would cause this.

2023:02:19-00:31:55 utm ulogd[22524]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="47" initf="eth2" mark="0x21bd" app="445" srcmac="00:16:4d:d1:96:c4" dstmac="c0:a0:0d:77:0b:b1" srcip="162.220.167.38" dstip="107.192.142.41" proto="17" length="497" tos="0x00" prec="0x00" ttl="117" srcport="7146" dstport="5102" 
2023:02:19-00:32:58 utm ulogd[22524]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60003" outitf="eth0.4" srcmac="96:6b:3b:ef:56:2c" srcip="3.221.217.21" dstip="10.10.4.154" proto="6" length="40" tos="0x00" prec="0x00" ttl="64" srcport="80" dstport="36662" tcpflags="RST" 

Then I found this thread through a Google search - Lots of default drops in firewall log

iptable.filter
https://pastebin.com/dijEaPHt

ip6table.filter
https://pastebin.com/5nB7ndQ3

These go into /var/mdw/etc/iptables. Adjust the interface to reflect your wan interface.

Be sure to remove the first line of each as it identifies the file name and location. User:group is root:root, permission 644.

Reboot to complete.
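
Added example (not part of the original post and not Sophos tooling): a small Python parser for packetfilter lines in the key="value" format shown above. It tallies drops per fwrule, interface, protocol and destination port, so you can see which rule IDs account for the volume. The two sample lines are copied from the post; the function names are hypothetical.

```python
import re
from collections import Counter

# The two log lines from the post, verbatim.
SAMPLE = [
    '2023:02:19-00:31:55 utm ulogd[22524]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="47" initf="eth2" mark="0x21bd" app="445" srcmac="00:16:4d:d1:96:c4" dstmac="c0:a0:0d:77:0b:b1" srcip="162.220.167.38" dstip="107.192.142.41" proto="17" length="497" tos="0x00" prec="0x00" ttl="117" srcport="7146" dstport="5102" ',
    '2023:02:19-00:32:58 utm ulogd[22524]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60003" outitf="eth0.4" srcmac="96:6b:3b:ef:56:2c" srcip="3.221.217.21" dstip="10.10.4.154" proto="6" length="40" tos="0x00" prec="0x00" ttl="64" srcport="80" dstport="36662" tcpflags="RST" ',
]

HEADER = re.compile(r'^(?P<ts>\S+) (?P<host>\S+) ulogd\[\d+\]: (?P<body>.*)$')
FIELD = re.compile(r'(\w+)="([^"]*)"')
PROTO = {"1": "icmp", "6": "tcp", "17": "udp"}  # IANA protocol numbers


def parse_line(line):
    """Return a dict of fields for a packetfilter line, or None if it is not one."""
    m = HEADER.match(line.strip())
    if not m:
        return None
    rec = dict(FIELD.findall(m.group("body")))
    if rec.get("sub") != "packetfilter":
        return None
    rec["ts"], rec["host"] = m.group("ts"), m.group("host")
    # A line carries initf (inbound) or outitf (outbound); keep whichever is present.
    rec["itf"] = rec.get("initf") or rec.get("outitf") or "?"
    rec["proto_name"] = PROTO.get(rec.get("proto"), rec.get("proto", "?"))
    return rec


def summarize(lines):
    """Count drops per (fwrule, interface, protocol, destination port)."""
    counts = Counter()
    for line in lines:
        rec = parse_line(line)
        if rec and rec.get("action") == "drop":
            key = (rec.get("fwrule", "?"), rec["itf"],
                   rec["proto_name"], rec.get("dstport", "-"))
            counts[key] += 1
    return counts


if __name__ == "__main__":
    for (rule, itf, proto, dport), n in summarize(SAMPLE).most_common():
        print(f"fwrule={rule:<6} itf={itf:<7} {proto}/{dport:<6} drops={n}")
```

Feed it the lines of a saved packetfilter log instead of `SAMPLE` to get the same breakdown for a whole day.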


  • I was trying to help my friend re-establish our site-to-site and, as usual, he would allow webadmin to be temp accessed from the outside so I could paste my RSA key in, establish the link, and then close off access.

    That doesn't even work anymore.  We've done this several times and now it magically doesn't work.

    My personal conspiracy theory/opinion:  Sabotage a product to get users to move on.

    OPNSense 64-bit | Intel Xeon 4-core v3 1225 3.20Ghz
    16GB Memory | 500GB SSD HDD | ATT Fiber 1GB
    (Former Sophos UTM Veteran, Former XG Rookie)

  • I noticed on 9.714, having a logged fw rule to block inbound ssh traffic wasn't generating log entries specific to that rule, rather default ssh drops.  I can't remember if that's always been the case?