
IVIEW / UTM / RULE 60002

I'm trying iView on my UTM.

So I check the results, and see that dashboard:

What is this rule 60002?

I looked for it, and didn't understand exactly what it is.

Could this kind of "rule", or the blocked traffic, reduce my network reactivity?

  • Logmark Table

    Logmark Value   Iptables Chain                         Description                                      Target
    60001           filter:INPUT                           Input Default Drop                               LOGDROP
    60002           filter:FORWARD                         Forward Default Drop                             LOGDROP
    60003           filter:OUTPUT                          Output Default Drop                              LOGDROP
    60004           filter:AUTO_INPUT                      Forbidden SSH connects                           LOGDROP
    60005           filter:AUTO_INPUT                      Forbidden WebAdmin connects                      LOGDROP
    60006           filter:AUTO_INPUT                      Allowed WebAdmin connects (if logging enabled)   LOGACCEPT
    60007           filter:INVALID_PKT                     Drop invalid packets                             LOGDROP
    60008           filter:SPOOF_DROP                      Drop spoofed packets                             LOGDROP
    60009           filter:STRICT_TCP_STATE                Drop packets with suspicious tcp state           LOGDROP
    60010           mangle:PREROUTING                      Log FTP data connections                         LOG
    60011           mangle:PREROUTING                      Log DNS requests                                 LOG
    60012           raw:PREROUTING                         Drop SYN_FLOOD attempts                          LOG and DROP
    60013           raw:PREROUTING                         Drop UDP_FLOOD attempts                          LOG and DROP
    60014           raw:PREROUTING                         Drop ICMP_FLOOD attempts                         LOG and DROP
    60015           mangle:PREROUTING                      ICMP invalid pkt                                 LOG and DROP
    60016           mangle:PREROUTING                      ICMP Redirect                                    LOG
    60017           filter:PSD_ACTION                      Portscan detected                                LOGDROP/LOGACCEPT
    60018           mangle:FORWARD                         SIP call                                         LOG
    60019           mangle:SANITYCHECK                     License Usage Exceeded (Active IPs)              LOG and DROP
    60020           mangle:FORWARD                         H323 call                                        LOG
    60021           nat:USR_PRE, USR_POST or USR_OUTPUT    Connection using NAT                             LOG
    60100...60199   ips:AFC_IM_$protocol                   AFC Instant Messaging protocol                   LOG
    60200...60299   ips:AFC_P2P_$protocol                  AFC Peer-to-Peer/Filesharing protocol            LOG
    60300...60399   ips:AFC_IPTV_$protocol                 AFC Internet TV protocol                         LOG
  • You will see default drops during session shutdown. UTM's connection tracker closes its state tracker when it sees a disconnect request from either direction. When the finish confirmation comes from the other end, it is blocked. TCPFlags on those records will have FIN or RST. These situations should be ignored.

  • What Douglas says is that you will also see RST and FIN packets hit the default drop rules. I personally filter those out with a 'grep -Pv "RST|FIN"' while tailing through the raw packet filter logs on the firewalls themselves.

    It would be nice to see an option to disable these kinds of log messages based on their TCP flags. But being able to create an any rule dropping only for flags RST and FIN would also suffice, as one could make that the last/bottom rule without logging.
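As an added illustration of the triage described in the two replies above (not code from the thread or from the UTM itself), the script below separates session-teardown noise (records whose TCP flags carry FIN or RST) from the default-drop records worth looking at, and maps the remaining logmarks to the table's descriptions. The key="value" log layout and the sample lines are constructed assumptions, not copied from a real packet filter log.

```python
import re

# Subset of the thread's logmark table: the records a default-drop triage cares about.
LOGMARKS = {
    60001: "Input Default Drop",
    60002: "Forward Default Drop",
    60003: "Output Default Drop",
    60007: "Drop invalid packets",
    60008: "Drop spoofed packets",
    60009: "Drop packets with suspicious tcp state",
    60017: "Portscan detected",
}

# Constructed sample lines; the key="value" layout is an assumption for this example.
SAMPLE_LOG = """\
2024:01:15-10:00:01 fw packetfilter: action="drop" fwrule="60002" srcip="10.0.1.5" dstip="93.184.216.34" proto="6" srcport="51234" dstport="443" tcpflags="FIN ACK"
2024:01:15-10:00:02 fw packetfilter: action="drop" fwrule="60002" srcip="10.0.1.5" dstip="93.184.216.34" proto="6" srcport="51235" dstport="443" tcpflags="RST"
2024:01:15-10:00:03 fw packetfilter: action="drop" fwrule="60002" srcip="10.0.1.7" dstip="10.0.2.9" proto="6" srcport="40000" dstport="445" tcpflags="SYN"
2024:01:15-10:00:04 fw packetfilter: action="drop" fwrule="60001" srcip="203.0.113.8" dstip="198.51.100.1" proto="6" srcport="55555" dstport="22" tcpflags="SYN"
2024:01:15-10:00:05 fw packetfilter: action="drop" fwrule="60002" srcip="10.0.1.7" dstip="10.0.2.9" proto="17" srcport="5353" dstport="5353"
"""

KV = re.compile(r'(\w+)="([^"]*)"')
TEARDOWN_FLAGS = {"FIN", "RST"}

def parse(line):
    """Turn one key="value" log line into a dict (empty dict if no pairs found)."""
    return dict(KV.findall(line))

def is_session_teardown(rec):
    """True for the connection-close noise the replies say to ignore (FIN or RST set)."""
    flags = set(rec.get("tcpflags", "").split())
    return bool(flags & TEARDOWN_FLAGS)

def describe(rec):
    """Map the fwrule logmark to the table's description; unknown marks are shown raw."""
    mark = int(rec.get("fwrule", "0"))
    return LOGMARKS.get(mark, f"logmark {mark}")

def triage(text):
    """Split log text into (kept, ignored) record lists; FIN/RST records are ignored."""
    kept, ignored = [], []
    for rec in (parse(line) for line in text.splitlines()):
        if rec:
            (ignored if is_session_teardown(rec) else kept).append(rec)
    return kept, ignored

def summarize(records):
    """Count kept records per (description, destination port) for a quick overview."""
    counts = {}
    for rec in records:
        key = (describe(rec), rec.get("dstport", "-"))
        counts[key] = counts.get(key, 0) + 1
    return counts
```

The SYN and UDP records survive the filter; the two teardown records (FIN ACK, RST) are the ones the replies say can be disregarded.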