This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Firewall log full of default drops when web browsing

Hi there,

Running a vanilla install of utm v9.205-12 as a VM running on VMware with two NICs attached. It's sitting behind an internet router running tomato USB.

On UTM The "External (WAN)" interface is 192.168.1.8 and default gateway 192.168.1.1 (tomato usb router)

The Internal interface is 192.168.42.1

All VM's running on vmware use 192.168.42.1 as their default gateway. On one of my VM's when I browse to say Gameplanet Forums - New Zealand's video game community after awhile I get flooded with default drops with source port 80 and random dst ports.

2014:09:09-17:06:27 labutm01 ulogd[4886]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60003" outitf="eth1" srcmac="0:50:56:88:15:54" srcip="23.23.250.228" dstip="192.168.42.11" proto="6" length="40" tos="0x00" prec="0x00" ttl="64" srcport="80" dstport="57252" tcpflags="RST" 
2014:09:09-17:06:27 labutm01 ulogd[4886]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60003" outitf="eth1" srcmac="0:50:56:88:15:54" srcip="54.252.165.43" dstip="192.168.42.11" proto="6" length="40" tos="0x00" prec="0x00" ttl="64" srcport="80" dstport="57230" tcpflags="RST" 
2014:09:09-17:06:27 labutm01 ulogd[4886]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60003" outitf="eth1" srcmac="0:50:56:88:15:54" srcip="68.232.44.121" dstip="192.168.42.11" proto="6" length="40" tos="0x00" prec="0x00" ttl="64" srcport="80" dstport="57222" tcpflags="RST" 
2014:09:09-17:06:27 labutm01 ulogd[4886]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60003" outitf="eth1" srcmac="0:50:56:88:15:54" srcip="176.32.102.89" dstip="192.168.42.11" proto="6" length="40" tos="0x00" prec="0x00" ttl="64" srcport="80" dstport="57241" tcpflags="RST" 
2014:09:09-17:06:27 labutm01 ulogd[4886]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60003" outitf="eth1" srcmac="0:50:56:88:15:54" srcip="68.232.44.121" dstip="192.168.42.11" proto="6" length="40" tos="0x00" prec="0x00" ttl="64" srcport="80" dstport="57224" tcpflags="RST" 
2014:09:09-17:06:27 labutm01 ulogd[4886]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60003" outitf="eth1" srcmac="0:50:56:88:15:54" srcip="68.232.44.121" dstip="192.168.42.11" proto="6" length="40" tos="0x00" prec="0x00" ttl="64" srcport="80" dstport="57227" tcpflags="RST" 
2014:09:09-17:06:27 labutm01 ulogd[4886]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60003" outitf="eth1" srcmac="0:50:56:88:15:54" srcip="176.32.102.89" dstip="192.168.42.11" proto="6" length="40" tos="0x00" prec="0x00" ttl="64" srcport="80" dstport="57245" tcpflags="RST" 
2014:09:09-17:06:27 labutm01 ulogd[4886]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60003" outitf="eth1" srcmac="0:50:56:88:15:54" srcip="68.232.44.121" dstip="192.168.42.11" proto="6" length="40" tos="0x00" prec="0x00" ttl="64" srcport="80" dstport="57228" tcpflags="RST" 
2014:09:09-17:06:27 labutm01 ulogd[4886]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60003" outitf="eth1" srcmac="0:50:56:88:15:54" srcip="176.32.102.89" dstip="192.168.42.11" proto="6" length="40" tos="0x00" prec="0x00" ttl="64" srcport="80" dstport="57242" tcpflags="RST" 
2014:09:09-17:06:27 labutm01 ulogd[4886]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60003" outitf="eth1" srcmac="0:50:56:88:15:54" srcip="68.232.44.121" dstip="192.168.42.11" proto="6" length="40" tos="0x00" prec="0x00" ttl="64" srcport="80" dstport="57225" tcpflags="RST" 
2014:09:09-17:06:27 labutm01 ulogd[4886]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60003" outitf="eth1" srcmac="0:50:56:88:15:54" srcip="68.232.44.121" dstip="192.168.42.11" proto="6" length="40" tos="0x00" prec="0x00" ttl="64" srcport="80" dstport="57223" tcpflags="RST" 
2014:09:09-17:06:27 labutm01 ulogd[4886]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60003" outitf="eth1" srcmac="0:50:56:88:15:54" srcip="74.125.204.95" dstip="192.168.42.11" proto="6" length="40" tos="0x00" prec="0x00" ttl="64" srcport="80" dstport="57226" tcpflags="RST" 
2014:09:09-17:06:27 labutm01 ulogd[4886]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60003" outitf="eth1" srcmac="0:50:56:88:15:54" srcip="117.18.237.139" dstip="192.168.42.11" proto="6" length="40" tos="0x00" prec="0x00" ttl="64" srcport="80" dstport="57240" tcpflags="RST" 
2014:09:09-17:06:27 labutm01 ulogd[4886]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60003" outitf="eth1" srcmac="0:50:56:88:15:54" srcip="184.84.63.139" dstip="192.168.42.11" proto="6" length="40" tos="0x00" prec="0x00" ttl="64" srcport="80" dstport="57239" tcpflags="RST" 
2014:09:09-17:06:27 labutm01 ulogd[4886]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60003" outitf="eth1" srcmac="0:50:56:88:15:54" srcip="54.252.165.43" dstip="192.168.42.11" proto="6" length="40" tos="0x00" prec="0x00" ttl="64" srcport="80" dstport="57229" tcpflags="RST" 
2014:09:09-17:06:27 labutm01 ulogd[4886]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60003" outitf="eth1" srcmac="0:50:56:88:15:54" srcip="202.124.127.46" dstip="192.168.42.11" proto="6" length="40" tos="0x00" prec="0x00" ttl="64" srcport="80" dstport="57236" tcpflags="RST" 
2014:09:09-17:06:27 labutm01 ulogd[4886]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60003" outitf="eth1" srcmac="0:50:56:88:15:54" srcip="202.124.127.46" dstip="192.168.42.11" proto="6" length="40" tos="0x00" prec="0x00" ttl="64" srcport="80" dstport="57235" tcpflags="RST"


I understand that these are red herrings but how do I stop them from being logged as it makes it difficult trawling through to find legitimate traffic that's being blocked

Disabing web filtering and the drops change to ACK FIN

2014:09:09-17:20:32 labutm01 ulogd[4886]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60003" outitf="eth1" srcmac="0:50:56:88:15:54" srcip="199.59.149.201" dstip="192.168.42.11" proto="6" length="40" tos="0x00" prec="0x00" ttl="64" srcport="443" dstport="57600" tcpflags="ACK FIN" 
2014:09:09-17:20:32 labutm01 ulogd[4886]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60003" outitf="eth1" srcmac="0:50:56:88:15:54" srcip="202.124.127.46" dstip="192.168.42.11" proto="6" length="40" tos="0x00" prec="0x00" ttl="64" srcport="80" dstport="57593" tcpflags="ACK FIN" 
2014:09:09-17:20:32 labutm01 ulogd[4886]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60003" outitf="eth1" srcmac="0:50:56:88:15:54" srcip="202.124.127.46" dstip="192.168.42.11" proto="6" length="40" tos="0x00" prec="0x00" ttl="64" srcport="80" dstport="57594" tcpflags="ACK FIN" 
2014:09:09-17:20:32 labutm01 ulogd[4886]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60003" outitf="eth1" srcmac="0:50:56:88:15:54" srcip="202.124.127.46" dstip="192.168.42.11" proto="6" length="40" tos="0x00" prec="0x00" ttl="64" srcport="80" dstport="57595" tcpflags="ACK FIN" 
2014:09:09-17:20:32 labutm01 ulogd[4886]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60003" outitf="eth1" srcmac="0:50:56:88:15:54" srcip="31.13.82.32" dstip="192.168.42.11" proto="6" length="40" tos="0x00" prec="0x00" ttl="64" srcport="80" dstport="57610" tcpflags="ACK FIN" 
2014:09:09-17:20:32 labutm01 ulogd[4886]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60003" outitf="eth1" srcmac="0:50:56:88:15:54" srcip="176.32.102.89" dstip="192.168.42.11" proto="6" length="40" tos="0x00" prec="0x00" ttl="64" srcport="80" dstport="57602" tcpflags="ACK FIN" 
2014:09:09-17:20:32 labutm01 ulogd[4886]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60003" outitf="eth1" srcmac="0:50:56:88:15:54" srcip="23.23.250.228" dstip="192.168.42.11" proto="6" length="40" tos="0x00" prec="0x00" ttl="64" srcport="80" dstport="57606" tcpflags="ACK FIN" 
2014:09:09-17:20:32 labutm01 ulogd[4886]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60003" outitf="eth1" srcmac="0:50:56:88:15:54" srcip="176.32.102.89" dstip="192.168.42.11" proto="6" length="40" tos="0x00" prec="0x00" ttl="64" srcport="80" dstport="57598" tcpflags="ACK FIN" 
2014:09:09-17:20:32 labutm01 ulogd[4886]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60003" outitf="eth1" srcmac="0:50:56:88:15:54" srcip="176.32.102.89" dstip="192.168.42.11" proto="6" length="40" tos="0x00" prec="0x00" ttl="64" srcport="80" dstport="57599" tcpflags="ACK FIN" 
2014:09:09-17:20:33 labutm01 ulogd[4886]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60003" outitf="eth1" srcmac="0:50:56:88:15:54" srcip="23.23.250.228" dstip="192.168.42.11" proto="6" length="40" tos="0x00" prec="0x00" ttl="64" srcport="80" dstport="57607" tcpflags="ACK FIN" 


This is a fresh install, only FW rule I added was to allow 192.168.1.0/24 access the webadmin interface on 192.168.1.8





This thread was automatically locked due to age.
Parents
  • Hi there,

    Thanks for making me feel welcome. Have spent considerable time lurking on the forums checking out various threads.

    I've since rejigged my setup and configured UTM as the default gateway rather than having a router in between UTM and my vdsl2 modem

    I had tried that, albeit called reverse http and https (from another thread I found on here) but the drops still come in as default drops. I've since reimplemented those rules and so far I haven't seen the drops - weird.

    I'll keep an eye and report back
Reply
  • Hi there,

    Thanks for making me feel welcome. Have spent considerable time lurking on the forums checking out various threads.

    I've since rejigged my setup and configured UTM as the default gateway rather than having a router in between UTM and my vdsl2 modem

    I had tried that, albeit called reverse http and https (from another thread I found on here) but the drops still come in as default drops. I've since reimplemented those rules and so far I haven't seen the drops - weird.

    I'll keep an eye and report back
Children
No Data