This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Firewall log full of default drops when web browsing

Hi there,

Running a vanilla install of utm v9.205-12 as a VM running on VMware with two NICs attached. It's sitting behind an internet router running tomato USB.

On UTM The "External (WAN)" interface is 192.168.1.8 and default gateway 192.168.1.1 (tomato usb router)

The Internal interface is 192.168.42.1

All VM's running on vmware use 192.168.42.1 as their default gateway. On one of my VM's when I browse to say Gameplanet Forums - New Zealand's video game community after awhile I get flooded with default drops with source port 80 and random dst ports.

2014:09:09-17:06:27 labutm01 ulogd[4886]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60003" outitf="eth1" srcmac="0:50:56:88:15:54" srcip="23.23.250.228" dstip="192.168.42.11" proto="6" length="40" tos="0x00" prec="0x00" ttl="64" srcport="80" dstport="57252" tcpflags="RST" 
2014:09:09-17:06:27 labutm01 ulogd[4886]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60003" outitf="eth1" srcmac="0:50:56:88:15:54" srcip="54.252.165.43" dstip="192.168.42.11" proto="6" length="40" tos="0x00" prec="0x00" ttl="64" srcport="80" dstport="57230" tcpflags="RST" 
2014:09:09-17:06:27 labutm01 ulogd[4886]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60003" outitf="eth1" srcmac="0:50:56:88:15:54" srcip="68.232.44.121" dstip="192.168.42.11" proto="6" length="40" tos="0x00" prec="0x00" ttl="64" srcport="80" dstport="57222" tcpflags="RST" 
2014:09:09-17:06:27 labutm01 ulogd[4886]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60003" outitf="eth1" srcmac="0:50:56:88:15:54" srcip="176.32.102.89" dstip="192.168.42.11" proto="6" length="40" tos="0x00" prec="0x00" ttl="64" srcport="80" dstport="57241" tcpflags="RST" 
2014:09:09-17:06:27 labutm01 ulogd[4886]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60003" outitf="eth1" srcmac="0:50:56:88:15:54" srcip="68.232.44.121" dstip="192.168.42.11" proto="6" length="40" tos="0x00" prec="0x00" ttl="64" srcport="80" dstport="57224" tcpflags="RST" 
2014:09:09-17:06:27 labutm01 ulogd[4886]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60003" outitf="eth1" srcmac="0:50:56:88:15:54" srcip="68.232.44.121" dstip="192.168.42.11" proto="6" length="40" tos="0x00" prec="0x00" ttl="64" srcport="80" dstport="57227" tcpflags="RST" 
2014:09:09-17:06:27 labutm01 ulogd[4886]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60003" outitf="eth1" srcmac="0:50:56:88:15:54" srcip="176.32.102.89" dstip="192.168.42.11" proto="6" length="40" tos="0x00" prec="0x00" ttl="64" srcport="80" dstport="57245" tcpflags="RST" 
2014:09:09-17:06:27 labutm01 ulogd[4886]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60003" outitf="eth1" srcmac="0:50:56:88:15:54" srcip="68.232.44.121" dstip="192.168.42.11" proto="6" length="40" tos="0x00" prec="0x00" ttl="64" srcport="80" dstport="57228" tcpflags="RST" 
2014:09:09-17:06:27 labutm01 ulogd[4886]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60003" outitf="eth1" srcmac="0:50:56:88:15:54" srcip="176.32.102.89" dstip="192.168.42.11" proto="6" length="40" tos="0x00" prec="0x00" ttl="64" srcport="80" dstport="57242" tcpflags="RST" 
2014:09:09-17:06:27 labutm01 ulogd[4886]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60003" outitf="eth1" srcmac="0:50:56:88:15:54" srcip="68.232.44.121" dstip="192.168.42.11" proto="6" length="40" tos="0x00" prec="0x00" ttl="64" srcport="80" dstport="57225" tcpflags="RST" 
2014:09:09-17:06:27 labutm01 ulogd[4886]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60003" outitf="eth1" srcmac="0:50:56:88:15:54" srcip="68.232.44.121" dstip="192.168.42.11" proto="6" length="40" tos="0x00" prec="0x00" ttl="64" srcport="80" dstport="57223" tcpflags="RST" 
2014:09:09-17:06:27 labutm01 ulogd[4886]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60003" outitf="eth1" srcmac="0:50:56:88:15:54" srcip="74.125.204.95" dstip="192.168.42.11" proto="6" length="40" tos="0x00" prec="0x00" ttl="64" srcport="80" dstport="57226" tcpflags="RST" 
2014:09:09-17:06:27 labutm01 ulogd[4886]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60003" outitf="eth1" srcmac="0:50:56:88:15:54" srcip="117.18.237.139" dstip="192.168.42.11" proto="6" length="40" tos="0x00" prec="0x00" ttl="64" srcport="80" dstport="57240" tcpflags="RST" 
2014:09:09-17:06:27 labutm01 ulogd[4886]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60003" outitf="eth1" srcmac="0:50:56:88:15:54" srcip="184.84.63.139" dstip="192.168.42.11" proto="6" length="40" tos="0x00" prec="0x00" ttl="64" srcport="80" dstport="57239" tcpflags="RST" 
2014:09:09-17:06:27 labutm01 ulogd[4886]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60003" outitf="eth1" srcmac="0:50:56:88:15:54" srcip="54.252.165.43" dstip="192.168.42.11" proto="6" length="40" tos="0x00" prec="0x00" ttl="64" srcport="80" dstport="57229" tcpflags="RST" 
2014:09:09-17:06:27 labutm01 ulogd[4886]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60003" outitf="eth1" srcmac="0:50:56:88:15:54" srcip="202.124.127.46" dstip="192.168.42.11" proto="6" length="40" tos="0x00" prec="0x00" ttl="64" srcport="80" dstport="57236" tcpflags="RST" 
2014:09:09-17:06:27 labutm01 ulogd[4886]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60003" outitf="eth1" srcmac="0:50:56:88:15:54" srcip="202.124.127.46" dstip="192.168.42.11" proto="6" length="40" tos="0x00" prec="0x00" ttl="64" srcport="80" dstport="57235" tcpflags="RST"


I understand that these are red herrings but how do I stop them from being logged as it makes it difficult trawling through to find legitimate traffic that's being blocked

Disabing web filtering and the drops change to ACK FIN

2014:09:09-17:20:32 labutm01 ulogd[4886]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60003" outitf="eth1" srcmac="0:50:56:88:15:54" srcip="199.59.149.201" dstip="192.168.42.11" proto="6" length="40" tos="0x00" prec="0x00" ttl="64" srcport="443" dstport="57600" tcpflags="ACK FIN" 
2014:09:09-17:20:32 labutm01 ulogd[4886]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60003" outitf="eth1" srcmac="0:50:56:88:15:54" srcip="202.124.127.46" dstip="192.168.42.11" proto="6" length="40" tos="0x00" prec="0x00" ttl="64" srcport="80" dstport="57593" tcpflags="ACK FIN" 
2014:09:09-17:20:32 labutm01 ulogd[4886]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60003" outitf="eth1" srcmac="0:50:56:88:15:54" srcip="202.124.127.46" dstip="192.168.42.11" proto="6" length="40" tos="0x00" prec="0x00" ttl="64" srcport="80" dstport="57594" tcpflags="ACK FIN" 
2014:09:09-17:20:32 labutm01 ulogd[4886]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60003" outitf="eth1" srcmac="0:50:56:88:15:54" srcip="202.124.127.46" dstip="192.168.42.11" proto="6" length="40" tos="0x00" prec="0x00" ttl="64" srcport="80" dstport="57595" tcpflags="ACK FIN" 
2014:09:09-17:20:32 labutm01 ulogd[4886]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60003" outitf="eth1" srcmac="0:50:56:88:15:54" srcip="31.13.82.32" dstip="192.168.42.11" proto="6" length="40" tos="0x00" prec="0x00" ttl="64" srcport="80" dstport="57610" tcpflags="ACK FIN" 
2014:09:09-17:20:32 labutm01 ulogd[4886]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60003" outitf="eth1" srcmac="0:50:56:88:15:54" srcip="176.32.102.89" dstip="192.168.42.11" proto="6" length="40" tos="0x00" prec="0x00" ttl="64" srcport="80" dstport="57602" tcpflags="ACK FIN" 
2014:09:09-17:20:32 labutm01 ulogd[4886]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60003" outitf="eth1" srcmac="0:50:56:88:15:54" srcip="23.23.250.228" dstip="192.168.42.11" proto="6" length="40" tos="0x00" prec="0x00" ttl="64" srcport="80" dstport="57606" tcpflags="ACK FIN" 
2014:09:09-17:20:32 labutm01 ulogd[4886]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60003" outitf="eth1" srcmac="0:50:56:88:15:54" srcip="176.32.102.89" dstip="192.168.42.11" proto="6" length="40" tos="0x00" prec="0x00" ttl="64" srcport="80" dstport="57598" tcpflags="ACK FIN" 
2014:09:09-17:20:32 labutm01 ulogd[4886]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60003" outitf="eth1" srcmac="0:50:56:88:15:54" srcip="176.32.102.89" dstip="192.168.42.11" proto="6" length="40" tos="0x00" prec="0x00" ttl="64" srcport="80" dstport="57599" tcpflags="ACK FIN" 
2014:09:09-17:20:33 labutm01 ulogd[4886]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60003" outitf="eth1" srcmac="0:50:56:88:15:54" srcip="23.23.250.228" dstip="192.168.42.11" proto="6" length="40" tos="0x00" prec="0x00" ttl="64" srcport="80" dstport="57607" tcpflags="ACK FIN" 


This is a fresh install, only FW rule I added was to allow 192.168.1.0/24 access the webadmin interface on 192.168.1.8





This thread was automatically locked due to age.
Parents
  • Hi there,

    I have those rules in place already, at the bottom, however I'm still seeing default drops with source port 80 and/or 443 but the difference with those is they have the srcmac included in the live log

    Ah well
  • Hello,

    fwrule 60003 indicates default drop rule from OUTPUT chain

    I have similar issue and so far the only solution I have found is:

    1. SSH to UTM and su to root

    2. look at the OUTPUT chain and find position of the last rule

    iptables -L OUTPUT

    3. add new rule to iptables, to drop RST packets without logging them. You have to place this rule before the last one in the chain. In my case it is 11.

    iptables -I OUTPUT 11 -p tcp --tcp-flags RST RST -j DROP

    This rule should remain in the table until next UTM reboot, then you have to re-apply it.

    Most likely it is possible to make this permanent by editing config files, but I haven't found that place yet.

    Please note that this is not a supported solution and you may void your support by this.

    Though I haven't observed any side effects so far, please use this method on your own risk, preferably in non-production or home systems only.

  • Okay, I have just found how to make the change permanent:

    1. SSH to UTM and su to root

    2. cd /var/mdw/etc/iptables and edit iptable.filter

    3. add this line: 

    -A OUTPUT -p tcp -m tcp --tcp-flags RST RST -j DROP

    just before:

    -A OUTPUT -m logmark --logmark 60003 -j LOGDROP

    4. save changes, reboot utm, check by executing iptables -L OUTPUT if the change is present

    Again, use on your own risk as this involves modifications on root account.

  • Hi, I was having the same warnings and discovered it is due to web users clicking the 'Cancel' button while a site is loading, which results in the web browser sending a FIN packet to Sophos Web Protection.

    Sophos Web Protection should send a FIN ACK or RST packet to acknowledge the browser's request (http://freesoft.org/CIE/RFC/1122/99.htm), but this is not allowed through by the Network Protection default rules for output, since only RELATED, ESTABLISHED packets are allowed, and that doesn't cover RST packets apparently (see https://unix.stackexchange.com/questions/223151/why-do-some-tcp-reset-packets-show-up-in-my-iptables-log/223240#223240). This leaves the client in the FIN_WAIT state and is therefore technically RFC noncompliant, as well as filling up the logs and executive reports with unnecessary warnings for the default drop rule for output (60003).

    I fixed this by adding rules to allow RST packets out using the method above: to be safe I would only enable this on interfaces where Web Protection is enabled:

    -A OUTPUT -o <web protection interface 1 e.g. eth0> -p tcp --tcp-flags RST RST -j ACCEPT

    -A OUTPUT -o <web protection interface 2 e.g. eth1> -p tcp --tcp-flags RST RST -j ACCEPT

    It would be good if Sophos would fix the firewall rules so that the final RST packet as specified by the RFC is actually sent.

  • Sophos acknowledge this issue when it relates to ACK RST or ACK FIN here (although interestingly not RST on its own):

    https://community.sophos.com/kb/en-us/114618

    Having tried the above rules in /var/mdw/etc/iptables/iptable.filter I found I also had some ACK FIN drops logged; in the end the following rules (in which I use '! -o <interface>' to apply them to *all* interfaces *except* the external facing interface) seem to do the job. Again, add them just above -A OUTPUT -m logmark --logmark 60003 -j LOGDROP in the file above:

    -A OUTPUT ! -o <external facing interface e.g. eth1> -p tcp --tcp-flags SYN,ACK,FIN ACK,FIN -j ACCEPT
    -A OUTPUT ! -o <external facing interface e.g. eth1> -p tcp --tcp-flags SYN,RST RST -j ACCEPT

    It would be good if this problem of dropped ACK FIN and RST outgoing packets could be resolved properly.

  • Chris-

    I am in the process of editing the iptable.filter file you have indicated. However I need a little syntax help. I am in question here:

    using: -A OUTPUT -o <web protection interface 1 e.g. eth0> -p tcp --tcp-flags RST RST -j ACCEPT

    should the correct syntax be -A OUTPUT -o <eth1> -p tcp --tcp-flags RST RST -j ACCEPT including the before and after carrot? Or the alternative of -A OUTPUT -o eth1 -p tcp --tcp-flags RST RST -j ACCEPT  In my case eth0 is the internet facing interface, eth1 is the internal interface. 

    Thank you in advance for your help!

    Jim

    Thanks,

    Jim

  • Hi Jim,

    I'd suggest using the second post that I made above https://community.sophos.com/products/unified-threat-management/f/management-networking-logging-and-reporting/34526/firewall-log-full-of-default-drops-when-web-browsing/349259#349259 which will allow ACK,FIN as well as RST on everything that is *not* the external interface:

    -A OUTPUT ! -o <external facing interface - i.e. eth0> -p tcp --tcp-flags SYN,ACK,FIN ACK,FIN -j ACCEPT
    -A OUTPUT ! -o <external facing interface - i.e. eth0> -p tcp --tcp-flags SYN,RST RST -j ACCEPT

    (The 'carets' should NOT be included so in this case you'd use eth0, not <eth0>)

    If you prefer to use my original suggestion (which just allows RST):

    -A OUTPUT -o <web protection [internal] interface - i.e. eth1> -p tcp --tcp-flags RST RST -j ACCEPT

    Then you should also miss out the 'carets' and on this occasion use eth1.

    (The exclamation mark ! in the first set of rules is a logical 'not' to invert the filter).

  • Hi Chris,

     

    I added the line -A OUTPUT -o eth1 -p tcp --tcp-flags RST RST -j ACCEPT to iptable.filter directly above

    -A OUTPUT -m logmark --logmark 60003 -j LOGDROP. Hopefully this seriously reduces the number of RST entries in the log. Previously when I used -A OUTPUT -p tcp -m tcp --tcp-flags RST RST -j DROP there seemed to be a performance hit where looking at on line video was slow. Either way thank you again! Jim

Reply
  • Hi Chris,

     

    I added the line -A OUTPUT -o eth1 -p tcp --tcp-flags RST RST -j ACCEPT to iptable.filter directly above

    -A OUTPUT -m logmark --logmark 60003 -j LOGDROP. Hopefully this seriously reduces the number of RST entries in the log. Previously when I used -A OUTPUT -p tcp -m tcp --tcp-flags RST RST -j DROP there seemed to be a performance hit where looking at on line video was slow. Either way thank you again! Jim

Children
No Data