Dropped packets to port 0

While looking at our FW logs I see UDP packets from internal devices sent to a FW interface with dstport=0.

2023:06:23-14:20:19 FWName ulogd[31041]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60001" initf="ethx.9" mark="0x1000" srcmac="aa:bb:cc:dd:ee" dstmac="00:11:22:33:44:55" srcip="192.168.xxx.abc" dstip="192.168.xxx.254" proto="17" length="28" tos="0x00" prec="0x00" ttl="128" srcport="62139" dstport="0"

I am curious if anyone knows what these packets might be? I cannot find any information on valid use of port 0.


This thread was automatically locked due to age.
  • Hello  ,

    Thank you for reaching out to the community. This is due to the default drop: Sophos UTM cannot forward traffic that is sent to a masqueraded WAN IP address unless it was requested by a client behind Sophos UTM, or there is a NAT rule to redirect the traffic to an internal server, with the exception of services running on Sophos UTM itself. If a packet arrives and is not for one of the Sophos UTM's services, is not part of an established connection, and there is no NAT rule for it, it will be dropped as fwrule 60001.

    Usually, "fwrule 60001" means that you must configure a NAT rule, likely DNAT, or review the configuration of your existing NAT because the packet does not match the intended rule. Check for interface binding, that the source and destination ports are correct, that you are matching the correct protocol, for example, TCP, UDP, or both, and that the IP addresses are correct.

    You can learn more here - Sophos UTM: Packet filter log files.

    Thanks & Regards,
    _______________________________________________________________

    Vivek Jagad | Team Lead, Technical Support, Global Customer Experience

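To see which internal hosts send these port-0 packets and how often, the drop records can be tallied by source. The following is an added example, not part of the original thread and not Sophos tooling; the sample log lines are constructed in the format of the line quoted in the question, and treating length="28" as a header-only UDP datagram assumes the field is the IP total length with no IP options.

```python
import re
from collections import Counter

# key="value" pairs, as in the packetfilter line quoted in the question
PAIR = re.compile(r'(\w+)="([^"]*)"')

# Constructed sample lines modelled on the quoted log line (all addresses are made up)
SAMPLE_LOG = '''\
2023:06:23-14:20:19 FWName ulogd[31041]: id="2001" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60001" initf="eth1" srcip="192.168.10.23" dstip="192.168.10.254" proto="17" length="28" ttl="128" srcport="62139" dstport="0"
2023:06:23-14:20:49 FWName ulogd[31041]: id="2001" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60001" initf="eth1" srcip="192.168.10.23" dstip="192.168.10.254" proto="17" length="28" ttl="128" srcport="62140" dstport="0"
2023:06:23-14:21:02 FWName ulogd[31041]: id="2001" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60001" initf="eth1" srcip="192.168.10.40" dstip="192.168.10.254" proto="17" length="60" ttl="64" srcport="40112" dstport="0"
2023:06:23-14:21:10 FWName ulogd[31041]: id="2001" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60001" initf="eth1" srcip="192.168.10.23" dstip="192.168.10.254" proto="17" length="72" ttl="128" srcport="62141" dstport="161"
'''

def parse_line(line):
    """Return the key="value" fields of one log line as a dict."""
    return dict(PAIR.findall(line))

def port_zero_drops(log_text):
    """Yield parsed records for dropped packets whose destination port is 0."""
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec.get("action") == "drop" and rec.get("dstport") == "0":
            yield rec

def summarize(log_text):
    """Count port-0 drops per (srcip, dstip, proto); also count header-only UDP."""
    counts, empty_udp = Counter(), Counter()
    for rec in port_zero_drops(log_text):
        key = (rec.get("srcip"), rec.get("dstip"), rec.get("proto"))
        counts[key] += 1
        # Assumption: length is the IP total length; 20-byte IPv4 header + 8-byte UDP header = 28
        if rec.get("proto") == "17" and rec.get("length") == "28":
            empty_udp[key] += 1
    return counts, empty_udp

if __name__ == "__main__":
    counts, empty_udp = summarize(SAMPLE_LOG)
    for key, n in counts.most_common():
        print(key, "drops:", n, "header-only UDP:", empty_udp[key])
```

Sorting the result by source address points to the devices worth inspecting locally for whatever process emits the datagrams.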
