
Dropped packets to port 0

While looking at our FW logs I see UDP packets from internal devices sent to a FW interface with dstport=0.

2023:06:23-14:20:19 FWName ulogd[31041]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60001" initf="ethx.9" mark="0x1000" srcmac="aa:bb:cc:dd:ee" dstmac="00:11:22:33:44:55" srcip="192.168.xxx.abc" dstip="192.168.xxx.254" proto="17" length="28" tos="0x00" prec="0x00" ttl="128" srcport="62139" dstport="0"

I am curious if anyone knows what these packets might be? I cannot find any information on valid use of port 0.


This thread was automatically locked due to age.
  • Hello  ,

    Thank you for reaching out to the community. This is due to the default drop. Sophos UTM cannot forward traffic that is sent to a masqueraded WAN IP address unless it was requested by a client behind Sophos UTM, or there is a NAT rule to redirect the traffic to an internal server, with the exception of services running on Sophos UTM itself. If a packet arrives and is not for one of the Sophos UTM's services, is not part of an established connection, and there is no NAT rule for it, it will be dropped as fwrule 60001.

    Usually, "fwrule 60001" means that you must configure a NAT rule, likely DNAT, or review the configuration of your existing NAT because the packet does not match the intended rule. Check for interface binding, that the source and destination ports are correct, that you are matching the correct protocol, for example, TCP, UDP, or both, and that the IP addresses are correct.

    You can learn more here - Sophos UTM: Packet filter log files.

    Thanks & Regards,
    _______________________________________________________________

    Vivek Jagad | Team Lead, Technical Support, Global Customer Experience


  • Hello Vivek,

    thanks for your explanation. That is about what I was expecting. What I am wondering is if there is any way to figure out why these packets are being sent in the first place. I have captured a few using TCPdump, but I don't really know what to make of them.

    Perhaps I should just be grateful that everything is working ok and ignore them. But if there is something to learn here I would be interested to find out what is causing the packets to be sent.
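
Added example, not part of the original thread and not Sophos code: one way to start on the question above is to group the fwrule 60001 drops with dstport="0" by sending host, so the devices involved can be identified and looked at. The sample lines are constructed in the format of the log entry quoted in the first post; the function name `port_zero_sources` and the reading of `length` as the IP total length are assumptions.

```python
import re
from collections import Counter

# Constructed sample lines in the format of the entry quoted in the thread;
# host name, addresses, MACs and times are made up for this example.
_LINE = ('{0} fw ulogd[31041]: id="2001" severity="info" sys="SecureNet" '
         'sub="packetfilter" name="Packet dropped" action="drop" fwrule="{1}" '
         'initf="eth1" srcmac="02:00:00:00:00:{2}" dstmac="02:00:00:00:00:fe" '
         'srcip="{3}" dstip="192.168.10.254" proto="{4}" length="{5}" ttl="128" '
         'srcport="{6}" dstport="{7}"')
_ROWS = [
    ("2023:06:23-14:20:19", "60001", "0a", "192.168.10.21", 17, 28, 62139, 0),
    ("2023:06:23-14:21:02", "60001", "0b", "192.168.10.37", 17, 28, 50211, 0),
    ("2023:06:23-14:22:40", "60001", "0b", "192.168.10.37", 6, 52, 50300, 445),
    ("2023:06:23-14:23:00", "60002", "0c", "192.168.10.40", 17, 28, 40000, 0),
    ("2023:06:23-14:25:19", "60001", "0a", "192.168.10.21", 17, 28, 62140, 0),
]
SAMPLE_LOG = "\n".join(_LINE.format(*row) for row in _ROWS)

KV = re.compile(r'(\w+)="([^"]*)"')  # the key="value" pairs of a log line


def port_zero_sources(log_text, fwrule="60001"):
    """Group dropped dstport=0 packets by sender (srcip, srcmac)."""
    sources = {}
    for line in log_text.splitlines():
        f = dict(KV.findall(line))
        if (f.get("sub"), f.get("action"), f.get("fwrule")) != ("packetfilter", "drop", fwrule):
            continue
        if f.get("dstport") != "0":   # also skips lines that carry no dstport field
            continue
        when = line.split(" ", 1)[0]  # leading timestamp; fixed width, so it sorts as text
        s = sources.setdefault((f.get("srcip"), f.get("srcmac")),
                               {"count": 0, "first": when, "last": when,
                                "protos": Counter(), "lengths": Counter()})
        s["count"] += 1
        s["first"], s["last"] = min(s["first"], when), max(s["last"], when)
        s["protos"][f.get("proto")] += 1
        # Assumption: "length" is the IP total length. On proto 17 (UDP) a value of 28
        # would then be a 20-byte IPv4 header plus an 8-byte UDP header, i.e. no payload.
        s["lengths"][int(f.get("length", 0))] += 1
    return sources


if __name__ == "__main__":
    ranked = sorted(port_zero_sources(SAMPLE_LOG).items(), key=lambda kv: -kv[1]["count"])
    for (ip, mac), s in ranked:
        print(ip, mac, s["count"], s["first"], s["last"], dict(s["protos"]), dict(s["lengths"]))
```

The per-host first and last timestamps show whether the packets are periodic, which helps when matching them against software running on the sending device.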
