Dropped packets to port 0

Question

While looking at our FW logs I see UDP packets from internal devices sent to a FW interface with dstport=0. 
 2023:06:23-14:20:19 FWName ulogd[31041]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60001" initf="ethx.9" mark="0x1000" srcmac="aa:bb:cc:dd:ee" dstmac="00:11:22:33:44:55" srcip="192.168.xxx.abc" dstip="192.168.xxx.254" proto="17" length="28" tos="0x00" prec="0x00" ttl="128" srcport="62139" dstport="0" I am curious if anyone know what these packets might be? I cannot find any information on valid use of port 0.

Vivek Jagad · Answer

Hello Timotheus ,

Thank you for reaching out to the community, this is due to the default drop, Sophos UTM cannot forward traffic that is sent to a masqueraded WAN IP address unless it was requested by a client behind Sophos UTM, or there is a NAT rule to redirect the traffic to an internal server, with the exception of services running on Sophos UTM itself. If a packet arrives and is not for one of the Sophos UTM's services, is not part of an established connection, and there is no NAT rule for it, it will be dropped as fwrule 60001.

Usually, "fwrule 60001" means that you must configure a NAT rule, likely DNAT, or review the configuration of your existing NAT because the packet does not match the intended rule. Check for interface binding, that the source and destination ports are correct, that you are matching the correct protocol, for example, TCP, UDP, or both, and that the IP addresses are correct.

You can learn more here - Sophos UTM: Packet filter log files.

Thanks & Regards,
_______________________________________________________________

Vivek Jagad | Team Lead, Global Support & Services

Log a Support Case | Sophos Service Guide
Best Practices – Support Case

Sophos Community | Product Documentation | Sophos Techvids | SMS
If a post solves your question please use the 'Verify Answer' button.