
Unrecognized firewall log output

Dear,
      I want to understand the attached output of the firewall log when I try to update Ubuntu 11.10 and this update related to Google Chrome.

Thanks,
Mostafa Aly


  • 1.  Here are the only SYN packets in the firewall log (there are others but they all look like this - with different source addresses).  They're not directed at the end machine but at the firewall's external address itself so I was supposing they didn't have anything to do with the problem but were failed attempts from outside port scanning and such.  I've also included the lines above the SYN packets so you can see 60003, 60001, and 60004 drops.

    2014:05:14-01:02:53 Clamshell ulogd[15288]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60003" outitf="eth0" srcmac="0:21:70:7a:d:b" srcip="174.35.40.35" dstip="192.168.11.39" proto="6" length="40" tos="0x00" prec="0x00" ttl="64" srcport="80" dstport="38104" tcpflags="RST"
    2014:05:14-01:13:28 Clamshell ulogd[15288]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60003" outitf="eth0" srcmac="0:21:70:7a:d:b" srcip="204.17.140.102" dstip="192.168.11.39" proto="6" length="40" tos="0x00" prec="0x00" ttl="64" srcport="443" dstport="49857" tcpflags="RST"
    2014:05:14-01:22:17 Clamshell ulogd[15288]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60001" initf="eth1" srcmac="80:a1:d7:a6:38:dd" dstmac="8c:ae:4c:ff:c:7f" srcip="184.105.139.67" dstip="192.168.1.4" proto="17" length="113" tos="0x00" prec="0x00" ttl="52" srcport="53142" dstport="161"
    2014:05:14-01:29:00 Clamshell ulogd[15288]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60001" initf="eth1" srcmac="80:a1:d7:a6:38:dd" dstmac="8c:ae:4c:ff:c:7f" srcip="216.120.248.241" dstip="192.168.1.4" proto="17" length="432" tos="0x00" prec="0x00" ttl="54" srcport="5080" dstport="5060"
    2014:05:14-01:30:14 Clamshell ulogd[15288]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60001" initf="eth1" srcmac="80:a1:d7:a6:38:dd" dstmac="8c:ae:4c:ff:c:7f" srcip="222.174.72.18" dstip="192.168.1.4" proto="6" length="60" tos="0x00" prec="0x00" ttl="42" srcport="33206" dstport="23" tcpflags="SYN"
    2014:05:14-01:30:16 Clamshell ulogd[15288]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60001" initf="eth1" srcmac="80:a1:d7:a6:38:dd" dstmac="8c:ae:4c:ff:c:7f" srcip="222.174.72.18" dstip="192.168.1.4" proto="6" length="60" tos="0x00" prec="0x00" ttl="42" srcport="33206" dstport="23" tcpflags="SYN"
    2014:05:14-01:30:22 Clamshell ulogd[15288]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60001" initf="eth1" srcmac="80:a1:d7:a6:38:dd" dstmac="8c:ae:4c:ff:c:7f" srcip="222.174.72.18" dstip="192.168.1.4" proto="6" length="60" tos="0x00" prec="0x00" ttl="42" srcport="33206" dstport="23" tcpflags="SYN"
    2014:05:14-01:32:32 Clamshell ulogd[15288]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60004" initf="eth1" srcmac="80:a1:d7:a6:38:dd" dstmac="8c:ae:4c:ff:c:7f" srcip="116.10.191.182" dstip="192.168.1.4" proto="6" length="44" tos="0x00" prec="0x00" ttl="100" srcport="6000" dstport="22" tcpflags="SYN"
      

    2.  I checked the web filter logs (I do have it turned on in transparent mode using the default rules and only blocking one category - nudity) and everything is "pass".  I am getting some odd entries, which are probably ok but I don't know what they are.  I've included a clip that shows passed traffic and some of the odd entries.  I've also turned the web filter off for a time to see if the issue goes away, but it doesn't.

    2014:05:14-08:21:01 Clamshell httpproxy[27931]: id="0001" severity="info" sys="SecureWeb" sub="http" name="http access" action="pass" method="CONNECT" srcip="192.168.11.39" dstip="184.27.178.25" user="" statuscode="200" cached="0" profile="REF_DefaultHTTPProfile (Default Web Filter Profile)" filteraction="REF_DefaultHTTPCFFAction (Default content filter action)" size="74727" request="0xe1a27980" url="184.27.178.25/" exceptions="" error="" authtime="0" dnstime="4" cattime="112302" avscantime="0" fullreqtime="255376308" device="0" auth="0" category="9998" reputation="neutral" categoryname="Uncategorized"
    2014:05:14-08:21:20 Clamshell httpproxy[27931]: id="0001" severity="info" sys="SecureWeb" sub="http" name="http access" action="pass" method="CONNECT" srcip="192.168.11.38" dstip="65.55.68.119" user="" statuscode="200" cached="0" profile="REF_DefaultHTTPProfile (Default Web Filter Profile)" filteraction="REF_DefaultHTTPCFFAction (Default content filter action)" size="11194" request="0xfe3aee0" url="snt404-m.hotmail.com" exceptions="" error="" authtime="0" dnstime="14" cattime="1183754" avscantime="0" fullreqtime="33545302" device="0" auth="0" category="156" reputation="neutral" categoryname="Web Mail"
    2014:05:14-08:21:23 Clamshell httpproxy[27931]: id="0001" severity="info" sys="SecureWeb" sub="http" name="http access" action="pass" method="GET" srcip="192.168.11.39" dstip="204.17.140.113" user="" statuscode="204" cached="0" profile="REF_DefaultHTTPProfile (Default Web Filter Profile)" filteraction="REF_DefaultHTTPCFFAction (Default content filter action)" size="0" request="0xe2b56660" url="clients3.google.com/generate_204" exceptions="" error="" authtime="0" dnstime="156" cattime="548054" avscantime="0" fullreqtime="574464" device="0" auth="0" category="178" reputation="trusted" categoryname="Internet Services"
    2014:05:14-08:21:24 Clamshell httpproxy[27931]: id="0003" severity="info" sys="SecureWeb" sub="http" request="(nil)" function="sc_check_servers" file="scr_scanner.c" line="820" message="server 'cffs18.astaro.com' access time: 106ms"
    2014:05:14-08:21:25 Clamshell httpproxy[27931]: id="0003" severity="info" sys="SecureWeb" sub="http" request="(nil)" function="sc_check_servers" file="scr_scanner.c" line="820" message="server 'cffs14.astaro.com' access time: 139ms"
    2014:05:14-08:21:25 Clamshell httpproxy[27931]: id="0003" severity="info" sys="SecureWeb" sub="http" request="(nil)" function="sc_check_servers" file="scr_scanner.c" line="820" message="server 'cffs25.astaro.com' access time: 189ms"
    2014:05:14-08:21:25 Clamshell httpproxy[27931]: id="0003" severity="info" sys="SecureWeb" sub="http" request="(nil)" function="sc_check_servers" file="scr_scanner.c" line="820" message="server 'cffs26.astaro.com' access time: 304ms"
    2014:05:14-08:21:25 Clamshell httpproxy[27931]: id="0003" severity="info" sys="SecureWeb" sub="http" request="(nil)" function="sc_check_servers" file="scr_scanner.c" line="820" message="server 'cffs08.astaro.com' access time: 334ms"
    2014:05:14-08:21:26 Clamshell httpproxy[27931]: id="0003" severity="info" sys="SecureWeb" sub="http" request="(nil)" function="sc_check_servers" file="scr_scanner.c" line="820" message="server 'cffs22.astaro.com' access time: 376ms"
    2014:05:14-08:21:26 Clamshell httpproxy[27931]: id="0003" severity="info" sys="SecureWeb" sub="http" request="(nil)" function="sc_check_servers" file="scr_scanner.c" line="820" message="server 'cffs19.astaro.com' access time: 397ms"
    2014:05:14-08:21:27 Clamshell httpproxy[27931]: id="0003" severity="info" sys="SecureWeb" sub="http" request="(nil)" function="sc_check_servers" file="scr_scanner.c" line="820" message="server 'cffs12.astaro.com' access time: 382ms"
    2014:05:14-08:21:27 Clamshell httpproxy[27931]: id="0003" severity="info" sys="SecureWeb" sub="http" request="(nil)" function="sc_check_servers" file="scr_scanner.c" line="820" message="server 'cffs16.astaro.com' access time: 304ms"
    2014:05:14-08:21:27 Clamshell httpproxy[27931]: id="0003" severity="info" sys="SecureWeb" sub="http" request="(nil)" function="sc_check_servers" file="scr_scanner.c" line="820" message="server 'cffs24.astaro.com' access time: 107ms"
    2014:05:14-08:21:28 Clamshell httpproxy[27931]: id="0003" severity="info" sys="SecureWeb" sub="http" request="(nil)" function="sc_check_servers" file="scr_scanner.c" line="820" message="server 'cffs23.astaro.com' access time: 1229ms"
    2014:05:14-08:21:29 Clamshell httpproxy[27931]: id="0003" severity="info" sys="SecureWeb" sub="http" request="(nil)" function="sc_check_servers" file="scr_scanner.c" line="820" message="server 'cffs01.astaro.com' access time: 397ms"
    2014:05:14-08:21:29 Clamshell httpproxy[27931]: id="0003" severity="info" sys="SecureWeb" sub="http" request="(nil)" function="sc_check_servers" file="scr_scanner.c" line="820" message="server 'cffs04.astaro.com' access time: 399ms"
    2014:05:14-08:21:29 Clamshell httpproxy[27931]: id="0003" severity="info" sys="SecureWeb" sub="http" request="(nil)" function="sc_check_servers" file="scr_scanner.c" line="820" message="server 'cffs20.astaro.com' access time: 399ms"
    2014:05:14-08:21:30 Clamshell httpproxy[27931]: id="0003" severity="info" sys="SecureWeb" sub="http" request="(nil)" function="sc_check_servers" file="scr_scanner.c" line="820" message="server 'cffs05.astaro.com' access time: 403ms"
    2014:05:14-08:21:30 Clamshell httpproxy[27931]: id="0003" severity="info" sys="SecureWeb" sub="http" request="(nil)" function="sc_check_servers" file="scr_scanner.c" line="820" message="server 'cffs27.astaro.com' access time: 399ms"
    2014:05:14-08:21:31 Clamshell httpproxy[27931]: id="0003" severity="info" sys="SecureWeb" sub="http" request="(nil)" function="sc_check_servers" file="scr_scanner.c" line="820" message="server 'cffs21.astaro.com' access time: 418ms"
    2014:05:14-08:21:31 Clamshell httpproxy[27931]: id="0003" severity="info" sys="SecureWeb" sub="http" request="(nil)" function="sc_check_servers" file="scr_scanner.c" line="820" message="server 'cffs02.astaro.com' access time: 411ms"
    2014:05:14-08:21:31 Clamshell httpproxy[27931]: id="0003" severity="info" sys="SecureWeb" sub="http" request="(nil)" function="sc_check_servers" file="scr_scanner.c" line="820" message="server 'cffs11.astaro.com' access time: 433ms"
    2014:05:14-08:21:32 Clamshell httpproxy[27931]: id="0003" severity="info" sys="SecureWeb" sub="http" request="(nil)" function="sc_check_servers" file="scr_scanner.c" line="820" message="server 'cffs03.astaro.com' access time: 249ms"
    2014:05:14-08:21:32 Clamshell httpproxy[27931]: id="0003" severity="info" sys="SecureWeb" sub="http" request="(nil)" function="sc_check_servers" file="scr_scanner.c" line="820" message="server 'cffs17.astaro.com' access time: 506ms"
    2014:05:14-08:21:33 Clamshell httpproxy[27931]: id="0003" severity="info" sys="SecureWeb" sub="http" request="(nil)" function="sc_check_servers" file="scr_scanner.c" line="820" message="server 'cffs09.astaro.com' access time: 518ms"
    2014:05:14-08:21:33 Clamshell httpproxy[27931]: id="0003" severity="info" sys="SecureWeb" sub="http" request="(nil)" function="sc_check_servers" file="scr_scanner.c" line="820" message="server 'cffs10.astaro.com' access time: 510ms"
    2014:05:14-08:21:34 Clamshell httpproxy[27931]: id="0003" severity="info" sys="SecureWeb" sub="http" request="(nil)" function="sc_check_servers" file="scr_scanner.c" line="820" message="server 'cffs07.astaro.com' access time: 354ms"
    2014:05:14-08:21:34 Clamshell httpproxy[27931]: id="0003" severity="info" sys="SecureWeb" sub="http" request="(nil)" function="sc_check_servers" file="scr_scanner.c" line="820" message="server 'cffs15.astaro.com' access time: 472ms"
    2014:05:14-08:21:34 Clamshell httpproxy[27931]: id="0003" severity="info" sys="SecureWeb" sub="http" request="(nil)" function="sc_check_servers" file="scr_scanner.c" line="820" message="server 'cffs06.astaro.com' access time: 221ms"
    2014:05:14-08:21:35 Clamshell httpproxy[27931]: id="0003" severity="info" sys="SecureWeb" sub="http" request="(nil)" function="sc_check_servers" file="scr_scanner.c" line="820" message="server 'cffs13.astaro.com' access time: 229ms"
    2014:05:14-08:21:51 Clamshell httpproxy[27931]: id="0001" severity="info" sys="SecureWeb" sub="http" name="http access" action="pass" method="CONNECT" srcip="192.168.11.39" dstip="23.59.191.96" user="" statuscode="200" cached="0" profile="REF_DefaultHTTPProfile (Default Web Filter Profile)" filteraction="REF_DefaultHTTPCFFAction (Default content filter action)" size="83486" request="0xe2e4f100" url="23.59.191.96/" exceptions="" error="" authtime="0" dnstime="4" cattime="106244" avscantime="0" fullreqtime="209283764" device="0" auth="0" category="9998" reputation="neutral" categoryname="Uncategorized"
    2014:05:14-08:22:20 Clamshell httpproxy[27931]: id="0001" severity="info" sys="SecureWeb" sub="http" name="http access" action="pass" method="CONNECT" srcip="192.168.11.39" dstip="31.13.77.55" user="" statuscode="200" cached="0" profile="REF_DefaultHTTPProfile (Default Web Filter Profile)" filteraction="REF_DefaultHTTPCFFAction (Default content filter action)" size="418946" request="0xa611dc0" url="31.13.77.55/" exceptions="" error="" authtime="0" dnstime="4" cattime="107359" avscantime="0" fullreqtime="472994931" device="0" auth="0" category="9998" reputation="neutral" categoryname="Uncategorized"
    2014:05:14-08:22:24 Clamshell httpproxy[27931]: id="0001" severity="info" sys="SecureWeb" sub="http" name="http access" action="pass" method="GET" srcip="192.168.11.39" dstip="204.17.140.112" user="" statuscode="204" cached="0" profile="REF_DefaultHTTPProfile (Default Web Filter Profile)" filteraction="REF_DefaultHTTPCFFAction (Default content filter action)" size="0" request="0xe2c6aaa0" url="clients3.google.com/generate_204" exceptions="" error="" authtime="0" dnstime="752" cattime="107071" avscantime="0" fullreqtime="133976" device="0" auth="0" category="178" reputation="trusted" categoryname="Internet Services"

    3.  I have the IPS turned off
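    The post above reads the packetfilter and httpproxy entries by eye. Below is an added example (written for this thread, not Sophos UTM code) of parsing the same key="value" log format and answering the two questions the poster was asking: which rules are dropping what, and whether the inbound SYNs on the external interface are just unsolicited scanning noise that is unrelated to the LAN client's update traffic. The sample lines are constructed copies of the quoted ones with made-up addresses and MACs; the unit of fullreqtime (taken here as microseconds) and the choice of eth1 as the external interface are assumptions.

```python
"""Summarise Sophos UTM ulogd/httpproxy log lines (example code for this
thread, not part of Sophos UTM).  It reports packetfilter drops per rule,
collapses repeated inbound SYNs from one source into a single entry, and
flags web filter requests that took unusually long."""
import re
from collections import Counter
from datetime import datetime

KV_RE = re.compile(r'(\w+)="([^"]*)"')
HEAD_RE = re.compile(r'^(\S+) (\S+) (\w+)\[(\d+)\]: ')

# Constructed sample modelled on the lines quoted in the thread; source
# addresses and MACs are made up (RFC 5737 documentation ranges).
SAMPLE_LOG = """\
2014:05:14-01:02:53 Clamshell ulogd[15288]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60003" outitf="eth0" srcmac="0:21:70:7a:d:b" srcip="203.0.113.10" dstip="192.168.11.39" proto="6" length="40" tos="0x00" prec="0x00" ttl="64" srcport="80" dstport="38104" tcpflags="RST"
2014:05:14-01:22:17 Clamshell ulogd[15288]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60001" initf="eth1" srcmac="80:a1:d7:a6:38:dd" dstmac="8c:ae:4c:ff:c:7f" srcip="198.51.100.7" dstip="192.168.1.4" proto="17" length="113" tos="0x00" prec="0x00" ttl="52" srcport="53142" dstport="161"
2014:05:14-01:30:14 Clamshell ulogd[15288]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60001" initf="eth1" srcmac="80:a1:d7:a6:38:dd" dstmac="8c:ae:4c:ff:c:7f" srcip="198.51.100.22" dstip="192.168.1.4" proto="6" length="60" tos="0x00" prec="0x00" ttl="42" srcport="33206" dstport="23" tcpflags="SYN"
2014:05:14-01:30:16 Clamshell ulogd[15288]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60001" initf="eth1" srcmac="80:a1:d7:a6:38:dd" dstmac="8c:ae:4c:ff:c:7f" srcip="198.51.100.22" dstip="192.168.1.4" proto="6" length="60" tos="0x00" prec="0x00" ttl="42" srcport="33206" dstport="23" tcpflags="SYN"
2014:05:14-01:32:32 Clamshell ulogd[15288]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60004" initf="eth1" srcmac="80:a1:d7:a6:38:dd" dstmac="8c:ae:4c:ff:c:7f" srcip="198.51.100.99" dstip="192.168.1.4" proto="6" length="44" tos="0x00" prec="0x00" ttl="100" srcport="6000" dstport="22" tcpflags="SYN"
2014:05:14-08:21:01 Clamshell httpproxy[27931]: id="0001" severity="info" sys="SecureWeb" sub="http" name="http access" action="pass" method="CONNECT" srcip="192.168.11.39" dstip="203.0.113.40" user="" statuscode="200" cached="0" size="74727" url="203.0.113.40/" fullreqtime="255376308" category="9998" categoryname="Uncategorized"
2014:05:14-08:21:24 Clamshell httpproxy[27931]: id="0003" severity="info" sys="SecureWeb" sub="http" request="(nil)" function="sc_check_servers" file="scr_scanner.c" line="820" message="server 'cffs18.astaro.com' access time: 106ms"
2014:05:14-08:22:24 Clamshell httpproxy[27931]: id="0001" severity="info" sys="SecureWeb" sub="http" name="http access" action="pass" method="GET" srcip="192.168.11.39" dstip="203.0.113.41" user="" statuscode="204" cached="0" size="0" url="clients3.google.com/generate_204" fullreqtime="133976" category="178" categoryname="Internet Services"
"""


def parse_line(line):
    """Split one UTM line into header fields plus its key="value" pairs."""
    m = HEAD_RE.match(line)
    if not m:
        return None
    rec = {"ts": datetime.strptime(m.group(1), "%Y:%m:%d-%H:%M:%S"),
           "host": m.group(2), "prog": m.group(3), "pid": int(m.group(4))}
    rec.update(KV_RE.findall(line[m.end():]))
    return rec


def parse_log(text):
    return [r for r in (parse_line(l) for l in text.splitlines()) if r]


def drop_summary(records):
    """Count packetfilter drops by (interface, rule, proto, dstport, flags).
    Inbound drops carry initf; drops on the way out carry outitf."""
    counts = Counter()
    for r in records:
        if r.get("sub") != "packetfilter" or r.get("action") != "drop":
            continue
        iface = r.get("initf") or "out:" + r.get("outitf", "?")
        counts[(iface, r["fwrule"], r["proto"],
                r.get("dstport"), r.get("tcpflags", ""))] += 1
    return counts


def inbound_syn_noise(records, external_iface="eth1"):
    """Dropped TCP SYNs arriving on the external interface are unsolicited
    connection attempts from outside, unrelated to a LAN client's own
    sessions.  Collapse retries into one (srcip, dstport) entry so the
    count shows distinct sources rather than retransmissions."""
    counts = Counter()
    for r in records:
        if (r.get("sub") == "packetfilter" and r.get("action") == "drop"
                and r.get("initf") == external_iface
                and r.get("proto") == "6" and r.get("tcpflags") == "SYN"):
            counts[(r["srcip"], int(r["dstport"]))] += 1
    return counts


def slow_web_requests(records, threshold_s=60.0):
    """Web filter access entries (id 0001) whose fullreqtime exceeds the
    threshold.  Assumption: fullreqtime is in microseconds."""
    slow = []
    for r in records:
        if r.get("prog") == "httpproxy" and r.get("id") == "0001":
            secs = int(r["fullreqtime"]) / 1e6
            if secs > threshold_s:
                slow.append((r["url"], round(secs, 1)))
    return slow


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    for key, n in sorted(drop_summary(recs).items()):
        print("drop", key, n)
    print("inbound SYN sources:", dict(inbound_syn_noise(recs)))
    print("slow requests:", slow_web_requests(recs))
```

    Run against a real export of the packetfilter and web filter logs, the first report separates drops by rule and interface (the 6000x rules versus user rules), the second shows that the SYNs to ports 22, 23 and 161 are a handful of outside sources, and the third lists the CONNECTs that took minutes, which is the timing symptom worth taking to the Web Protection forum as Barry suggests.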
  • Hi,

    1. regarding the firewall log entries...
    If you don't have any DNATs then I don't understand why there is traffic heading to your internal PC for SSH, telnet, etc.

    I strongly suspect you have a misconfiguration and you should review your configuration, especially the NAT / Masq settings.

    2. please post in the Web Protection forum topic regarding your proxy logs, and mention the poor performance.

    Barry
  • I have the IPS turned off

    That's not the reason Barry suggested you look in the Intrusion Prevention log.  He was looking for Anti-DoS activity.

    Cheers - Bob
     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • After having this issue on my own system and reading through several threads like this, I have linked this issue on my own system to the "Do not scan files larger than X MB" option in the web filter.

    It seems if this setting is set excessively high, it will cause issues.  This is just a casual observation I've noted from fiddling with it, this isn't based on any knowledge of the actual function of the web filter.

    Problems seem to start happening if you set it higher than around 30 MB.

    I think the problem might be related to connections timing out while the AV scanning is occurring.

    Does anyone have any more experience with this or are you aware of any maximums regarding this value for the maximum file size scanned?

    OP, please first try turning off the web filter altogether and see if traffic passes.

    If this fixes the issue, try experimenting with the max file size scanned, starting somewhere real low like 8MB.  Make sure you actually reset the web filter by turning it off and then back on between all your changes.  You need to make sure the HTTP proxy actually restarts.

    Ian