Strange outgoing traffic?

I recently set up some egress firewall rules on a machine being used purely as a secondary for mail and DNS. All other outgoing services are blocked.

However, I'm seeing the following occasional outgoing calls in the log - does anyone know what they might be?

Feb 19 07:14:05 edith kernel: IN= OUT=eth0 SRC=80.68.x.x DST=24.110.218.127 LEN=40 TOS=0x00 PREC=0x00 TTL=64 ID=20548 DF PROTO=TCP SPT=1817 DPT=3247 WINDOW=52560 RES=0x00 ACK RST URGP=0

Feb 18 15:12:31 edith kernel: IN= OUT=eth0 SRC=80.68.x.x DST=221.222.170.114 LEN=40 TOS=0x00 PREC=0x00 TTL=64 ID=21627 DF PROTO=TCP SPT=2310 DPT=3669 WINDOW=51840 RES=0x00 ACK RST URGP=0

Feb 17 04:04:11 edith kernel: IN= OUT=eth0 SRC=80.68.x.x DST=222.255.121.136 LEN=40 TOS=0x00 PREC=0x00 TTL=64 ID=61952 DF PROTO=TCP SPT=1391 DPT=3496 WINDOW=5840 RES=0x00 ACK RST URGP=0

Jonathan


They're "FOAD" packets. You should have single incoming packets that are triggering each response.

24.110.218.127 (someone on Earthlink) tried to open a connection from their port 3247 to your port 1817. Your system ACKed their SYN packet, and told them to go away (RST) because nothing is listening on that port.

The other two packets you show are similar to hosts in China and Viet Nam.

Normal noise - welcome to the Internet. Normally, I wouldn't even bother logging this crap. One minor concern - the "WINDOW=" should be zero, rather than "keep talking", though the RST should do the job.

Old guy

Reply to
Moe Trin
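
An added example, not part of the thread: a small triage script that separates the closed-port resets described in the reply above (outbound TCP, flags exactly ACK RST, LEN=40) from other logged egress such as a new outbound SYN. The function names and the second sample line are constructed for illustration; the first sample line is taken from the question.

```python
from collections import defaultdict

# Line 1 is from the thread; line 2 is a constructed outbound SYN for contrast
# (documentation-range addresses).
SAMPLE = """\
Feb 19 07:14:05 edith kernel: IN= OUT=eth0 SRC=80.68.x.x DST=24.110.218.127 LEN=40 TOS=0x00 PREC=0x00 TTL=64 ID=20548 DF PROTO=TCP SPT=1817 DPT=3247 WINDOW=52560 RES=0x00 ACK RST URGP=0
Feb 19 07:15:00 edith kernel: IN= OUT=eth0 SRC=192.0.2.10 DST=198.51.100.7 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=1 DF PROTO=TCP SPT=40000 DPT=6667 WINDOW=5840 RES=0x00 SYN URGP=0
"""

# Flag names as the netfilter LOG target prints them (bare tokens, no "=").
TCP_FLAGS = {"SYN", "ACK", "RST", "FIN", "PSH", "URG", "ECE", "CWR"}


def parse(line):
    """Split a netfilter LOG line into KEY=VALUE fields and the set of TCP flags."""
    _, _, body = line.partition("kernel: ")
    tokens = body.split()
    fields = dict(t.split("=", 1) for t in tokens if "=" in t)
    flags = {t for t in tokens if t in TCP_FLAGS}
    return fields, flags


def classify(line):
    """Label one logged packet by how much attention it deserves."""
    fields, flags = parse(line)
    if fields.get("PROTO") != "TCP" or not fields.get("OUT"):
        return "other"
    # 40 bytes = 20-byte IP header + 20-byte TCP header, no options, no payload:
    # the bare reset a host sends when nothing listens on the probed port.
    if flags == {"ACK", "RST"} and fields.get("LEN") == "40":
        return "closed-port-reset"
    # A lone SYN leaving the box is this host opening a connection.
    if flags == {"SYN"}:
        return "outbound-connect"
    return "other"


def triage(text):
    """Group 'DST:DPT' endpoints by classification for a block of log text."""
    groups = defaultdict(list)
    for line in filter(None, map(str.strip, text.splitlines())):
        fields, _ = parse(line)
        groups[classify(line)].append(f"{fields.get('DST')}:{fields.get('DPT')}")
    return dict(groups)


if __name__ == "__main__":
    for label, endpoints in triage(SAMPLE).items():
        print(label, endpoints)
```

On a host with a strict egress policy, entries labelled `outbound-connect` to unexpected ports are the ones to review; the resets are replies to unsolicited inbound probes.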

Oh OK. Thanks.

I think I'll turn off the logging now since the firewall's been up a few weeks with no adverse effects.

Jonathan
