On Mon, Mar 23, 2020 at 12:45 PM Matt Darfeuille <m...@shorewall.org> wrote:
>
> On 3/23/2020 11:40 AM, Vieri Di Paola wrote:
> > Hi,
> >
> > I set up my Shorewall gateway with the following logic:
> > - accept incoming connections for ports tcp 443, 80, and several others.
> > - all other connection attempts to other ports are dropped and the
> > source IP address is included in an ipset blacklist so subsequent
> > connection attempts even to "legit" open ports are dropped for x
> > amount of time.
> >
> > In general, this works fine.
> >
> > However, once in a while I get what seem to be false positives.
> >
> > For instance a known user usually connects fine to port 443 with an
> > external IP address (1.2.3.4). Somehow, at some point Shorewall
> > reports the following line in the log:
> >
> > IN=ppp3 OUT= MAC= SRC=1.2.3.4 DST=4.3.2.1 LEN=72 TOS=0x00 PREC=0x00
> > TTL=48 ID=46761 DF PROTO=UDP SPT=41152 DPT=58129 LEN=52 MARK=0x3
> >
> Looks like you are showing truncated udp log when you are talking about
> tcp ports?
I'm not sure I understand what you mean. I'm just pointing out that the host with IP addr. 1.2.3.4 usually accesses our "published" HTTPS/HTTP services. No issues there. However, at times I can see that Shorewall reports traffic from that host but on UDP 58129 in this specific case. The user at that host says he/she does not use a program to connect to our public IP addresses via UDP 58129. So I'm trying to find out why this traffic was seen.

> > The user has no idea what this UDP connection is for, and I haven't
> > found any program using this port (58129 is supposed to be in the
> > dynamic range).
>
> What dynamic range and are you sure of this?

The Internet Assigned Numbers Authority (IANA) suggests the range 49152 to 65535 (2^15+2^14 to 2^16−1) for dynamic or private ports. So, 58129 is in this range.

Vieri
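As an added example (not code from the thread or from Shorewall), a small Python triage helper that parses the netfilter-style log line Vieri posted and decides whether a dropped packet should feed the ipset blacklist at all: hits on ports in the IANA dynamic range are flagged for review instead of banning the source. The published-port set, the second sample line and the triage rule itself are assumptions made for this example.

```python
import re
from typing import Dict

# Ports the gateway publishes, from the thread (tcp 443 and 80; the
# "several others" are not named there, so only these two are listed).
PUBLISHED_PORTS = {("tcp", 443), ("tcp", 80)}

# IANA dynamic/private port range quoted in the thread.
DYNAMIC_MIN, DYNAMIC_MAX = 49152, 65535

# The log line from the thread, plus a constructed TCP SYN to an unopened port.
LOG_LINE = ("IN=ppp3 OUT= MAC= SRC=1.2.3.4 DST=4.3.2.1 LEN=72 TOS=0x00 PREC=0x00 "
            "TTL=48 ID=46761 DF PROTO=UDP SPT=41152 DPT=58129 LEN=52 MARK=0x3")
PROBE_LINE = ("IN=ppp3 OUT= MAC= SRC=5.6.7.8 DST=4.3.2.1 LEN=60 TOS=0x00 PREC=0x00 "
              "TTL=52 ID=1 DF PROTO=TCP SPT=40000 DPT=23 WINDOW=64240 SYN")

_KV = re.compile(r"([A-Z]+)=(\S*)")

def parse_nflog(line: str) -> Dict[str, str]:
    """Parse netfilter KEY=VALUE fields. Bare flags (DF, SYN) have no '='
    and are skipped; LEN occurs twice (IP header, then L4 header), so the
    second occurrence is stored as L4LEN."""
    fields: Dict[str, str] = {}
    for key, value in _KV.findall(line):
        if key == "LEN" and "LEN" in fields:
            key = "L4LEN"
        fields[key] = value
    return fields

def classify_drop(line: str) -> str:
    """Triage a dropped packet by its destination port:
    'published' -> a port that should have been accepted (rule ordering bug)
    'ephemeral' -> dst in the IANA dynamic range, like the UDP 58129 hit in
                   the thread; likely stray traffic, review before banning
    'probe'     -> unopened well-known/registered port"""
    f = parse_nflog(line)
    proto = f.get("PROTO", "").lower()
    if not f.get("DPT", "").isdigit():
        return "unparsed"
    dpt = int(f["DPT"])
    if (proto, dpt) in PUBLISHED_PORTS:
        return "published"
    if DYNAMIC_MIN <= dpt <= DYNAMIC_MAX:
        return "ephemeral"
    return "probe"

def should_blacklist(line: str) -> bool:
    """Only feed the ipset blacklist from hits on unopened non-ephemeral ports,
    so one stray packet to a dynamic-range port does not lock a user out."""
    return classify_drop(line) == "probe"

if __name__ == "__main__":
    for sample in (LOG_LINE, PROBE_LINE):
        f = parse_nflog(sample)
        print(f["SRC"], f["PROTO"], f["DPT"], classify_drop(sample), should_blacklist(sample))
```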