Hi,
I observe that the following rules blocks some of my devices, and I’m wondering whether this is to be expected.
The rules are
chain=forward action=drop src-address-list=portscanners log=no log-prefix=""
chain=forward action=add-src-to-address-list protocol=udp psd=21,3s,3,1 address-list=portscanners address-list-timeout=1d log=yes log-prefix="udp port scanner detected"
The log shows the following entries
<date1> firewall,info udp port scanner detected forwa: in:bridge out:ether1, src-mac <masked>, proto UDP, <lan-ip1>:53260->103.212.181.14:2, len 43
<date2> firewall,info udp port scanner detected forwa: in:bridge out:ether1, src-mac <masked>, proto UDP, <lan-ip2>:58768->155.133.239.59:27036, len 444
<date3> firewall,info udp port scanner detected forwa: in:bridge out:ether1, src-mac <masked>, proto UDP, <lan-ip3>:9306->88.130.60.61:6862, len 122
I’m not sure about the first entry, but as far as I can tell, the second entry was caused by a gamer-PC starting a steam/valve-client, and the last entry was a playstation starting GTA.
The rules were introduced to prevent outgoing portscanners, and while it is a big success to have prevented those, I’m not entirely sure those were actually port scans, because it is unlikely that both the PC and the playstation is infected with malware, so it may just be the way those online games work.
Will each UDP packet add to the psd-trigger, or only ones for a new port?
Are my psd-parameters simply too tight?