Some time in the last few weeks, the log on a CCR running 6.5 started getting filled with some strange entries. No configuration changes in either the system logging or firewall have been made, yet these messages started filling up the log:
08:37:57 firewall,info FTP forward: in:ether11 out:ether3, src-mac 00:24:c3:21:fc:46, proto TCP (SYN), xx.yy.72.99:53477->66.135.38.166:21, len 60
08:38:49 firewall,info FTP forward: in:ether11 out:ether3, src-mac 00:24:c3:21:fc:46, proto TCP (SYN), xx.yy.72.99:5804->70.60.227.176:21, len 60
08:39:22 firewall,info FTP forward: in:ether3 out:ether11, src-mac d4:ca:6d:89:36:71, proto TCP (SYN), 198.20.99.130:27032->xx.yy.72.211:21, len 40
08:39:30 firewall,info FTP forward: in:ether3 out:ether11, src-mac d4:ca:6d:89:36:71, proto TCP (SYN), 70.60.227.176:63339->xx.yy.72.103:21, len 52
08:39:49 firewall,info FTP forward: in:ether11 out:ether3, src-mac 00:24:c3:21:fc:46, proto TCP (SYN), xx.yy.72.99:32425->70.60.227.176:21, len 60
08:40:49 firewall,info FTP forward: in:ether11 out:ether3, src-mac 00:24:c3:21:fc:46, proto TCP (SYN), xx.yy.72.99:38037->70.60.227.176:21, len 60
08:41:49 firewall,info FTP forward: in:ether11 out:ether3, src-mac 00:24:c3:21:fc:46, proto TCP (SYN), xx.yy.72.99:12833->70.60.227.176:21, len 60
We’re seeing these messages for internal-internal traffic, internal-external traffic, and external-internal traffic, including traffic from The Dude to all points on our network.
I can’t share the firewall configuration, but there is nothing in there that would explicitly generate log entries.
The logging configuration itself is pretty much stock, except to increase the buffer and send a few things to remote syslog.
If this is something that needs attention, great. Need to know what it is. If it doesn’t need attention, need to know what’s causing the log entries so I can turn it off to make room for more important information in the log.
Thanks,