What is going on here?

I mean all these connections originating from port 4809?

My guess would be P2P. Do you have access to that machine to check it out?

-Louis

No, it’s a client computer on an open hotspot in a harbour.

My guess is also P2P.
A large number of connections, a rather constant use of bandwidth and IP addresses that don't reverse-resolve in DNS make me believe this.

But I have added firewall rules for P2P.
This is my forward chain:

add chain=forward action=log connection-state=invalid log-prefix="INVALID" \
    comment="Log invalid connections" disabled=no
add chain=forward action=drop connection-state=invalid comment="Drop invalid \
    connections" disabled=no 
add chain=forward action=accept connection-state=established \
    comment="Established connections" disabled=no 
add chain=forward action=accept connection-state=related comment="Related \
    connections" disabled=no 
add chain=forward action=jump jump-target=virus comment="!!! Check for \
    well-known viruses !!!" disabled=no 
add chain=forward action=log p2p=all-p2p log-prefix="DROP P2P" comment="Log \
    P2P" disabled=no 
add chain=forward action=drop p2p=all-p2p comment="Drop P2P" disabled=no 
add chain=forward action=accept protocol=icmp comment="ICMP" disabled=no 
add chain=forward action=log connection-state=new connection-mark=YouTube \
    log-prefix="*YOUTUBE*" comment="YOUTUBE" disabled=no 
add chain=forward action=jump jump-target=service comment="Check for valid \
    services" disabled=no 
add chain=forward action=log log-prefix="DROP Forward" comment="Log everything \
    else" disabled=no 
add chain=forward action=drop comment="Drop everything else" disabled=no

..and this is my services chain, allowing only specific services:

add chain=service action=accept dst-port=20 protocol=tcp comment="FTP" \
    disabled=no 
add chain=service action=accept dst-port=21 protocol=tcp comment="FTP" \
    disabled=no 
add chain=service action=accept dst-port=22 protocol=tcp comment="SSH,SFTP" \
    disabled=no 
add chain=service action=accept dst-port=23 protocol=tcp comment="TELNET" \
    disabled=no 
add chain=service action=accept dst-port=53 protocol=tcp comment="DNS" \
    disabled=no 
add chain=service action=accept dst-port=80 protocol=tcp comment="HTTP" \
    disabled=no 
add chain=service action=accept dst-port=179 protocol=tcp comment="BGP" \
    disabled=yes 
add chain=service action=accept dst-port=443 protocol=tcp comment="SHTTP" \
    disabled=no 
add chain=service action=accept dst-port=1080 protocol=tcp comment="SOCKS \
    HOTSPOT" disabled=yes 
add chain=service action=accept dst-port=1719 protocol=tcp comment="H232 \
    Telephony" disabled=yes 
add chain=service action=accept dst-port=1720 protocol=tcp comment="H232 \
    Telephony" disabled=yes 
add chain=service action=accept dst-port=1723 protocol=tcp comment="PPTP" \
    disabled=no 
add chain=service action=accept dst-port=1731 protocol=tcp comment="H323" \
    disabled=no 
add chain=service action=accept dst-port=2000 protocol=tcp comment="Bandwidth \
    server" disabled=yes 
add chain=service action=accept dst-port=2350 protocol=tcp comment="Service \
    port 2350 Fj rholmen" disabled=no 
add chain=service action=accept dst-port=2828 protocol=tcp comment="uPnP" \
    disabled=yes 
add chain=service action=accept dst-port=3128 protocol=tcp comment="WEB proxy" \
    disabled=yes 
add chain=service action=accept dst-port=3986 protocol=tcp comment="Winbox \
    proxy" disabled=yes 
add chain=service action=accept dst-port=3987 protocol=tcp comment="Winbox SSL \
    proxy" disabled=yes 
add chain=service action=accept dst-port=8080 protocol=tcp comment="Web proxy \
    test" disabled=no 
add chain=service action=accept dst-port=8291 protocol=tcp comment="Winbox" \
    disabled=no 
add chain=service action=accept dst-port=53 protocol=udp comment="DNS" \
    disabled=no 
add chain=service action=accept dst-port=67 protocol=udp comment="DHCP server" \
    disabled=yes 
add chain=service action=accept dst-port=68 protocol=udp comment="DHCP client" \
    disabled=yes 
add chain=service action=accept dst-port=123 protocol=udp comment="NTP" \
    disabled=no 
add chain=service action=accept dst-port=161 protocol=udp comment="SNMP" \
    disabled=no 
add chain=service action=accept dst-port=500 protocol=udp comment="IPSec" \
    disabled=no 
add chain=service action=accept dst-port=520 protocol=udp comment="RIP" \
    disabled=no 
add chain=service action=accept dst-port=521 protocol=udp comment="RIP" \
    disabled=no 
add chain=service action=accept dst-port=1701 protocol=udp comment="L2TP" \
    disabled=no 
add chain=service action=accept dst-port=1718 protocol=udp comment="H232 \
    Telephony" disabled=yes 
add chain=service action=accept dst-port=1900 protocol=udp comment="uPnP" \
    disabled=yes 
add chain=service action=accept dst-port=5000 protocol=udp comment="H232 \
    Telephony" disabled=yes 
add chain=service action=accept dst-port=5678 protocol=udp comment="Neighbour \
    discovery" disabled=yes 
add chain=service action=accept dst-port=20561 protocol=udp comment="MAC \
    Winbox" disabled=yes 
# IP protocol 4 is IP-in-IP; dst-port= is only valid together with protocol=tcp or udp
add chain=service action=accept protocol=ipip comment="ipip" disabled=no

I’m wondering: Is it possible that the traffic I’m observing is running on established or related connections already allowed by “legal” service ports?

Would it be a good idea to put the P2P rule at the beginning, right after the "drop invalid" rule, like this:

add chain=forward action=log connection-state=invalid log-prefix="INVALID" \
    comment="Log invalid connections" disabled=no
add chain=forward action=drop connection-state=invalid comment="Drop invalid \
    connections" disabled=no 
add chain=forward action=log p2p=all-p2p log-prefix="DROP P2P" comment="Log \
    P2P" disabled=no 
add chain=forward action=drop p2p=all-p2p comment="Drop P2P" disabled=no 
add chain=forward action=accept connection-state=established \
    comment="Established connections" disabled=no 
add chain=forward action=accept connection-state=related comment="Related \
    connections" disabled=no 
add chain=forward action=jump jump-target=virus comment="!!! Check for \
    well-known viruses !!!" disabled=no

Do you think that the P2P rule then will detect it as P2P?
I have no idea how the P2P rule matches packets; is it by packet contents?
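An added example to illustrate the ordering question raised in the post above (this is my own code, not anything from the thread or from MikroTik): a small first-match simulation of the posted forward chain. It only models what the ordering depends on, namely connection-state matching, a hypothetical `is_p2p` flag standing in for whatever the `p2p=all-p2p` matcher concludes from packet payload, and the service chain reduced to an assumed allow-list of (protocol, dst-port) pairs. The reasoning it makes visible: the first packet of a TCP flow is the SYN, which carries no payload for a content-based matcher to classify, so P2P can only be recognised on later packets, and by then connection tracking already reports the flow as established. With the accept-established rule ahead of the P2P drop, those packets are accepted before the P2P rule ever evaluates them.

```python
"""Added example, not code from this thread or from MikroTik.

A minimal first-match simulation of the RouterOS forward chain posted above.
It models only what matters for the ordering question: connection-state and
a stand-in 'is_p2p' flag (an assumption representing whatever the p2p matcher
concludes from packet payload), plus the service chain as an allow-list.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Assumed subset of the posted service chain: (protocol, dst-port) pairs that are accepted.
SERVICE_PORTS = {("tcp", 80), ("tcp", 443), ("udp", 53)}


@dataclass
class Packet:
    proto: str
    dst_port: int
    conn_state: str          # 'new', 'established', 'related' or 'invalid'
    is_p2p: bool = False     # would the p2p=all-p2p matcher fire on this packet?


@dataclass
class Rule:
    action: str                       # 'accept', 'drop', 'log' or 'jump' (to the service chain)
    conn_state: Optional[str] = None  # connection-state=... matcher, None = any
    p2p: bool = False                 # p2p=all-p2p matcher
    comment: str = ""


def matches(rule: Rule, pkt: Packet) -> bool:
    if rule.conn_state is not None and pkt.conn_state != rule.conn_state:
        return False
    if rule.p2p and not pkt.is_p2p:
        return False
    return True


def service_chain(pkt: Packet) -> Optional[str]:
    """The 'service' chain: accept listed ports, otherwise return to the caller."""
    return "accept" if (pkt.proto, pkt.dst_port) in SERVICE_PORTS else None


def evaluate(chain: List[Rule], pkt: Packet) -> Tuple[str, str]:
    """First terminating match wins. 'log' does not terminate; a 'jump' whose
    target chain reaches its end returns to the next rule, as in RouterOS."""
    for rule in chain:
        if not matches(rule, pkt):
            continue
        if rule.action == "log":
            continue
        if rule.action == "jump":
            verdict = service_chain(pkt)
            if verdict is not None:
                return verdict, rule.comment
            continue
        return rule.action, rule.comment
    return "accept", "end of chain"   # RouterOS accepts when no rule matched


ORIGINAL = [
    Rule("drop", conn_state="invalid", comment="Drop invalid connections"),
    Rule("accept", conn_state="established", comment="Established connections"),
    Rule("accept", conn_state="related", comment="Related connections"),
    Rule("drop", p2p=True, comment="Drop P2P"),
    Rule("jump", comment="Check for valid services"),
    Rule("drop", comment="Drop everything else"),
]

# The reordering proposed in the thread: P2P drop right after 'drop invalid'.
REORDERED = [ORIGINAL[0], ORIGINAL[3], ORIGINAL[1], ORIGINAL[2], ORIGINAL[4], ORIGINAL[5]]

# Constructed sample traffic. The first packet of a TCP flow is 'new' and carries
# no payload, so a content-based matcher cannot flag it; only later packets,
# which conntrack already reports as 'established', can be recognised as P2P.
SAMPLE = [
    Packet("tcp", 80, "new"),                         # web request, first packet
    Packet("tcp", 80, "established"),                 # web request, later packet
    Packet("tcp", 4809, "new"),                       # unlisted dst port, first packet
    Packet("tcp", 443, "new"),                        # P2P peer reached on an allowed port, SYN only
    Packet("tcp", 443, "established", is_p2p=True),   # same flow once payload identifies it
    Packet("tcp", 80, "invalid"),                     # stray packet with no conntrack entry
]


def verdicts(chain: List[Rule], packets: List[Packet]) -> List[str]:
    return [evaluate(chain, p)[0] for p in packets]


if __name__ == "__main__":
    for pkt, before, after in zip(SAMPLE, verdicts(ORIGINAL, SAMPLE), verdicts(REORDERED, SAMPLE)):
        print(f"{pkt.proto}/{pkt.dst_port:<5} {pkt.conn_state:<11} p2p={pkt.is_p2p!s:<5} "
              f"original={before:<6} reordered={after}")
```

The fifth sample packet is the case the question is about: a P2P flow that was opened towards an allowed port is accepted by the "Established connections" rule in the original order and only reaches "Drop P2P" once that rule is moved above it. On the router itself the equivalent check after reordering is whether the packet and byte counters of the "Drop P2P" rule start climbing (`/ip firewall filter print stats`) and whether entries with the "DROP P2P" log prefix appear.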

You have to put your P2P drop rule at the very top for it to work.

Ok, thanks!

Then I’ll put the P2P rule right after “drop invalid” as I suggested above.