TheSirStumfy
Frequent Visitor
Topic Author
Posts: 58
Joined: Sun Oct 14, 2018 7:54 pm

Finding a firewalled connection

Sat Feb 16, 2019 9:27 am

Hello,

Quick question,

If you are getting a lot of hits on a FW rule, what is the best way to find what connection is causing this?

Regards
 
DummyPLUG
Frequent Visitor
Posts: 79
Joined: Wed Jan 03, 2018 10:17 am

Re: Finding a firewalled connection

Sat Feb 16, 2019 10:23 am

Depends, but in most cases I will log to a remote syslog server and examine it later.
 
nescafe2002
Long time Member
Posts: 624
Joined: Tue Aug 11, 2015 12:46 pm
Location: Netherlands

Re: Finding a firewalled connection  [SOLVED]

Sat Feb 16, 2019 10:32 am

Do a Torch on the interface and you will see which host/protocol/port causes the most traffic.

You can enable logging on the specific rule, to memory will be fine for a limited time period.
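
One way to read the log once logging is enabled on the rule, as an added example that is not part of the original posts: it counts which source hosts and which protocol/port pairs account for the hits. The log-line layout and the `WAN-DROP` log-prefix are assumptions, and the sample lines are constructed.

```python
import re
from collections import Counter

# Constructed sample lines in the layout RouterOS typically uses for firewall
# log entries (assumed); "WAN-DROP" and "LAN-OK" are hypothetical log-prefixes.
SAMPLE_LOG = """\
10:40:01 firewall,info WAN-DROP input: in:ether1 out:(unknown 0), src-mac 00:00:5e:00:53:01, proto TCP (SYN), 203.0.113.7:51514->198.51.100.2:23, len 44
10:40:02 firewall,info WAN-DROP input: in:ether1 out:(unknown 0), src-mac 00:00:5e:00:53:01, proto TCP (SYN), 203.0.113.7:51515->198.51.100.2:23, len 44
10:40:05 firewall,info WAN-DROP input: in:ether1 out:(unknown 0), src-mac 00:00:5e:00:53:01, proto TCP (SYN), 203.0.113.7:40022->198.51.100.2:22, len 60
10:40:09 firewall,info WAN-DROP input: in:ether1 out:(unknown 0), src-mac 00:00:5e:00:53:01, proto UDP, 192.0.2.44:40000->198.51.100.2:53, len 60
10:40:11 firewall,info WAN-DROP input: in:ether1 out:(unknown 0), src-mac 00:00:5e:00:53:01, proto ICMP (type 8, code 0), 192.0.2.99->198.51.100.2, len 84
10:40:12 firewall,info LAN-OK forward: in:bridge out:ether1, src-mac 00:00:5e:00:53:02, proto TCP (SYN), 192.168.88.10:50000->203.0.113.80:443, len 52
10:40:15 system,info,account user admin logged in via winbox
"""

# prefix, chain, in-interface, protocol, then src[:port]->dst[:port].
# ICMP entries carry no ports, so both port groups are optional.
LINE_RE = re.compile(
    r"(?P<prefix>\S+) (?P<chain>input|forward|output): in:(?P<in_if>\S+) .*?"
    r"proto (?P<proto>\w+)(?: \([^)]*\))?, "
    r"(?P<src>\d+\.\d+\.\d+\.\d+)(?::(?P<sport>\d+))?->"
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)(?::(?P<dport>\d+))?, len (?P<len>\d+)"
)

def parse(log_text, prefix):
    """Yield (src, proto, dport) for each line logged by the rule with this prefix."""
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if m and m["prefix"] == prefix:
            yield m["src"], m["proto"], m["dport"] or "-"

def summarize(log_text, prefix, top=3):
    """Return (top source hosts, top proto/port pairs) as lists of (key, hits)."""
    by_src, by_service = Counter(), Counter()
    for src, proto, dport in parse(log_text, prefix):
        by_src[src] += 1
        by_service[f"{proto}/{dport}"] += 1
    return by_src.most_common(top), by_service.most_common(top)

if __name__ == "__main__":
    sources, services = summarize(SAMPLE_LOG, "WAN-DROP")
    for label, rows in (("source", sources), ("service", services)):
        for key, hits in rows:
            print(f"{label:8} {key:18} {hits}")
```
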
 
TheSirStumfy
Frequent Visitor
Topic Author
Posts: 58
Joined: Sun Oct 14, 2018 7:54 pm

Re: Finding a firewalled connection

Sat Feb 16, 2019 10:35 am

Yeah, the log! OK, got it, thanks. I have a disk set up for logging anyway, so memory and space won't be a problem.

Is it normal, BTW, to see a lot of "drop all not coming from LAN" traffic?

Regards
 
Pea
Member Candidate
Posts: 191
Joined: Fri Jul 17, 2015 11:07 pm
Location: Czech

Re: Finding a firewalled connection

Sat Feb 16, 2019 1:49 pm

For home use with a public IP you normally get a few thousand hits per month.
Instead of your final drop rule, try using this reject rule and see if the hits get reduced over time:
add action=reject chain=input reject-with=icmp-admin-prohibited
