Finding a firewalled connection

Posted: Sat Feb 16, 2019 9:27 am
by TheSirStumfy
Hello,

Quick question,

If you are getting a lot of hits on a FW rule, what is the best way to find what connection is causing this?

Regards

Re: Finding a firewalled connection

Posted: Sat Feb 16, 2019 10:23 am
by DummyPLUG
Depends, but in most cases I will log to a remote syslog server and examine it later.

Re: Finding a firewalled connection  [SOLVED]

Posted: Sat Feb 16, 2019 10:32 am
by nescafe2002
Do a Torch on the interface and you will see which host/protocol/port causes the most traffic.

You can enable logging on the specific rule, to memory will be fine for a limited time period.
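
One way to act on the logging advice in this thread, as an added example that is not part of the original posts: a Python script that tallies logged firewall hits by source address, protocol and destination port. The log lines are constructed, the `WAN-DROP` log prefix is hypothetical, and the line layout is an assumption about the RouterOS IPv4 firewall log format.

```python
import re
from collections import Counter

# Assumed layout of an IPv4 RouterOS firewall log line; adjust if yours differs.
LINE_RE = re.compile(
    r"(?P<chain>\w+): in:(?P<in_if>\S+) out:.*?proto (?P<proto>\w+)(?: \([^)]*\))?, "
    r"(?P<src>\d+(?:\.\d+){3})(?::(?P<sport>\d+))?->"
    r"(?P<dst>\d+(?:\.\d+){3})(?::(?P<dport>\d+))?"
)

# Constructed sample lines (documentation addresses); WAN-DROP is a hypothetical log prefix.
SAMPLE_LOG = [
    "10:40:01 firewall,info WAN-DROP input: in:ether1 out:(unknown 0), src-mac 00:00:5e:00:53:01, proto TCP (SYN), 203.0.113.7:40112->198.51.100.2:23, len 40",
    "10:40:02 firewall,info WAN-DROP input: in:ether1 out:(unknown 0), src-mac 00:00:5e:00:53:01, proto TCP (SYN), 203.0.113.7:40113->198.51.100.2:23, len 40",
    "10:40:03 firewall,info WAN-DROP input: in:ether1 out:(unknown 0), src-mac 00:00:5e:00:53:01, proto UDP, 203.0.113.9:5060->198.51.100.2:5060, len 420",
    "10:40:04 system,info,account user admin logged in from 192.0.2.50 via winbox",
    "10:40:05 firewall,info WAN-DROP input: in:ether1 out:(unknown 0), src-mac 00:00:5e:00:53:01, proto ICMP (type 8, code 0), 203.0.113.20->198.51.100.2, len 56",
    "10:40:06 firewall,info LAN-OK forward: in:bridge out:ether1, src-mac 00:00:5e:00:53:02, proto TCP (SYN), 192.0.2.10:50000->198.51.100.80:443, len 52",
    "10:40:07 firewall,info WAN-DROP input: in:ether1 out:(unknown 0), src-mac 00:00:5e:00:53:01, proto TCP (SYN), 203.0.113.7:40114->198.51.100.2:23, len 40",
]

def parse_line(line, prefix=None):
    """Return the fields of one firewall log line, or None if it is not one."""
    if prefix and prefix not in line:
        return None  # logged by a different rule
    m = LINE_RE.search(line)
    if not m:
        return None  # not a firewall packet log line
    rec = m.groupdict()
    # ICMP and other port-less protocols leave the port groups empty.
    rec["dport"] = int(rec["dport"]) if rec["dport"] else None
    return rec

def top_hits(lines, prefix=None, n=5):
    """Count matching lines by (source address, protocol, destination port)."""
    counts = Counter()
    for line in lines:
        rec = parse_line(line, prefix)
        if rec:
            counts[(rec["src"], rec["proto"], rec["dport"])] += 1
    return counts.most_common(n)

if __name__ == "__main__":
    for (src, proto, dport), hits in top_hits(SAMPLE_LOG, prefix="WAN-DROP"):
        print(f"{hits:5d}  {src:<15}  {proto:<4}  dport={dport}")
```

Setting a distinct log prefix on the rule being investigated keeps its entries separable from other rules' entries when everything lands in the same log file or syslog stream.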

Re: Finding a firewalled connection

Posted: Sat Feb 16, 2019 10:35 am
by TheSirStumfy
Yeah, the log! OK, got it, thanks. I have a disk set up for logging anyway, so memory and space won't be a problem.

Is it normal, BTW, to see a lot of "drop all not coming from LAN" traffic?

Regards

Re: Finding a firewalled connection

Posted: Sat Feb 16, 2019 1:49 pm
by Pea
For home use with a public IP you normally get a few thousand hits per month.
Instead of your final drop rule, try using this reject rule and see if the hits get reduced over time:
add action=reject chain=input reject-with=icmp-admin-prohibited