Hello, I would like to extend this topic further. I have a similar situation where lots of connections are established toward my client with 0/0 orig rate and bytes. I see that these connections are established backward only when the client establishes a connection to some https server. How can I filter such behavior and not break the client connection?
Any ideas why it's happening?
Personally I suppose that this is some malicious behavior on the client side, and I want to hold this number of unneeded connections as low as possible on my router.
[Attachment: fw1.PNG]
I have to start from quite a faraway point. One would expect that a firewall would only allow a TCP connection to establish when it receives a SYN packet from a client towards the server. But this requires a bit more resources to analyse the packets, so the connection tracking module allows reducing the load by relaxing the requirements, through setting /ip firewall connection tracking loose-tcp-tracking to yes. And this setting is the default one, and for years it was not even available as a configuration item. With this setting, any TCP packet, even a mid-connection one, will create a tracked connection in the firewall.
Now you can see in your table that the source port is 443 (https), which is not the usual way TCP connections are established - normally, the TCP server listens at a given port (443), and TCP clients use arbitrary ports above 10000 (depends on OS and settings), so the first packet's source port is, say, 54321 and the destination port is 443.
But if someone else sends a SYN packet to 2.18.76.90:443 from the public IP address of your client, the server responds to the source address and port of that request, so the response lands at your client's WAN interface. With loose-tcp-tracking set to no, such packets will be dropped (because they are SYN,ACK ones); with loose-tcp-tracking set to the (default) yes, it creates a connection with a 5-minute lifetime.
So one explanation is that someone is running a SYN-flood attack to 2.18.76.90:443, spoofing the address of your client, and your firewall creates tracked connections due to this.
Setting loose-tcp-tracking to no should hide this issue from you. Even if your client doesn't need to connect to 2.18.76.90:443, the worst that can happen is that the admin of 2.18.76.90:443 will send your client's address to some list of spammers, so the client will be denied access to other sites as well.
Another explanation is that your client actually does connect to 2.18.76.90:443, but the server doesn't respond, so the connection times out on both the client PC and the firewall, and when the response comes from the server, the client PC already ignores it.
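The distinction the reply draws between loose and strict TCP tracking, as an added example that is not part of the original thread: a small Python model (not RouterOS code) that feeds one genuine client handshake and one unsolicited SYN/ACK through both modes and then lists the entries whose originator is a server port, the pattern the reply points out. The client address 203.0.113.10 and the "port below 1024 means server side" heuristic are assumptions.

```python
from typing import Dict, List, Tuple

# Constructed model (not RouterOS code) of the two connection-tracking modes
# described above. Loose: any TCP packet opens a tracked connection.
# Strict: only a pure SYN opens one; a stray SYN/ACK is invalid and dropped.
CLIENT = "203.0.113.10"   # assumed public address of the questioner's client
SERVER = "2.18.76.90"     # server address quoted in the thread
Key = Tuple[str, int, str, int]   # (src, sport, dst, dport) of the originator
Packet = Tuple[str, int, str, int, str]   # ... plus TCP flags: "S" or "SA"

class Tracker:
    def __init__(self, loose: bool) -> None:
        self.loose = loose
        self.table: Dict[Key, List[int]] = {}   # key -> [orig pkts, reply pkts]

    def handle(self, p: Packet) -> str:
        src, sport, dst, dport, flags = p
        fwd: Key = (src, sport, dst, dport)
        rev: Key = (dst, dport, src, sport)
        if fwd in self.table:
            self.table[fwd][0] += 1
            return "established"
        if rev in self.table:
            self.table[rev][1] += 1
            return "established"
        if flags == "S" or self.loose:   # strict mode needs a genuine SYN
            self.table[fwd] = [1, 0]
            return "new"
        return "invalid"                 # unsolicited SYN/ACK: dropped

    def reversed_entries(self) -> List[Key]:
        # Entries whose originator port is a server port (assumed: < 1024):
        # the pattern the reply points out, source port 443 instead of a
        # client's high port.
        return [k for k in self.table if k[1] < 1024]

def simulate(loose: bool) -> Tuple[List[str], List[Key]]:
    t = Tracker(loose)
    packets: List[Packet] = [
        (CLIENT, 54321, SERVER, 443, "S"),    # genuine client SYN
        (SERVER, 443, CLIENT, 54321, "SA"),   # its legitimate reply
        (SERVER, 443, CLIENT, 40000, "SA"),   # reply to a SYN someone spoofed
    ]
    return [t.handle(p) for p in packets], t.reversed_entries()

if __name__ == "__main__":
    for mode in (True, False):
        print("loose" if mode else "strict", simulate(mode))
```

In loose mode the spoofed reply shows up as a tracked connection originating from 2.18.76.90:443, exactly the backward entries in the screenshot; in strict mode it is simply dropped.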