OPNsense Forum

English Forums => General Discussion => Topic started by: myksto on December 18, 2017, 03:25:32 pm

Title: Firewall logs with plenty of blocked TCP:A, TCP-RA, TCP-S connections
Post by: myksto on December 18, 2017, 03:25:32 pm
Hello.
I have a lot of blocked connections like those in the subject on the LAN side.
On my LAN side I set up rules to permit access to the internet through standard ports (80, 443, 8080, 110, 443, 25, etc.), and in fact my PCs on the LAN have no problem at all.
I see no blocked pages and no errors on the client side; all the sites we browse are accessible, and all mail services are accessible too.
I actually have no connection problems, so I'm wondering why my firewall logs are full of blocked connections and how I can avoid this.

Cheers, Michele.
Title: Re: Firewall logs with plenty of blocked TCP:A, TCP-RA, TCP-S connections
Post by: bartjsmit on December 18, 2017, 03:27:28 pm
Are these from known source IP addresses? You may be seeing port scanning activity against your firewall.

Bart...
Title: Re: Firewall logs with plenty of blocked TCP:A, TCP-RA, TCP-S connections
Post by: myksto on December 18, 2017, 03:39:43 pm
Hi, and thanks for the reply.
Yes, they all come from known source IP addresses (192.168.59.190, 192.168.59.191 and 192.168.59.192).
I have only 3 PCs on the LAN and all of them generate those blocked connections.
I'm in a test environment and those PCs are fresh installs. They have nothing but a browser (Firefox) and a mail client (Thunderbird) on board.
How can they do port scans against the firewall?
Is there any test I can do?
Title: Re: Firewall logs with plenty of blocked TCP:A, TCP-RA, TCP-S connections
Post by: bartjsmit on December 18, 2017, 03:43:03 pm
That's good; no rogue hosts on your network :-)

You can capture both sides of the traffic with tcpdump, Wireshark and the likes on the workstation and directly on OPNsense.

Analysis of the traces in Wireshark will tell you what's going on.

Bart...
Title: Re: Firewall logs with plenty of blocked TCP:A, TCP-RA, TCP-S connections
Post by: myksto on December 18, 2017, 04:22:08 pm
Wow, Wireshark is a very powerful tool to use, but very hard to learn too! :)
Anyway, I'll give it a try.
In the meantime, while googling, I found an old post on the pfSense forum where some guys talk about some blocked packets. The story is very similar to mine, and they say those are normal packets that cannot be kept out of the logs. This is the post: https://forum.pfsense.org/index.php?topic=39960.0

What do you think about it?

Thanks again.
Title: Re: Firewall logs with plenty of blocked TCP:A, TCP-RA, TCP-S connections
Post by: myksto on December 19, 2017, 09:24:39 am
Well, after further analysis I found my "culprit".
On my computers I have the free Adobe Reader DC 2018 installed. Well, the Adobe setup probably installs a service called "AGSService.exe" (Adobe Genuine Software Integrity Service) which makes hundreds of connections to their servers (HTTP port) every time the computer starts or restarts, and every 10-15 minutes. It really makes no sense. If Adobe wants to check their licenses, well, they could do it once a day, once a week, every once in a while, and not this often.
I tested it with tcpdump, and every 10-15 minutes there is a cascade of connections from those computers to Adobe's servers. I tried stopping AGSService, and all TCP:A, TCP:RA and TCP:S entries in the firewall log stopped.
At the end of the analysis I guess I can consider those log entries not harmful but very annoying, so I decided to stop the Adobe service. Adobe Reader works normally, so my problem is clearly solved.

Thanks for suggestions.

Cheers, Michele.
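Bart's advice (capture on both sides and look at the traces) and Michele's result (one chatty service on every LAN host producing cascades of blocked TCP:A, TCP:RA and TCP:S entries every 10-15 minutes) come down to the same triage step: aggregate the block log by source host and TCP flags, then look at the timing. The script below is an added example written for this page; it is not code from the thread, from OPNsense or from Adobe. It parses a few constructed lines in the comma-separated layout that OPNsense's filterlog writes to /var/log/filter.log (the exact field order, rule IDs and the 203.0.113.10 destination used here are assumptions for the example), counts blocked TCP entries per (source, flags) pair, names the noisiest host, and measures the gap between bursts for that host. A blocked TCP:A or TCP:RA from a LAN host on an otherwise permitted flow usually means pf saw a packet for which it no longer had a state entry (the state had expired or been closed), so the source-and-timing view is normally enough to point at one host and one schedule; mapping the source port to a process on that host (for example with `netstat -bno` on Windows during a burst) closes the loop.

```python
"""Triage of OPNsense/pf filterlog block entries by source host, TCP flags and timing.

Added example for this thread, not OPNsense project code.  The sample log is
constructed; the filterlog field order below is an assumption for the example.
"""
from collections import Counter
from datetime import datetime

# Constructed sample: three LAN hosts (as in the thread), a placeholder web
# server 203.0.113.10, one passed SYN and one blocked UDP broadcast as noise.
SAMPLE_LOG = """\
Dec 18 14:01:07 fw filterlog: 5,,,1000000103,em1,match,block,in,4,0x0,,128,14335,0,DF,6,tcp,40,192.168.59.190,203.0.113.10,49215,80,0,A,3123456789,4123456789,513,,
Dec 18 14:01:07 fw filterlog: 5,,,1000000103,em1,match,block,in,4,0x0,,128,14336,0,DF,6,tcp,40,192.168.59.190,203.0.113.10,49215,80,0,RA,3123456790,0,0,,
Dec 18 14:01:09 fw filterlog: 5,,,1000000103,em1,match,block,in,4,0x0,,128,14340,0,DF,6,tcp,52,192.168.59.190,203.0.113.10,49218,80,0,S,3123457001,0,8192,,mss;nop;wscale;nop;nop;sackOK
Dec 18 14:01:10 fw filterlog: 12,,,1000000110,em1,match,pass,in,4,0x0,,128,14341,0,DF,6,tcp,52,192.168.59.190,203.0.113.10,49219,80,0,S,3123457100,0,8192,,mss;nop;wscale;nop;nop;sackOK
Dec 18 14:01:12 fw filterlog: 5,,,1000000103,em1,match,block,in,4,0x0,,128,2210,0,none,17,udp,78,192.168.59.191,192.168.59.255,137,137,58
Dec 18 14:13:10 fw filterlog: 5,,,1000000103,em1,match,block,in,4,0x0,,128,15001,0,DF,6,tcp,40,192.168.59.190,203.0.113.10,49301,80,0,A,3123460000,4123460000,513,,
Dec 18 14:13:41 fw filterlog: 5,,,1000000103,em1,match,block,in,4,0x0,,128,7712,0,DF,6,tcp,40,192.168.59.191,203.0.113.10,50110,80,0,A,2000000000,2100000000,513,,
Dec 18 14:26:30 fw filterlog: 5,,,1000000103,em1,match,block,in,4,0x0,,128,15890,0,DF,6,tcp,40,192.168.59.190,203.0.113.10,49402,80,0,RA,3123470000,0,0,,
Dec 18 14:26:31 fw filterlog: 5,,,1000000103,em1,match,block,in,4,0x0,,128,3301,0,DF,6,tcp,52,192.168.59.192,203.0.113.10,51222,80,0,S,1500000000,0,8192,,mss;nop;wscale;nop;nop;sackOK
"""
LINES = SAMPLE_LOG.splitlines()


def parse_filterlog_line(line):
    """Parse one syslog line from filterlog into a dict, or return None.

    Assumed CSV layout after "filterlog: " (IPv4, TCP/UDP only):
    rulenr,subrulenr,anchor,ruleid,iface,reason,action,dir,ipver,tos,ecn,
    ttl,id,offset,ipflags,proto,protoname,length,src,dst,sport,dport,datalen,
    [tcpflags,seq,ack,window,urg,options]
    """
    if " filterlog: " not in line:
        return None
    prefix, _, rest = line.partition(" filterlog: ")
    stamp = " ".join(prefix.split()[:3])          # "Mon DD HH:MM:SS", no year
    ts = datetime.strptime(stamp, "%b %d %H:%M:%S")
    f = rest.split(",")
    if len(f) < 23 or f[8] != "4" or f[16] not in ("tcp", "udp"):
        return None                                # out of scope for this example
    return {
        "ts": ts, "iface": f[4], "action": f[6], "dir": f[7], "proto": f[16],
        "src": f[18], "dst": f[19], "sport": int(f[20]), "dport": int(f[21]),
        "tcpflags": f[23] if f[16] == "tcp" and len(f) > 23 else "",
    }


def blocked_tcp_by_source(lines):
    """Count blocked TCP entries per (source IP, flags); flags are rendered the
    way the OPNsense firewall log view shows them, e.g. TCP:A, TCP:RA, TCP:S."""
    counts = Counter()
    for entry in map(parse_filterlog_line, lines):
        if entry and entry["action"] == "block" and entry["proto"] == "tcp":
            counts[(entry["src"], "TCP:" + entry["tcpflags"])] += 1
    return counts


def noisiest_source(counts):
    """Return (source IP, total blocked TCP entries) for the loudest host."""
    per_host = Counter()
    for (src, _flags), n in counts.items():
        per_host[src] += n
    return per_host.most_common(1)[0] if per_host else None


def burst_gaps_minutes(lines, src, quiet_seconds=60):
    """Group one host's blocked TCP entries into bursts (a silence longer than
    quiet_seconds starts a new burst) and return the minutes between burst
    starts, rounded.  A steady 10-15 minute cadence is the signature of a
    scheduled check-in rather than of user activity or a scan."""
    times = sorted(e["ts"] for e in map(parse_filterlog_line, lines)
                   if e and e["src"] == src and e["action"] == "block"
                   and e["proto"] == "tcp")
    starts, last = [], None
    for t in times:
        if last is None or (t - last).total_seconds() > quiet_seconds:
            starts.append(t)
        last = t
    return [round((b - a).total_seconds() / 60) for a, b in zip(starts, starts[1:])]


if __name__ == "__main__":
    counts = blocked_tcp_by_source(LINES)
    for (src, flags), n in sorted(counts.items()):
        print(f"{src:16} {flags:8} {n}")
    host, total = noisiest_source(counts)
    print(f"noisiest host: {host} ({total} blocked TCP entries), "
          f"minutes between bursts: {burst_gaps_minutes(LINES, host)}")
```

On the constructed sample the loudest host is 192.168.59.190 with bursts 12 and 13 minutes apart, which is the pattern Michele then matched to the service by stopping it and watching the entries disappear. Against a real /var/log/filter.log the same functions work unchanged on `open(path).readlines()`, and lowering `quiet_seconds` separates bursts that are closer together.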
Title: Re: Firewall logs with plenty of blocked TCP:A, TCP-RA, TCP-S connections
Post by: bartjsmit on December 19, 2017, 03:58:28 pm
Hats off; good bit of detective work  8)

Bart...