Suspicious Activity on my OPNsense Firewall logs

Started by SerErris, April 03, 2024, 11:48:39 PM

April 03, 2024, 11:48:39 PM Last Edit: April 04, 2024, 01:03:35 AM by SerErris
Hi looking at my firewall with a plain vanilla new install with OPNsense 24.1.4-amd64

I am getting a lot of firewall logs from the firewall itself to some unknown IP addresses .. I am not using a proxy currently.

The configuration is like this:
Two ports active: LAN and WAN
WAN is connected to Deutsche Telekom via Telekom Modem (VLAN 7 and PPPoE).

And that's about it. The rest is just default (not the internal IP address range, but that is a different topic).

I also did install UPnP plugin.

So what is the firewall actually doing? I would not expect the firewall itself to send out a lot of packets, other than DNS requests.


Hmm ...

I do not see any connection from my internal network (LAN) to external ... But as I am writing here at this point in time, I would expect some traffic from this computer to the forum server.

Anyone able to explain, what is going on and why I do not see the traffic in a normal way?

Not sure how you set up your firewall rules / what you expect to see, but this looks like standard 'clients going through the WAN interface'.

I haven't checked all of your IPs that are shown in the screenshot, but some, and they look 'normal'.

172.253.115.100 -> Google
167.235.201.139 > pool.ntp.org
162.125.6.20 -> Dropbox
184.86.251.146 -> Akamai

April 04, 2024, 12:10:55 AM #3 Last Edit: April 04, 2024, 01:04:56 AM by SerErris
Okay, here I do see some information:

So this is my PC (192.168.0.195) and it is connecting to somewhere ...

It always consists of two lines:

Direction  Source                     Gateway                        Destination
IN         192.168.0.195:5019                                        17.57.146.55:5223
OUT        myownip:49279      192.168.0.195:50194             17.57.146.55:5223


So that might explain why I only see those Out Firewall log entries ... But I am still surprised that I cannot see the simple Input from 192.168.0.195 to 17.57.146.55


Firewall: Diagnostics: Sessions

Proto Source                    Gateway      Destination               State                                        Age (sec) Expires (sec)                 Pkts Bytes    Rule
tcp 192.168.0.195:50194 17.57.146.55:5223 ESTABLISHED:ESTABLISHED 33610 86326 120.00 Bytes 16.26 KB Default allow LAN to any rule
tcp redacted:49279 192.168.0.195:50194 17.57.146.55:5223 ESTABLISHED:ESTABLISHED 33610 86326 120.00 Bytes 16.26 KB let out anything from firewall host itself (force gw)
tcp 192.168.0.195:54154 40.113.110.67:443 ESTABLISHED:ESTABLISHED 9098 86247 110.00 Bytes 13.61 KB Default allow LAN to any rule
tcp redacted:7504 192.168.0.195:54154 40.113.110.67:443 ESTABLISHED:ESTABLISHED 9098 86247 110.00 Bytes 13.61 KB let out anything from firewall host itself (force gw)
tcp 192.168.0.195:54139 142.250.186.106:443 ESTABLISHED:ESTABLISHED 9098 86392 649.00 Bytes 58.03 KB Default allow LAN to any rule
tcp redacted:56993 192.168.0.195:54139 142.250.186.106:443 ESTABLISHED:ESTABLISHED 9098 86392 649.00 Bytes 58.03 KB let out anything from firewall host itself (force gw)
tcp 192.168.0.195:54247 91.222.185.232:443 ESTABLISHED:ESTABLISHED 9092 86390 1.29 KB 58.96 KB Default allow LAN to any rule
tcp redacted:10064 192.168.0.195:54247 91.222.185.232:443 ESTABLISHED:ESTABLISHED 9092 86390 1.29 KB 58.96 KB let out anything from firewall host itself (force gw)
tcp 192.168.0.195:54427 157.240.223.22:443 ESTABLISHED:ESTABLISHED 9071 86372 919.00 Bytes 58.19 KB Default allow LAN to any rule
tcp redacted:39451 192.168.0.195:54427 157.240.223.22:443 ESTABLISHED:ESTABLISHED 9071 86372 919.00 Bytes 58.19 KB let out anything from fire

Quote from: h3zwe on April 04, 2024, 12:04:54 AM
Not sure how you set up your firewall rules / what you expect to see, but this looks like standard 'clients going through the WAN interface'.

I have not set up any firewall rules myself, it is just the default.

Block everything that is coming from outside (initiate) and pass everything from inside. So plain vanilla.

What I expected to see in the firewall log is where (inside) the packet is coming from and where it is going.

But I think I would need to setup the firewall rule to output a log entry for the LAN rule.

I think I do now understand the log output.

I do not see the source in the outgoing rule as it is NAT protocol.

After activating logging for the LAN rule, I can see the original LAN packet (that has the correct source and destination) and then I do see the repacked new packet from the firewall to the Internet. Because of NAT the original sender would not make sense, as the destination server would not know how to reach my client behind the firewall.

After enabling that part of the log, the picture is now much clearer.
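The pairing described in this post (one LAN-side state with the private client address, one post-NAT state whose source is the firewall's WAN address and whose Gateway column holds the original client) can be checked mechanically. The script below is an added example for this thread, not OPNsense code. It reads a constructed, simplified copy of the Firewall: Diagnostics: Sessions table (proto, source, gateway or "-", destination, rule), pairs each post-NAT state with its LAN-side counterpart, and lists separately the states where the firewall itself is the originator and the post-NAT states that have no visible LAN-side counterpart, which is the one-sided picture you get when the LAN rule does not log. The address 203.0.113.7 stands in for the redacted public WAN address and the sample rows are constructed.

```python
"""
Pair the two session entries that NAT produces for each LAN client
connection and separate them from traffic the firewall itself originates.

Added example, not OPNsense code. Input is a constructed, simplified copy of
the Firewall: Diagnostics: Sessions table: proto, source, gateway ("-" when
the column is empty; for post-NAT states OPNsense shows the original client
there), destination, rule (the rule name may contain spaces).
"""
from collections import namedtuple

Session = namedtuple("Session", "proto src gw dst rule")

# Constructed sample modelled on the session table in the thread.
# 203.0.113.7 stands in for the redacted public WAN address (assumption).
SAMPLE_SESSIONS = """\
tcp 192.168.0.195:50194 - 17.57.146.55:5223 Default allow LAN to any rule
tcp 203.0.113.7:49279 192.168.0.195:50194 17.57.146.55:5223 let out anything from firewall host itself (force gw)
tcp 192.168.0.195:54154 - 40.113.110.67:443 Default allow LAN to any rule
tcp 203.0.113.7:7504 192.168.0.195:54154 40.113.110.67:443 let out anything from firewall host itself (force gw)
tcp 203.0.113.7:39451 192.168.0.20:54427 157.240.223.22:443 let out anything from firewall host itself (force gw)
udp 203.0.113.7:12345 - 167.235.201.139:123 let out anything from firewall host itself (force gw)
"""


def parse_sessions(text):
    """Parse whitespace-separated rows; split at most 4 times so the rule keeps its spaces."""
    sessions = []
    for line in text.splitlines():
        if not line.strip():
            continue
        proto, src, gw, dst, rule = line.split(None, 4)
        sessions.append(Session(proto, src, None if gw == "-" else gw, dst, rule))
    return sessions


def host(endpoint):
    """'1.2.3.4:443' -> '1.2.3.4' (IPv4 only, as in the thread)."""
    return endpoint.rsplit(":", 1)[0]


def correlate(sessions, wan_ip):
    """Split sessions into NAT pairs, firewall-originated flows and orphans.

    A pre-NAT state has no gateway column and a non-WAN source. A post-NAT
    state carries the original client in the gateway column, so the pair key
    is (original client endpoint, destination). A state with the WAN address
    as source and no gateway is the firewall talking on its own behalf.
    """
    pre = {(s.src, s.dst): s for s in sessions
           if s.gw is None and host(s.src) != wan_ip}
    pairs, own, orphans = [], [], []
    for s in sessions:
        if s.gw is None:
            if host(s.src) == wan_ip:
                own.append(s)
            continue
        if (s.gw, s.dst) in pre:
            pairs.append({"proto": s.proto, "client": s.gw,
                          "translated": s.src, "dst": s.dst})
        else:
            # Post-NAT state whose LAN-side counterpart is not in the input:
            # the picture the firewall log shows when only the outbound NAT
            # entry is logged and the LAN rule is not.
            orphans.append(s)
    return pairs, own, orphans


def report(text, wan_ip):
    """One human-readable line per flow, with the original client restored."""
    pairs, own, orphans = correlate(parse_sessions(text), wan_ip)
    lines = [f"{p['client']} -> {p['dst']} via {p['translated']} ({p['proto']})"
             for p in pairs]
    lines += [f"firewall itself -> {s.dst} ({s.proto})" for s in own]
    lines += [f"UNMATCHED {s.gw} -> {s.dst} via {s.src}; no LAN-side state"
              for s in orphans]
    return lines


if __name__ == "__main__":
    for line in report(SAMPLE_SESSIONS, "203.0.113.7"):
        print(line)
```

The useful check is the "firewall itself" bucket: after the NAT pairs are accounted for, whatever remains there is genuinely the firewall's own outbound traffic (NTP, DNS, update checks, plugins such as UPnP) and is the short list worth reviewing, rather than the whole log.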

Good to hear.

You might want to redact your personal (public) IP from these logs/screenshots, unless yours is dynamic and changes in the next few hours anyway.

Thanks for your help and have redacted the logs.

Quote from: SerErris on April 04, 2024, 12:27:04 AM
(...)
I do not see the source in the outgoing rule as it is NAT protocol.
(...) Because of NAT the original sender would not make sense as the destination server would not know how to reach my client behind the firewall.
(...)

Apologies, missed that on the first read.

Does enabling 'Log packets matched by automatic outbound NAT rules' under 'Firewall: Settings: Advanced' possibly help with that?


Thanks for the followup, yes it does.

I need to get myself more familiar with the way the documentation is written. I was not able to find it.

Thank you so much for your support.