Topic: Firewall logs with plenty of blocked TCP:A, TCP-RA, TCP-S connections (Read 11219 times)
myksto
Full Member
Posts: 106
Karma: 6
Firewall logs with plenty of blocked TCP:A, TCP-RA, TCP-S connections
« on: December 18, 2017, 03:25:32 pm »
Hello.
I have a lot of blocked connections like those in the subject on the LAN side.
On my LAN side I set up rules to permit access to the internet through standard ports (80, 443, 8080, 110, 443, 25, etc.) and in fact my PCs on the LAN have no problem at all.
I saw no blocked pages, no errors on the client side, all sites we surf are accessible and all mail services are accessible too.
I actually have no connection problem so I'm wondering why my firewall logs are full of blocked connections and how I can avoid this.
Cheers, Michele.
bartjsmit
Hero Member
Posts: 2018
Karma: 194
Re: Firewall logs with plenty of blocked TCP:A, TCP-RA, TCP-S connections
« Reply #1 on: December 18, 2017, 03:27:28 pm »
Are these from known source IP addresses? You may be seeing port scanning activity against your firewall.
Bart...
myksto
Full Member
Posts: 106
Karma: 6
Re: Firewall logs with plenty of blocked TCP:A, TCP-RA, TCP-S connections
« Reply #2 on: December 18, 2017, 03:39:43 pm »
Hi and thanks for the reply.
Yes, they all come from known source IP addresses (192.168.59.190-191-192).
I have only 3 PCs on the LAN and all of them generate those blocked connections.
I'm in a test environment and those PCs are fresh installs. They have nothing but a browser (Firefox) and a mail client (Thunderbird) on board.
How can they do a port scan against the firewall?
Is there any test I can do?
bartjsmit
Hero Member
Posts: 2018
Karma: 194
Re: Firewall logs with plenty of blocked TCP:A, TCP-RA, TCP-S connections
« Reply #3 on: December 18, 2017, 03:43:03 pm »
That's good; no rogue hosts on your network :-)
You can capture both sides of the traffic with tcpdump, Wireshark and the like on the workstation and directly on OPNsense.
Analysis of the traces in Wireshark will tell you what's going on.
Bart...
myksto
Full Member
Posts: 106
Karma: 6
Re: Firewall logs with plenty of blocked TCP:A, TCP-RA, TCP-S connections
« Reply #4 on: December 18, 2017, 04:22:08 pm »
Wow, Wireshark is a very powerful tool to use but very hard to learn too!
Anyway I'll give it a try.
In the meantime, googling, I found an old post on the pfSense forum where some guys talk about some blocked packets. The story is very similar to mine and they say those are normal packets that cannot be thrown out of the logs. This is the post:
https://forum.pfsense.org/index.php?topic=39960.0
What do you think about it?
Thanks again.
myksto
Full Member
Posts: 106
Karma: 6
Re: Firewall logs with plenty of blocked TCP:A, TCP-RA, TCP-S connections
« Reply #5 on: December 19, 2017, 09:24:39 am »
Well, after further analysis I found my "culprit".
On my computers I have the free Adobe Reader DC 2018 installed. Well, Adobe setup probably installs a service called "AGSService.exe" (Adobe Genuine Software Integrity Service) which makes hundreds of connections to their servers (HTTP port) every time the computer starts or restarts and every 10-15 minutes. It really makes no sense. If Adobe likes to check their licenses, well, they could do it once a day, once a week, every once in a while and not.
I tested it with tcpdump and every 10-15 minutes it's a cascade of connections from those computers to Adobe's servers. I tried stopping AGSService and all TCP-A, TCP-RA and TCP-S entries in the firewall log stopped.
At the end of the analysis I guess I can consider those logs not harmful but very annoying, so I decided to stop the Adobe service. Adobe Reader works normally so my problem is clearly solved.
Thanks for suggestions.
Cheers, Michele.
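The triage described in reply #5, done from the log side, as an added example that is not part of the thread: group blocked LAN entries by destination and check whether they recur in bursts. The CSV layout, the destination addresses (documentation ranges) and the function names are assumptions; adapt `parse` to whatever export your firewall log produces.

```python
import csv
import io
from collections import defaultdict
from datetime import datetime

# Constructed sample, NOT real OPNsense output. Assumed columns:
# time, action, source, destination, destination port, TCP flags.
SAMPLE = """\
2017-12-19T09:00:05,block,192.168.59.190,203.0.113.10,80,A
2017-12-19T09:00:06,block,192.168.59.191,203.0.113.10,80,RA
2017-12-19T09:07:30,block,192.168.59.192,198.51.100.7,443,A
2017-12-19T09:07:31,pass,192.168.59.192,198.51.100.7,443,S
2017-12-19T09:12:05,block,192.168.59.190,203.0.113.10,80,A
2017-12-19T09:12:07,block,192.168.59.192,203.0.113.10,80,RA
2017-12-19T09:25:05,block,192.168.59.191,203.0.113.10,80,S
2017-12-19T09:25:06,block,192.168.59.190,203.0.113.10,80,A
"""

def parse(text):
    """Return only the blocked entries as (time, src, dst, dport, flags)."""
    return [(datetime.fromisoformat(t), src, dst, int(dport), flags)
            for t, action, src, dst, dport, flags in csv.reader(io.StringIO(text))
            if action == "block"]

def burst_starts(times, gap_s=60):
    """Merge timestamps less than gap_s apart into bursts; return burst starts."""
    starts, prev = [], None
    for t in sorted(times):
        if prev is None or (t - prev).total_seconds() > gap_s:
            starts.append(t)
        prev = t
    return starts

def summarize(rows):
    """Per destination: blocked count, sources, flags seen, burst spacing."""
    groups = defaultdict(list)
    for t, src, dst, dport, flags in rows:
        groups[(dst, dport)].append((t, src, flags))
    report = []
    for (dst, dport), hits in groups.items():
        starts = burst_starts(t for t, _, _ in hits)
        gaps = [round((b - a).total_seconds() / 60) for a, b in zip(starts, starts[1:])]
        report.append({"dst": dst, "dport": dport, "blocked": len(hits),
                       "sources": sorted({s for _, s, _ in hits}),
                       "flags": sorted({f for _, _, f in hits}),
                       "bursts": len(starts), "gap_min": gaps})
    return sorted(report, key=lambda r: r["blocked"], reverse=True)

if __name__ == "__main__":
    print(*summarize(parse(SAMPLE)), sep="\n")
```

A destination that tops the list from every LAN host with regular `gap_min` values points at a scheduled client process rather than a scan; a capture on the workstation then identifies the process.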
bartjsmit
Hero Member
Posts: 2018
Karma: 194
Re: Firewall logs with plenty of blocked TCP:A, TCP-RA, TCP-S connections
« Reply #6 on: December 19, 2017, 03:58:28 pm »
Hats off; good bit of detective work.
Bart...