Page 1 of 2
Results 1 to 10 of 14
  1. #1
    Master Untangler
    Join Date
    Feb 2016
    Location
    Michigan
    Posts
    657

finding the mobile app that triggers a firewall block

    I have a firewall block rule that is regularly being violated by some mobile app. The firewall report tells me what the offending devices are (so it's some app common to two different mobile users), but I'd like to dig a little deeper and know what app is the root cause. Maybe my rule is interfering in legitimate traffic, or maybe I need to remove an offending app.

    I've tried looking through various reports using the relevant server IPs to see if I can dig out the app. Apparently the firewall rule comes first and the trail dead ends there. Is there a way for me to learn which app is behind the firewall rule violation?

  2. #2
Untangle Junkie dmorris
    Join Date
    Nov 2006
    Location
    San Carlos, CA
    Posts
    17,729


    I would look in the reports and find the session and investigate the session information.
    Attention: Support and help on the Untangle Forums is provided by volunteers and community members like yourself.
    If you need Untangle support please call or email support@untangle.com

  3. #3
    Master Untangler
    Join Date
    Feb 2016
    Location
    Michigan
    Posts
    657


    I'm probably misunderstanding and/or doing something wrong, but the closest I get by looking at sessions is that the Application is TCP (ProtoChain /TCP). I don't know how to narrow it down from there.

  4. #4
Untangle Ninja sky-knight
    Join Date
    Apr 2008
    Location
    Phoenix, AZ
    Posts
    23,288


    And that's where you run face first into the limitations of mobile OSes. Full OSes have tools on them so you can compare what comes through the network stack to the firewall and narrow things down.

    On a mobile device all you can really do is fire up each app in sequence while watching the firewall logs on Untangle, and hopefully generate the traffic in question.
    Rob Sandling, BS:SWE, MCP
    NexgenAppliances.com
    Phone: 866-794-8879 x201
    Email: support@nexgenappliances.com
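The sequential test sky-knight describes, worked as an added Python example (not from the thread and not Untangle's own tooling): blocked-session rows copied off the firewall report are matched to a hand-kept log of when each app was opened on the test device, and runs of repeated attempts to one server (the burst pattern mentioned later in the thread) are flagged. The session rows, launch log and the tuple layout are constructed samples; Untangle's export format is not assumed.

```python
from collections import Counter, defaultdict
from datetime import datetime, timedelta

def _ts(s):
    return datetime.strptime(s, "%Y-%m-%d %H:%M:%S")

# Constructed sample data (not Untangle's export format): blocked sessions as
# (timestamp, client IP, server IP, server port), copied off the firewall report.
BLOCKED_SESSIONS = [
    ("2018-10-11 09:00:05", "192.168.1.23", "203.0.113.10", 443),
    ("2018-10-11 09:00:05", "192.168.1.23", "203.0.113.10", 443),
    ("2018-10-11 09:00:06", "192.168.1.23", "203.0.113.10", 443),
    ("2018-10-11 09:03:41", "192.168.1.23", "198.51.100.7", 443),
    ("2018-10-11 09:05:02", "192.168.1.23", "203.0.113.10", 443),
    ("2018-10-11 09:10:00", "192.168.1.23", "192.0.2.9", 443),  # nothing opened
]
# Hand-kept notes from the test device: when each app was opened (constructed).
APP_LAUNCHES = [
    ("2018-10-11 09:00:00", "mail"),
    ("2018-10-11 09:03:30", "weather"),
    ("2018-10-11 09:04:55", "mail"),
]

def attribute_blocks(sessions, launches, client_ip, window_s=60):
    """Credit each block from client_ip to the app opened most recently within window_s s."""
    launches = [(_ts(t), app) for t, app in launches]
    hits = Counter()  # (app, server:port) -> number of blocked sessions
    for t, cli, srv, port in sessions:
        if cli != client_ip:
            continue  # only the device being tested
        when = _ts(t)
        recent = [(lt, app) for lt, app in launches
                  if lt <= when <= lt + timedelta(seconds=window_s)]
        app = max(recent)[1] if recent else "unattributed"
        hits[(app, f"{srv}:{port}")] += 1
    return hits

def find_bursts(sessions, min_attempts=3, span_s=5):
    """Flag (client, server:port) pairs with >= min_attempts blocks inside span_s seconds."""
    by_pair = defaultdict(list)
    for t, cli, srv, port in sessions:
        by_pair[(cli, f"{srv}:{port}")].append(_ts(t))
    bursts = {}  # pair -> largest burst seen
    for pair, times in by_pair.items():
        times.sort()
        for i, start in enumerate(times):
            n = sum(1 for x in times[i:] if x - start <= timedelta(seconds=span_s))
            if n >= min_attempts:
                bursts[pair] = max(bursts.get(pair, 0), n)
    return bursts
```

Blocks that land in no launch window come out as "unattributed", which is the signal for the unattended-device case: background traffic rather than something the user opened.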

  5. #5
Untangle Junkie dmorris
    Join Date
    Nov 2006
    Location
    San Carlos, CA
    Posts
    17,729


    Quote Originally Posted by Sam Graf View Post
    I'm probably misunderstanding and/or doing something wrong, but the closest I get by looking at sessions is that the Application is TCP (ProtoChain /TCP). I don't know how to narrow it down from there.
    Post a screenshot. There should be tons of other information like IPs & ports, etc.

    edit: you could just unblock it and let it go to see what it is. Or just investigate the information you do have. You already know a lot. The IPs, the ports, the type of client that is connecting, etc.
    Last edited by dmorris; 10-11-2018 at 09:23 AM.

  6. #6
    Master Untangler
    Join Date
    Feb 2016
    Location
    Michigan
    Posts
    657


    @sky-knight Well crud. I was afraid that might be the case. It could be most anything, so I think the first thing I'll narrow down is if an unattended (but awake) device does or does not fire the rule. Then I'll attack app usage. If I can catch a device someone is using firing the rule, I'll see if I can narrow it down that way.

    @dmorris I can't get all the details in a single shot, so let me see what I can do about that. You're right, I do know several things (the server port is 443) but it all seems pretty generic. Even the firewall rule is just a geolocation block so that tells me little. But let me see what I can do about posting a useful screen shot.
    Last edited by Sam Graf; 10-11-2018 at 09:29 AM.

  7. #7
    Master Untangler
    Join Date
    Feb 2016
    Location
    Michigan
    Posts
    657


    Small screen shot. If this proves unreadable I'll try two screen shots merged into a bigger one.
    screenshot.png

  8. #8
    Master Untangler
    Join Date
    May 2010
    Location
    Texas, USA
    Posts
    690


    You are a lot nicer than I am.

    I would wait until someone complained that XYZ app isn't working, then figure it out. I have plenty of real work to do without chasing an app maybe/maybe not working with no one complaining!

    Every hour you spend chasing 'interesting but not pressing' issues is an hour that something more important is not getting done.

  9. #9
    Master Untangler
    Join Date
    Feb 2016
    Location
    Michigan
    Posts
    657


    Quote Originally Posted by JasonJoel View Post
    ...something more important is not getting done.
    Being mostly retired means, among other things, often getting to decide what's important.

    But it's true that if nothing's broke, there's nothing to fix. Yet understanding why something makes 40+ attempts at connecting to a server in China in a matter of a couple seconds is interesting to me. It doesn't have to be broke to be interesting from a potential security point of view, yes? And getting to be better at using Untangle in the process is frosting on the cake.

  10. #10
    Master Untangler
    Join Date
    May 2010
    Location
    Texas, USA
    Posts
    690


    Quote Originally Posted by Sam Graf View Post
    It doesn't have to be broke to be interesting from a potential security point of view, yes?
    I can't argue with that.
