  1. #1
    Newbie
    Join Date
    Apr 2019
    Posts
    4

    Firewall Log- Can you explain these entries?

    I have the external port 23389 forwarded to an internal machine's default 3389 RDP port. I run RDPguard on the internal machine, which blocks abusers' IPs after so many invalid password attempts. Anyway, I get tons of Russian blocks generated by RDPGuard, so I thought maybe I'd just block all Russian traffic at the firewall. I made my rule, and it appears to work. BUT- I am getting a lot of entries in my firewall log that show ports other than 23389 being blocked with a destination of 3389. Here is a sample of the log, and a pic of the port forward. Did I do something wrong? I know the traffic being blocked is a good thing, but why should it even recognize an attempt to send traffic from any port other than 23389 to 3389?

    untangle.jpg

  2. #2
    Untangle Ninja sky-knight's Avatar
    Join Date
    Apr 2008
    Location
    Phoenix, AZ
    Posts
    23,346

    You're misunderstanding the report. Client port isn't what the client connected to, it's what the client connected FROM. 3389 is the translated destination, the firewall module engages traffic after NAT (dNAT to be specific, or port forwarding as you know it) has been performed. This report is expected behavior, the nonstandard exterior port is irrelevant in this circumstance.

    So the client is picking a >1024 random port to connect to 23389, NAT is translating that to your interior IP at 3389, and the firewall is logging the client as it should, and the real server post translation. That is how all of this really works, that's what you're supposed to see!
    Last edited by sky-knight; 04-08-2019 at 10:34 AM.
    Rob Sandling, BS:SWE, MCP
    NexgenAppliances.com
    Phone: 866-794-8879 x201
    Email: support@nexgenappliances.com

  3. #3
    Untangler jcoffin's Avatar
    Join Date
    Aug 2008
    Location
    Sunnyvale, CA
    Posts
    7,816

    I would also block UDP.

    If you look to the right in the event report, it shows another rule blocking also.
    Attention: Support and help on the Untangle Forums is provided by
    volunteers and community members like yourself.
    If you need Untangle support please call or email support@untangle.com

  4. #4
    Newbie
    Join Date
    Apr 2019
    Posts
    4

    Thanks for your answer. I'm still a little foggy though. So in the case of the entry:

    Client 185.156.177.49 Client Port 61563 Server 10.10.50.60 Server Port 3389

    What is it telling me? 185.156.177.49 attempted to connect to 3389 via the 23389 port-forward rule and was blocked? And the 61563 is irrelevant?

  5. #5
    Untangler jcoffin's Avatar
    Join Date
    Aug 2008
    Location
    Sunnyvale, CA
    Posts
    7,816

    The client port is the port the remote device is opening to go to 3389 on your network. Client port will almost always be different as they are random. Nothing to do with port forward.

  6. #6
    Newbie
    Join Date
    Apr 2019
    Posts
    4

    Ok, one more question- you brought up the "Rule ID" column. All of my firewall rules start with a 1 (10004 etc). What does the 20004 refer to?

  7. #7
    Untangler jcoffin's Avatar
    Join Date
    Aug 2008
    Location
    Sunnyvale, CA
    Posts
    7,816

    Each Policy which has a Firewall will have a different series of IDs. So 2xxxx rules are a firewall rule on a different Policy.

  8. #8
    Newbie
    Join Date
    Apr 2019
    Posts
    4

    Ahh, makes sense. I found it. Thanks again guys for your help.
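
An added example, not part of any post in this thread and not Untangle code: it replays the port forward from the first post (external 23389 to 10.10.50.60:3389) to show why the entry quoted in post #4 lists client port 61563 and server port 3389, and how to map a logged session back to the external port it arrived on. The `FORWARDS` table layout and all function names are assumptions made for the illustration.

```python
import re
from typing import NamedTuple, Optional

# Port forwards (DNAT): external port -> (internal host, internal port).
# 23389 -> 10.10.50.60:3389 is taken from the thread; the dict layout is assumed.
FORWARDS = {23389: ("10.10.50.60", 3389)}

# Field layout of the event-log entry quoted in post #4.
ENTRY = re.compile(r"Client (\S+) Client Port (\d+) Server (\S+) Server Port (\d+)")


class Session(NamedTuple):
    client: str
    client_port: int   # source port chosen by the remote host
    server: str        # destination after DNAT
    server_port: int


def firewall_view(client: str, client_port: int, dialed_port: int) -> Optional[Session]:
    """Return the session as the firewall sees it, i.e. after DNAT has run."""
    target = FORWARDS.get(dialed_port)
    if target is None:
        return None  # no forward for that external port, nothing reaches the LAN host
    return Session(client, client_port, *target)


def parse_entry(line: str) -> Optional[Session]:
    """Parse one log entry into a Session, or None if the line does not match."""
    m = ENTRY.search(line)
    if m is None:
        return None
    return Session(m[1], int(m[2]), m[3], int(m[4]))


def external_port_for(session: Session) -> Optional[int]:
    """Reverse the DNAT: which external port did this logged session arrive on?"""
    for external, target in FORWARDS.items():
        if target == (session.server, session.server_port):
            return external
    return None


if __name__ == "__main__":
    # Entry text copied from post #4.
    logged = parse_entry("Client 185.156.177.49 Client Port 61563 Server 10.10.50.60 Server Port 3389")
    print(logged, "arrived on external port", external_port_for(logged))
    print("matches simulated forward:", firewall_view("185.156.177.49", 61563, 23389) == logged)
```
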
