  1. #1
    Untanglit
    Join Date
    Jan 2018
    Posts
    29

    Reports still show attempts to unopened, unforwarded ports

    I have IPS set to only monitor/act after other firewall processing. Yet in the reports on IPS I see a lot of traffic to ports that are not open or not forwarded.

    I thought when "after" is selected, the IPS only works on traffic that has made it through the firewall. So I'm wondering what is going on?

  2. #2
    Untangler jcoffin's Avatar
    Join Date
    Aug 2008
    Location
    Sunnyvale, CA
    Posts
    8,729

    https://wiki.untangle.com/index.php/...n#When_To_Scan

    If Untangle is bridged, all traffic is processed after it arrives at the UVM.
    Attention: Support and help on the Untangle Forums is provided by
    volunteers and community members like yourself.
    If you need Untangle support please call or email support@untangle.com

  3. #3
    Untanglit
    Join Date
    Jan 2018
    Posts
    29

    Thank you. It isn't bridged. The Untangle is the router, with the external interface being the public IP, and the internal being the inside LAN.

    I have the external NAT checked, but on the internal interface I have NAT unchecked.

    In the IPS logs there are, for instance, showings of various IP addresses destined for ports that I do not have open, and they are not blocked by IPS as nothing is blocked. I just thought it was odd. I ran a port scan from an outside computer and it shows all ports are closed. I'm just trying to make sure I have this configured right.

  4. #4
    Untanglit
    Join Date
    Jan 2018
    Posts
    29

    Looking at it again, the overwhelming majority of the IPS traffic reported is to the external interface and a lot of different ports. The only IPS reported traffic I see on the internal interface is the internal LAN addresses.

  5. #5
    Untangler jcoffin's Avatar
    Join Date
    Aug 2008
    Location
    Sunnyvale, CA
    Posts
    8,729

    Post a screenshot of the events you are interested in. Yes, there are many events but they will be zero bytes since NAT will not allow them in. You can't stop an external session to your public IP but the firewall will not respond (zero bytes).

    You can see the same on demo.untangle.com
    http://demo.untangle.com/admin/index...rep=all-events

  6. #6
    Untanglit
    Join Date
    Jan 2018
    Posts
    29

    ipstraffic.png

    I now have all the rules activated and you can see all the blocks. This is "AFTER" other network processing. So one would think all that traffic is making it through "AFTER" other network processing based on the documentation.

    If everything is fine, just tell me and I'll quit worrying.
