Router firewall reporting blocked outgoing ICMP packets from Obi ip
GPz1100:
Rick,
I made a mistake in setting up the logging. It appears pings were being intercepted before reaching the firewall rules so nothing got recorded. I figured out the mistake and am now actively seeing any pings on the Obi VLAN (using a PC on the same subnet).
I'll let this run overnight and see what it records in the am. My apologies for the wrong results above.
PS. I started using Sophos UTM for my firewall/router about 3 months ago. I'm still figuring out all its little nuances.
Edit: I think port 10000 is for obitalk. I don't use it, so no need to let the Obi access it.
Edit2: Results above were not 'wrong' per se, just inconclusive as any pings out were permitted but not logged.
drgeoff:
Quote from: GPz1100 on November 15, 2017, 10:23:35 pm
I think port 10000 is for obitalk.
Correct.
GPz1100:
See attached. Sheet one sorted by destination IP, sheet 2 by time. Sample size isn't the largest. I think I'll leave the log run for a week, see what else pops up.
No pings but several unique IPs. Ports 5222, 5060..5080, and 443 relate to gv/xmpp and Callcentric. The occasional port 19xxx is an actual phone call's RTP port. 10.10.3.102 and .103 are the two Obis. One has 2 SPx's configured, the other 3.
These all come back to Google or Callcentric.
Rick441:
I'm still getting frequent blocked incoming TCP and UDP packets to port 5060 from various IPs. Mostly, but not entirely, foreign IPs. Many are the same or similar to those I mentioned in my original post, i.e., non-Google/Callcentric IPs listed in the blocked-outgoing-ICMP-messages I was getting before I disabled the port forwarding I never should have set. I don't know if this is anything new, or whether it was occurring even before I got the Obi, as I wasn't looking at the logs before then, and I don't have history going back further.
GPz1100:
Looks like more of the same. No ICMP (protocol 1) entries.
Now, with respect to inbound attempts on ports 5060..5080, there are hundreds of those. Just external traffic trying to find an open SIP server. Those are all blocked. In fact, for inbound, anything not US-based is blocked by a global rule. I wouldn't worry too much about it.
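The log triage described in the posts above (group outbound Obi traffic by destination and port role, then check for protocol 1 entries), as an added example that is not from any poster in the thread. It assumes the firewall log is exported as key="value" records with srcip, dstip, proto and dstport fields; the sample lines and destination addresses are constructed.

```python
import re
from collections import Counter

OBI_IPS = {"10.10.3.102", "10.10.3.103"}   # the two Obis named in the thread
FIELD = re.compile(r'(\w+)="([^"]*)"')     # assumed key="value" record layout

def classify(proto, dport):
    """Label a flow using the port roles given in the thread."""
    if proto == 1:
        return "icmp"                      # the traffic the thread is hunting for
    if dport == 10000:
        return "obitalk"
    if dport in (443, 5222) or 5060 <= dport <= 5080:
        return "gv-xmpp/callcentric"
    if 19000 <= dport <= 19999:
        return "rtp"                       # "19xxx" call media
    return "other"

def summarize(lines):
    """Count outbound flows from the Obi hosts by (destination IP, label)."""
    counts = Counter()
    for line in lines:
        f = dict(FIELD.findall(line))
        if f.get("srcip") not in OBI_IPS or "proto" not in f:
            continue                       # other hosts on the VLAN, or no protocol
        try:
            proto, dport = int(f["proto"]), int(f.get("dstport", 0))
        except ValueError:
            continue                       # malformed record: skip, do not guess
        counts[(f.get("dstip", "?"), classify(proto, dport))] += 1
    return counts

def icmp_destinations(counts):
    """Destinations that received ICMP from an Obi; empty means 'no pings'."""
    return sorted(ip for (ip, label) in counts if label == "icmp")

SAMPLE = [  # constructed records, documentation-range destinations
    'srcip="10.10.3.102" dstip="203.0.113.10" proto="17" dstport="5070"',
    'srcip="10.10.3.102" dstip="203.0.113.10" proto="17" dstport="5060"',
    'srcip="10.10.3.103" dstip="198.51.100.20" proto="6" dstport="5222"',
    'srcip="10.10.3.103" dstip="203.0.113.10" proto="17" dstport="19234"',
    'srcip="10.10.3.102" dstip="198.51.100.30" proto="17" dstport="10000"',
    'srcip="10.10.3.103" dstip="198.51.100.7" proto="1"',
    'srcip="10.10.3.50" dstip="198.51.100.7" proto="1"',    # test PC, not an Obi
    'srcip="10.10.3.102" dstip="203.0.113.10" proto="udp"',  # malformed proto
]

if __name__ == "__main__":
    counts = summarize(SAMPLE)
    for (dstip, label), n in sorted(counts.items()):
        print(f"{dstip:15} {label:22} {n}")
    print("ICMP destinations:", icmp_destinations(counts) or "none")
```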