How is it that this IP is allowed?

Discussion in 'Other Ghost Security Software' started by tacoz, Oct 18, 2005.

Thread Status:
Not open for further replies.
  1. tacoz

    tacoz Guest

    Given the current config in this order:

    Allow All Protocols Outgoing, Any, Any, Any, Any
    Allow All Protocols Outgoing+Incoming, Any, Any,, Any
    Allow All Protocols Outgoing+Incoming, Any, 67-68, 123.45.*.*, 67-68
    Allow UDP Incoming, Any, Any, 123.45.*.*, 53
    Allow All Protocols Outgoing+Incoming, Any, Any, 123.45.*.*, Any
    Block All Protocols Incoming, Any, Any, Any, Any

    (123.45.*.* is invented for this post)

    Yet the TCP Allowed logs show other remote IPs, like 10.n.n.n and 207.n.n.n for instance, allowing their packets to be received locally. How is it that these are coming through when I would've thought that only traffic from the 123 or 127 segments would be allowed?
  2. LowWaterMark

    LowWaterMark Administrator

    Aug 10, 2002
    New England
    Without specific examples from your log showing which traffic you are referring to, my first guess would simply be "reply traffic" from an exchange you started as an outgoing connection... For example, your outgoing "allow all" rule lets you browse to So, when Google pages come back and display on your system, the TCP allowed log will show one of the many IP addresses as being allowed into your system. It isn't a specific inbound allow rule that lets this happen, but rather the return traffic allowed automatically by you starting the connection.

    Likewise, most any traffic exchange started on your PC will show as in the allowed log when the responses come back. Automatic updates for Windows, as well as other products that handle their own updates by starting a connection out to some vendor website, will also show traffic in that log even though you didn't specifically start the connection manually. For us to determine more than this, we'd need specific log examples.
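
The reply-traffic behaviour described in the answer above, as an added example that is not part of the original posts and not the product's own code. It is a generic model of first-match rule evaluation with connection tracking; the column order (local port, remote IP, remote port), the "replies bypass inbound rules" step, the default verdict and all sample addresses and ports are assumptions or constructed values.

```python
from fnmatch import fnmatch

# (page rule no., action, protocol, directions, local port, remote IP, remote port)
# Rule 2 is omitted: its remote address is missing in the post.
RULES = [
    (1, "allow", "any", {"out"}, "any", "*", "any"),
    (3, "allow", "any", {"out", "in"}, "67-68", "123.45.*.*", "67-68"),
    (4, "allow", "udp", {"in"}, "any", "123.45.*.*", "53"),
    (5, "allow", "any", {"out", "in"}, "any", "123.45.*.*", "any"),
    (6, "block", "any", {"in"}, "any", "*", "any"),
]

def port_ok(spec, port):
    """Match 'any', a single port, or an inclusive 'lo-hi' range."""
    if spec == "any":
        return True
    lo, _, hi = spec.partition("-")
    return int(lo) <= port <= int(hi or lo)

class StatefulFilter:
    def __init__(self):
        self.flows = set()  # flows opened by an allowed outbound packet

    def decide(self, direction, proto, local_port, remote_ip, remote_port):
        flow = (proto, local_port, remote_ip, remote_port)
        # Assumption: replies to a tracked outbound flow bypass the inbound rules.
        if direction == "in" and flow in self.flows:
            return ("allow", "reply to outbound flow")
        for no, action, rproto, dirs, lport, rip, rport in RULES:  # first match wins
            if (direction in dirs and rproto in ("any", proto)
                    and port_ok(lport, local_port) and fnmatch(remote_ip, rip)
                    and port_ok(rport, remote_port)):
                if action == "allow" and direction == "out":
                    self.flows.add(flow)
                return (action, f"rule {no}")
        return ("block", "no rule matched")  # assumed default

def demo():
    """Constructed traffic: a proxy on 10.1.2.3:8080 and a DNS server on 123.45.6.7."""
    fw = StatefulFilter()
    return [
        fw.decide("in", "tcp", 49152, "10.1.2.3", 8080),   # unsolicited
        fw.decide("out", "tcp", 49152, "10.1.2.3", 8080),  # browser connects out
        fw.decide("in", "tcp", 49152, "10.1.2.3", 8080),   # proxy's response
        fw.decide("in", "udp", 49153, "123.45.6.7", 53),   # explicit inbound rule
    ]

if __name__ == "__main__":
    for verdict in demo():
        print(verdict)
```

The same inbound packet from the 10.* proxy is blocked by the final rule when unsolicited and allowed once the outbound connection exists, which is why such addresses can appear in an allowed log without an inbound allow rule naming them.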
  3. tacoz

    tacoz Guest

    Ok that makes some sense... thanks!
    I didn't realize that if an allowed went out, that its response would also be 'allowed'. This was port 80 traffic so it was the proxies that I was seeing as allowed even though they weren't listed as such...
  4. Disciple

    Disciple Registered Member

    Nov 14, 2002
    Ellijay, Georgia - USA
    One question I have for you tacoz, are you behind a router? Because the first example IP you gave is "10.n.n.n", which is non-routable over the Internet and reserved for LAN use. Without seeing the log entries for this IP it would be hard to venture a guess as to what is going on.
  5. tacoz

    tacoz Guest

    Most definitely... behind a cascade of routers... part of a global WAN. The 10.* segment is where various proxies reside. These remote port 8080 logs were one of the logs that I was trying to get a handle on originally.
    The gw is doing exactly what I expect it to do. We have excellent edge protection on the WAN. My usage of gw is to block some WAN traffic and control remote IPs. And the stats are useful...