How is it that this IP is allowed?

Discussion in 'Other Ghost Security Software' started by tacoz, Oct 18, 2005.

Thread Status:
Not open for further replies.
  1. tacoz

    tacoz Guest

    Given the current config in this order:

    Allow All Protocols Outgoing, Any, Any, Any, Any
    Allow All Protocols Outgoing+Incoming, Any, Any, 127.0.0.1, Any
    Allow All Protocols Outgoing+Incoming, Any, 67-68, 123.45.*.*, 67-68
    Allow UDP Incoming, Any, Any, 123.45.*.*, 53
    Allow All Protocols Outgoing+Incoming, Any, Any, 123.45.*.*, Any
    Block All Protocols Incoming, Any, Any, Any, Any

    (123.45.*.* is invented for this post)

    Yet the TCP Allowed logs show other remote IPs, like 10.n.n.n and 207.n.n.n for instance, allowing their packets to be received locally. How is it that these are coming through when I would've thought that only traffic from the 123 or 127 segments would be allowed?
    Thanks!
     
    tacoz, Oct 18, 2005
    #1
  2. LowWaterMark

    LowWaterMark Administrator

    Joined:
    Aug 10, 2002
    Posts:
    18,280
    Location:
    New England
    Without specific examples from your log showing which traffic you are referring to, my first guess would simply be "reply traffic" from an exchange you started as an outgoing connection... For example, your outgoing "allow all" rule lets you browse to google.com. So, when google pages come back and display on your system, the TCP allowed log will show one of the many google.com IP addresses as being allowed into your system. It isn't a specific inbound allow rule that let's this happen, but rather the return traffic allowed automatically by you starting the connection.

    Likewise, most any traffic exchange started on your PC will show as in the allowed log when the responses come back. Automatic updates for Windows, as well as other products that handle their own updates by starting a connection out to some vendor website, will also show traffic in that log even though you didn't specifically start the connection manually. For us to determine more then this, we'd need specific log examples.
     
    LowWaterMark, Oct 18, 2005
    #2
  3. tacoz

    tacoz Guest

    Ok that makes some sense... thanks!
    I didn't realize that if an allowed went out, that its response would also be 'allowed'. This was port 80 traffic so it was the proxies that I was seeing as allowed even though they weren't listed as such...
     
    tacoz, Oct 19, 2005
    #3
  4. Disciple

    Disciple Registered Member

    Joined:
    Nov 14, 2002
    Posts:
    292
    Location:
    Ellijay, Georgia - USA
    One question I have for you tacoz, are you behind a router? Because the first example IP you gave is "10.n.n.n", which is non-routable over the Internet and reserved for LAN use. Without seeing the log entries for this IP it would be hard to venture a guess as to what is going on.
     
    Disciple, Oct 19, 2005
    #4
  5. tacoz

    tacoz Guest

    Most definitely... behind a cascade of routers... part of a global WAN. The 10.* segment is where various proxies reside. These remote port 8080 logs were one of the logs that I was trying to get a handle on originally.
    The gw is doing exactly what I expect it to do. We have excellent edge protection on the WAN. My usage of gw is to block some WAN traffic and control remote IPs. And the stats are useful...
     
    tacoz, Oct 20, 2005
    #5
Thread Status:
Not open for further replies.
  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.
    Accept Learn More...