public inbox for development@lists.ipfire.org
From: Michael Tremer <michael.tremer@ipfire.org>
To: Tim Zakharov <tim.zakharov@sandyindustries.com>
Cc: development@lists.ipfire.org
Subject: Re: How to find green IP that is sending traffic to hostile network
Date: Mon, 26 May 2025 11:39:19 +0100	[thread overview]
Message-ID: <C6EFF28F-DA13-492C-B08E-540D7132F44A@ipfire.org> (raw)
In-Reply-To: <fbab852a-4fcc-4c88-86d4-53bfb74e7ec8@sandyindustries.com>

Hello Tim,

We should not really bring any forum conversations here, but I see that Adolf has asked you to…

> On 23 May 2025, at 16:33, Tim Zakharov <tim.zakharov@sandyindustries.com> wrote:
> 
> At Status->Network (other)->Firewall Hits Graph I sometimes see values in the 'To Hostile Networks' line beneath the graph, which tells me a green IP attempted to send traffic to a Hostile Network.  In a forum conversation with Adolf Belka, I was guided to Export Firewall Logs for the day the event occurred and search for DROP_HOSTILE.  I did, but could only come up with RED traffic, not GREEN, during that time frame.  For example:
>> 2:13:11 DROP_HOSTILE IN= OUT=red0 SRC=70.164.192.226 DST=202.61.85.215 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=17688 DF PROTO=TCP SPT=57844 DPT=80 WINDOW=42340 RES=0x00 SYN URGP=0
> Where SRC is my RED IP and DST is the hostile network.

This connection most likely went through the proxy then. In that case, we won’t be able to see which host has made that connection from the firewall log.

This is because the client in the local network contacts the proxy using the IP address of the firewall itself and then sends a request to the proxy. The proxy resolves the DNS name the client asked to connect to and will initiate the connection. Since the destination is on the internet it will use its best address which would be the RED IP address. Since they are two separate connections, the firewall does not know that there is a dependency.

If you have logging enabled, the proxy would have logged the request including the destination IP address and the source IP address of the client.

If you are not using the proxy, you will see the internal IP address of the host because NAT comes after the connection being accepted.

> I have seen DROP_HOSTILE IN=green0 traffic before, but it was while browsing through Logs->FWLoggraphs (IP) when I happened to randomly click on a green IP that had attempted a connection with a hostile network.
> 
> I would like to find a quick, reliable way to see which GREEN IP attempted to connect to a hostile network.  Any ideas?
> 
> For reference, here is the forum post I referenced above:
> https://community.ipfire.org/t/how-to-find-green-ip-that-is-sending-traffic-to-hostile-network/14098
> 
> 

-Michael
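A small defender-side triage script for the situation Michael describes, added here as an example and not part of this thread or of IPFire itself: it parses DROP_HOSTILE lines from an exported firewall log, lists hits per green host, separates entries with an empty IN= (generated on the firewall itself, i.e. the proxy case) and looks those destinations up in a proxy access log to recover the client. The firewall log lines are constructed in the format Tim quoted; the Squid native access.log layout (client address in field 3, HIER_DIRECT/<destination IP> in field 9) is an assumption, and the addresses are made up apart from the ones in the post.

```python
import re
from collections import defaultdict

# Constructed firewall log lines in the format quoted in the thread (addresses made up).
FW_LOG = """\
02:13:11 DROP_HOSTILE IN= OUT=red0 SRC=70.164.192.226 DST=202.61.85.215 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=17688 DF PROTO=TCP SPT=57844 DPT=80 WINDOW=42340 RES=0x00 SYN URGP=0
02:14:05 DROP_HOSTILE IN=green0 OUT=red0 SRC=192.168.1.23 DST=203.0.113.9 LEN=60 PROTO=TCP SPT=40000 DPT=443 SYN URGP=0
02:15:00 DROP_INPUT IN=red0 OUT= SRC=198.51.100.7 DST=70.164.192.226 LEN=40 PROTO=TCP SPT=1234 DPT=22
02:16:30 DROP_HOSTILE IN=green0 OUT=red0 SRC=192.168.1.23 DST=203.0.113.9 LEN=60 PROTO=UDP SPT=5000 DPT=53
"""
# Constructed Squid access.log lines; assumed native layout where field 3 is the
# client address and field 9 is HIER_DIRECT/<destination IP>.
PROXY_LOG = """\
1748225591.101    245 192.168.1.45 TCP_MISS/200 1234 GET http://example.invalid/ - HIER_DIRECT/202.61.85.215 text/html
1748225599.407     12 192.168.1.77 TCP_MISS/200 888 GET http://other.invalid/ - HIER_DIRECT/198.51.100.20 text/html
"""
FIELD_RE = re.compile(r"(\w+)=(\S*)")

def parse_fw_line(line):
    """Split 'HH:MM:SS ACTION key=value ...' into a dict; bare flags (DF, SYN) are dropped."""
    parts = line.split(None, 2)
    if len(parts) < 3:
        return None
    rec = dict(FIELD_RE.findall(parts[2]))
    rec["time"], rec["action"] = parts[0], parts[1]
    return rec

def hostile_hits(fw_text, green_iface="green0"):
    """Return (DROP_HOSTILE hits per green client, hits with an empty IN= field).
    IN=<green_iface> names the LAN host; an empty IN= means the firewall itself
    (typically the proxy) sent the packet, so only the proxy log can name the client."""
    by_client, local = defaultdict(list), []
    for line in fw_text.splitlines():
        rec = parse_fw_line(line)
        if not rec or rec["action"] != "DROP_HOSTILE":
            continue
        hit = (rec["time"], rec.get("DST"), rec.get("PROTO"), rec.get("DPT"))
        if rec.get("IN") == green_iface:
            by_client[rec["SRC"]].append(hit)
        elif rec.get("IN") == "":
            local.append(hit)
    return dict(by_client), local

def proxy_clients_for(dst_ip, proxy_text):
    """Clients whose proxied requests went directly to dst_ip (HIER_DIRECT/<ip>)."""
    rows = (line.split() for line in proxy_text.splitlines())
    return {f[2] for f in rows if len(f) >= 9 and f[8] == f"HIER_DIRECT/{dst_ip}"}
```

Run `hostile_hits` over the exported log first; any destination that only appears in the second list is the proxy case and has to be resolved with `proxy_clients_for` against the proxy's access log for the same day.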



Thread overview: 3+ messages
2025-05-23 15:33 Tim Zakharov
2025-05-24 21:32 ` Bernhard Bitsch
2025-05-26 10:39 ` Michael Tremer [this message]
