public inbox for development@lists.ipfire.org
* How to find green IP that is sending traffic to hostile network
@ 2025-05-23 15:33 Tim Zakharov
  2025-05-24 21:32 ` Bernhard Bitsch
  2025-05-26 10:39 ` Michael Tremer
  0 siblings, 2 replies; 3+ messages in thread
From: Tim Zakharov @ 2025-05-23 15:33 UTC (permalink / raw)
  To: development

At Status->Network (other)->Firewall Hits Graph I sometimes see values 
in the 'To Hostile Networks' line beneath the graph, which tells me a 
green IP attempted to send traffic to a Hostile Network.  In a forum 
conversation with Adolf Belka, I was guided to Export Firewall Logs for 
the day the event occurred and search for DROP_HOSTILE.  I did, but 
could only come up with RED traffic, not GREEN, during that time frame.  
For example:
> 2:13:11 DROP_HOSTILE IN= OUT=red0 SRC=70.164.192.226 DST=202.61.85.215 
> LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=17688 DF PROTO=TCP SPT=57844 
> DPT=80 WINDOW=42340 RES=0x00 SYN URGP=0
Where SRC is my RED IP and DST is the hostile network.

I have seen DROP_HOSTILE IN=green0 traffic before, but it was while 
browsing through Logs->FWLoggraphs (IP) when I happened to randomly 
click on a green IP that had attempted a connection with a hostile network.

I would like to find a quick, reliable way to see which GREEN IP 
attempted to connect to a hostile network.  Any ideas?

For reference, here is the forum post I referenced above:
https://community.ipfire.org/t/how-to-find-green-ip-that-is-sending-traffic-to-hostile-network/14098



^ permalink raw reply	[flat|nested] 3+ messages in thread

* Re: How to find green IP that is sending traffic to hostile network
  2025-05-23 15:33 How to find green IP that is sending traffic to hostile network Tim Zakharov
@ 2025-05-24 21:32 ` Bernhard Bitsch
  2025-05-26 10:39 ` Michael Tremer
  1 sibling, 0 replies; 3+ messages in thread
From: Bernhard Bitsch @ 2025-05-24 21:32 UTC (permalink / raw)
  To: development



On 23.05.2025 at 17:33, Tim Zakharov wrote:
> At Status->Network (other)->Firewall Hits Graph I sometimes see values 
> in the 'To Hostile Networks' line beneath the graph, which tells me a 
> green IP attempted to send traffic to a Hostile Network.  In a forum 
> conversation with Adolf Belka, I was guided to Export Firewall Logs for 
> the day the event occurred and search for DROP_HOSTILE.  I did, but 
> could only come up with RED traffic, not GREEN, during that time frame. 
> For example:
>> 2:13:11 DROP_HOSTILE IN= OUT=red0 SRC=70.164.192.226 DST=202.61.85.215 
>> LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=17688 DF PROTO=TCP SPT=57844 
>> DPT=80 WINDOW=42340 RES=0x00 SYN URGP=0
> Where SRC is my RED IP and DST is the hostile network.
> 

As stated in the forum thread, this is an attempt by the proxy to reach 
the hostile address. This is done at the request of a client in the local 
network for this IP.
To find this client, you have to analyse the proxy logs as well. There 
should be an entry "request from <client IP> to <hostile IP>".

BR,
Bernhard



* Re: How to find green IP that is sending traffic to hostile network
  2025-05-23 15:33 How to find green IP that is sending traffic to hostile network Tim Zakharov
  2025-05-24 21:32 ` Bernhard Bitsch
@ 2025-05-26 10:39 ` Michael Tremer
  1 sibling, 0 replies; 3+ messages in thread
From: Michael Tremer @ 2025-05-26 10:39 UTC (permalink / raw)
  To: Tim Zakharov; +Cc: development

Hello Tim,

We should not really bring any forum conversations here, but I see that Adolf has asked you to…

> On 23 May 2025, at 16:33, Tim Zakharov <tim.zakharov@sandyindustries.com> wrote:
> 
> At Status->Network (other)->Firewall Hits Graph I sometimes see values in the 'To Hostile Networks' line beneath the graph, which tells me a green IP attempted to send traffic to a Hostile Network.  In a forum conversation with Adolf Belka, I was guided to Export Firewall Logs for the day the event occurred and search for DROP_HOSTILE.  I did, but could only come up with RED traffic, not GREEN, during that time frame.  For example:
>> 2:13:11 DROP_HOSTILE IN= OUT=red0 SRC=70.164.192.226 DST=202.61.85.215 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=17688 DF PROTO=TCP SPT=57844 DPT=80 WINDOW=42340 RES=0x00 SYN URGP=0
> Where SRC is my RED IP and DST is the hostile network.

This connection most likely went through the proxy then. In that case, we won’t be able to see which host has made that connection from the firewall log.

This is because the client in the local network contacts the proxy using the IP address of the firewall itself and then sends a request to the proxy. The proxy resolves the DNS name the client asked to connect to and will initiate the connection. Since the destination is on the internet it will use its best address which would be the RED IP address. Since they are two separate connections, the firewall does not know that there is a dependency.

If you have logging enabled, the proxy would have logged the request including the destination IP address and the source IP address of the client.

If you are not using the proxy, you will see the internal IP address of the host because NAT comes after the connection being accepted.

> I have seen DROP_HOSTILE IN=green0 traffic before, but it was while browsing through Logs->FWLoggraphs (IP) when I happened to randomly click on a green IP that had attempted a connection with a hostile network.
> 
> I would like to find a quick, reliable way to see which GREEN IP attempted to connect to a hostile network.  Any ideas?
> 
> For reference, here is the forum post I referenced above:
> https://community.ipfire.org/t/how-to-find-green-ip-that-is-sending-traffic-to-hostile-network/14098
> 
> 

-Michael



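The correlation Bernhard and Michael describe, written out as an added example in Python (this is not code from the thread or from the IPFire project). It parses DROP_HOSTILE lines in the exported firewall log format quoted above and, for hits with an empty IN= (locally generated, i.e. the proxy's own connection), looks for a proxy access.log entry to the same destination within a few seconds of the hit; hits that arrive on a green interface already carry the client in SRC. It assumes the proxy writes Squid's native access.log format (epoch timestamp, client IP in the third field, `HIER_DIRECT/<peer IP>` in the ninth), that the green interface is named green0, and that firewall timestamps are in the timezone you pass in. The sample log lines other than the one from Tim's mail are constructed.

```python
"""Correlate IPFire DROP_HOSTILE firewall hits with proxy log entries to find the
GREEN client behind a connection that the proxy made on the client's behalf."""
import re
from datetime import date, datetime, timedelta, timezone

# Exported firewall log format as quoted in the thread:
#   "2:13:11 DROP_HOSTILE IN= OUT=red0 SRC=... DST=... ... DPT=80 ..."
FW_RE = re.compile(r"^(?P<time>\d{1,2}:\d{2}:\d{2})\s+DROP_HOSTILE\s+(?P<fields>.*)$")
KV_RE = re.compile(r"(\w+)=(\S*)")  # bare flags such as DF or SYN have no '=' and are skipped


def parse_fw_line(line, day, tz=timezone.utc):
    """Parse one exported DROP_HOSTILE line; `day` supplies the date the export lacks."""
    m = FW_RE.match(line.strip())
    if not m:
        return None
    fields = dict(KV_RE.findall(m.group("fields")))
    t = datetime.strptime(m.group("time"), "%H:%M:%S").time()
    return {
        "ts": datetime.combine(day, t, tzinfo=tz),
        "in": fields.get("IN", ""),    # empty when the firewall itself (the proxy) originated the packet
        "out": fields.get("OUT", ""),
        "src": fields.get("SRC", ""),
        "dst": fields.get("DST", ""),
        "dpt": fields.get("DPT", ""),
    }


def parse_squid_line(line):
    """Squid native access.log (assumed format):
    ts.ms elapsed client action/code size method url ident hierarchy/peer type"""
    parts = line.split()
    if len(parts) < 9:
        return None
    hier = parts[8]
    peer = hier.split("/", 1)[1] if "/" in hier else ""
    return {
        "ts": datetime.fromtimestamp(float(parts[0]), tz=timezone.utc),
        "client": parts[2],
        "url": parts[6],
        "peer": peer,  # the IP the proxy actually connected to, compared with DST of the hit
    }


def find_green_clients(fw_lines, squid_lines, day, green_ifaces=("green0",),
                       window=timedelta(seconds=5), tz=timezone.utc):
    """Return (hostile_dst, client_ip, evidence) tuples.

    evidence is 'firewall' when the hit came in on a green interface (SRC is the client)
    or 'proxy' when the hit was locally generated and a proxy request to the same
    destination lies within `window` of it."""
    proxy = [p for p in map(parse_squid_line, squid_lines) if p]
    results = []
    for line in fw_lines:
        hit = parse_fw_line(line, day, tz)
        if not hit:
            continue
        if hit["in"] in green_ifaces:
            results.append((hit["dst"], hit["src"], "firewall"))
        elif hit["in"] == "":
            for p in proxy:
                if p["peer"] == hit["dst"] and abs(p["ts"] - hit["ts"]) <= window:
                    results.append((hit["dst"], p["client"], "proxy"))
    return results


# --- constructed sample input (only the first firewall line is from the thread) ---
SAMPLE_DAY = date(2025, 5, 23)
SAMPLE_FW = [
    "2:13:11 DROP_HOSTILE IN= OUT=red0 SRC=70.164.192.226 DST=202.61.85.215 LEN=60 TOS=0x00 "
    "PREC=0x00 TTL=64 ID=17688 DF PROTO=TCP SPT=57844 DPT=80 WINDOW=42340 RES=0x00 SYN URGP=0",
    "9:45:02 DROP_HOSTILE IN=green0 OUT=red0 SRC=192.168.1.77 DST=203.0.113.9 LEN=60 TOS=0x00 "
    "PREC=0x00 TTL=63 ID=1 DF PROTO=TCP SPT=50000 DPT=443 WINDOW=64240 RES=0x00 SYN URGP=0",
]
_T = datetime(2025, 5, 23, 2, 13, 10, tzinfo=timezone.utc).timestamp()  # one second before the hit
SAMPLE_SQUID = [
    f"{_T:.3f}    245 192.168.1.50 TCP_MISS/200 1843 GET http://example.test/ - HIER_DIRECT/202.61.85.215 text/html",
    f"{_T - 3600:.3f}     90 192.168.1.60 TCP_MISS/200 512 GET http://example.test/old - HIER_DIRECT/202.61.85.215 text/html",
    f"{_T + 1:.3f}     30 192.168.1.61 TCP_HIT/200 2048 GET http://other.test/ - HIER_NONE/- text/css",
]


def demo():
    """Run the correlation over the sample data."""
    return find_green_clients(SAMPLE_FW, SAMPLE_SQUID, SAMPLE_DAY)


if __name__ == "__main__":
    for dst, client, evidence in demo():
        print(f"hostile {dst} <- client {client} (via {evidence})")
```

On a live system the firewall export and the proxy log are in local time, so pass the firewall's timezone as `tz`; the proxy entry is only matched on destination IP and time, so widen `window` if the proxy log shows the request time rather than the connect time.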
