From: Michael Tremer
To: Tim Zakharov
Cc: development@lists.ipfire.org
Subject: Re: How to find green IP that is sending traffic to hostile network
Date: Mon, 26 May 2025 11:39:19 +0100

Hello Tim,

We should not really bring any forum conversations here, but I see that Adolf has asked you to…

> On 23 May 2025, at 16:33, Tim Zakharov wrote:
>
> At Status->Network (other)->Firewall Hits Graph I sometimes see values in the 'To Hostile Networks' line beneath the graph, which tells me a green IP attempted to send traffic to a Hostile Network. In a forum conversation with Adolf Belka, I was guided to Export Firewall Logs for the day the event occurred and search for DROP_HOSTILE. I did, but could only come up with RED traffic, not GREEN, during that time frame. For example:
>
>> 2:13:11 DROP_HOSTILE IN= OUT=red0 SRC=70.164.192.226 DST=202.61.85.215 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=17688 DF PROTO=TCP SPT=57844 DPT=80 WINDOW=42340 RES=0x00 SYN URGP=0
>
> Where SRC is my RED IP and DST is the hostile network.

This connection most likely went through the proxy then. In that case, we won't be able to see which host has made that connection from the firewall log.

This is because the client in the local network contacts the proxy using the IP address of the firewall itself and then sends a request to the proxy. The proxy resolves the DNS name the client asked to connect to and will initiate the connection. Since the destination is on the internet, it will use its best address, which would be the RED IP address. Since they are two separate connections, the firewall does not know that there is a dependency.

If you have logging enabled, the proxy would have logged the request, including the destination IP address and the source IP address of the client.

If you are not using the proxy, you will see the internal IP address of the host, because NAT comes after the connection has been accepted.

> I have seen DROP_HOSTILE IN=green0 traffic before, but it was while browsing through Logs->FWLoggraphs (IP) when I happened to randomly click on a green IP that had attempted a connection with a hostile network.
>
> I would like to find a quick, reliable way to see which GREEN IP attempted to connect to a hostile network. Any ideas?
>
> For reference, here is the forum post I referenced above:
> https://community.ipfire.org/t/how-to-find-green-ip-that-is-sending-traffic-to-hostile-network/14098
>
>

-Michael
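As an added example (not part of Michael's reply and not IPFire's own tooling), the following Python script does the correlation Michael describes: a DROP_HOSTILE line with IN=green0 already names the client in SRC, while a line with an empty IN and the RED address as SRC was originated by the firewall itself, most likely by the proxy, so the script looks in the proxy log for a request to the same destination at about the same time. It assumes the exported firewall log uses the "H:MM:SS DROP_HOSTILE key=value ..." layout quoted above, that the proxy log is Squid's default native access.log format, and that both logs are read in UTC; the sample log lines are constructed (the first firewall line is the one from the thread, the rest use documentation addresses).

```python
"""Recover the GREEN client behind a DROP_HOSTILE hit by joining the
firewall log with the proxy (Squid) access log.

Added example, not from the mailing-list thread. Assumptions: firewall
log layout "H:MM:SS DROP_HOSTILE key=value ...", Squid native access.log
format, both logs interpreted in UTC.
"""
import re
from datetime import date, datetime, timedelta, timezone

FW_RE = re.compile(r"^(?P<time>\d{1,2}:\d{2}:\d{2})\s+DROP_HOSTILE\s+(?P<rest>.*)$")
KV_RE = re.compile(r"(\w+)=(\S*)")
# Squid native: ts elapsed client code/status bytes method url user hier/peer type
SQUID_RE = re.compile(
    r"^(?P<ts>\d+\.\d+)\s+\d+\s+(?P<client>\S+)\s+\S+\s+\d+\s+\S+\s+"
    r"(?P<url>\S+)\s+\S+\s+(?P<hier>\S+)"
)
WINDOW = timedelta(seconds=30)  # max gap between proxy request and firewall drop


def parse_fw_line(line, day):
    """Parse one exported firewall-log line; None unless it is a DROP_HOSTILE hit."""
    m = FW_RE.match(line.strip())
    if not m:
        return None
    # Bare flags such as DF or SYN carry no '=' and are simply skipped.
    kv = dict(KV_RE.findall(m.group("rest")))
    t = datetime.strptime(m.group("time"), "%H:%M:%S").time()
    return {
        "ts": datetime.combine(day, t),
        "in": kv.get("IN", ""),   # empty when the firewall itself originated the packet
        "out": kv.get("OUT", ""),
        "src": kv.get("SRC"),
        "dst": kv.get("DST"),
        "dpt": kv.get("DPT"),
    }


def parse_squid_line(line):
    """Parse one native access.log line into timestamp, client, upstream peer and URL."""
    m = SQUID_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.fromtimestamp(float(m.group("ts")), tz=timezone.utc).replace(tzinfo=None)
    hier = m.group("hier")
    peer = hier.split("/", 1)[1] if "/" in hier else ""
    return {"ts": ts, "client": m.group("client"), "peer": peer, "url": m.group("url")}


def attribute_hits(fw_lines, squid_lines, day, red_ip):
    """Attribute each DROP_HOSTILE hit to an internal host.

    Returns (timestamp, dst, kind, clients) per hit, where kind is
    'direct'  - IN=green0: SRC already is the client,
    'proxy'   - the firewall (RED IP) connected out and the proxy log names the client(s),
    'unknown' - locally originated hit with no matching proxy entry (proxy logging off?).
    """
    squid = [e for e in (parse_squid_line(l) for l in squid_lines) if e]
    hits = []
    for line in fw_lines:
        hit = parse_fw_line(line, day)
        if hit is None:
            continue
        if hit["in"].startswith("green"):  # add "blue" here if you run a BLUE zone
            hits.append((hit["ts"], hit["dst"], "direct", [hit["src"]]))
        elif hit["in"] == "" and hit["src"] == red_ip:
            # Two separate connections: client -> proxy, then proxy -> destination.
            # Join them on destination address and time, which the firewall cannot do.
            clients = sorted({
                e["client"] for e in squid
                if e["peer"] == hit["dst"] and abs(e["ts"] - hit["ts"]) <= WINDOW
            })
            hits.append((hit["ts"], hit["dst"], "proxy" if clients else "unknown", clients))
    return hits


# Constructed sample data. The first firewall line is the one quoted in the
# thread; the remaining lines use RFC 5737 documentation addresses.
DAY = date(2025, 5, 23)
RED_IP = "70.164.192.226"
FW_LOG = [
    "2:13:11 DROP_HOSTILE IN= OUT=red0 SRC=70.164.192.226 DST=202.61.85.215 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=17688 DF PROTO=TCP SPT=57844 DPT=80 WINDOW=42340 RES=0x00 SYN URGP=0",
    "2:15:40 DROP_HOSTILE IN=green0 OUT=red0 SRC=192.168.1.77 DST=198.51.100.9 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=2 DF PROTO=TCP SPT=51000 DPT=443 WINDOW=64240 RES=0x00 SYN URGP=0",
    "2:20:05 DROP_HOSTILE IN= OUT=red0 SRC=70.164.192.226 DST=203.0.113.45 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=900 DF PROTO=TCP SPT=40001 DPT=80 WINDOW=42340 RES=0x00 SYN URGP=0",
    "2:13:12 ACCEPT IN=green0 OUT=red0 SRC=192.168.1.50 DST=192.0.2.10 PROTO=TCP DPT=443",
]
# 1747966390.512 is 2025-05-23 02:13:10.512 UTC, half a second before the first hit.
SQUID_LOG = [
    "1747966390.512    245 192.168.1.50 TCP_MISS/503 0 GET http://202.61.85.215/ - HIER_DIRECT/202.61.85.215 text/html",
    "1747966395.001     12 192.168.1.51 TCP_MEM_HIT/200 2048 GET http://example.com/ - HIER_NONE/- text/html",
]

if __name__ == "__main__":
    for ts, dst, kind, clients in attribute_hits(FW_LOG, SQUID_LOG, DAY, RED_IP):
        print(f"{ts:%H:%M:%S} -> {dst:15} {kind:8} {', '.join(clients) or '-'}")
```

On the sample data the first hit is attributed to 192.168.1.50 via the proxy log, the second is a direct hit from 192.168.1.77, and the third stays unknown because no proxy entry matches, which is exactly what you would see with proxy logging switched off. The 30-second window is deliberately wide because Squid writes its log line when the request finishes, which can be after the firewall has already dropped the outgoing SYN.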