From: Bernhard Bitsch
To: development@lists.ipfire.org
Subject: Re: How to find green IP that is sending traffic to hostile network
Date: Sat, 24 May 2025 23:32:26 +0200
Content-Language: en-GB
Content-Type: text/plain; charset=UTF-8; format=flowed

On 23.05.2025 at 17:33, Tim Zakharov wrote:
> At Status->Network (other)->Firewall Hits Graph I sometimes see values
> in the 'To Hostile Networks' line beneath the graph, which tells me a
> green IP attempted to send traffic to a Hostile Network. In a forum
> conversation with Adolf Belka, I was guided to Export Firewall Logs for
> the day the event occurred and search for DROP_HOSTILE. I did, but
> could only come up with RED traffic, not GREEN, during that time frame.
> For example:
>> 2:13:11 DROP_HOSTILE IN= OUT=red0 SRC=70.164.192.226 DST=202.61.85.215
>> LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=17688 DF PROTO=TCP SPT=57844
>> DPT=80 WINDOW=42340 RES=0x00 SYN URGP=0
> Where SRC is my RED IP and DST is the hostile network.
>

As stated in the forum thread, this is an attempt by the proxy to reach the hostile address. This is done at the request of a client in the local network for this IP. To find this client, you also have to analyse the proxy logs. There should be an entry "request from to ".

BR,
Bernhard
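The correlation Bernhard describes, as an added example that is not part of this thread and not IPFire code: it takes the DROP_HOSTILE line Tim quoted, pulls the time of day and DST out of it, and scans proxy access-log lines for requests that made the proxy connect to that address within a short window. The assumptions are mine: IPFire's proxy is Squid and the log uses Squid's native access.log layout (epoch time, elapsed, client, code/status, bytes, method, URL, user, hierarchy/peer host, type); the firewall runs in the +0200 zone shown in the mail header; the exported firewall log gives only a time of day, so the day is passed in separately; and the Squid lines with 192.168.1.x clients are constructed sample data.

```python
"""Correlate a DROP_HOSTILE firewall hit with proxy (Squid) access.log lines.

Added example for the thread above; not code from IPFire. It assumes the
firewall log line format quoted in the thread and Squid's native
access.log format:
  epoch.ms elapsed client code/status bytes method url user hier/peer type
"""
import re
from datetime import date, datetime, timedelta, timezone
from urllib.parse import urlsplit

# Assumption: the firewall's local timezone (+0200, as in the mail header).
LOCAL_TZ = timezone(timedelta(hours=2))

# The DROP_HOSTILE line from the thread (SRC is the RED address, DST the
# hostile address). The exported firewall log carries only a time of day.
FW_LINE = (
    "2:13:11 DROP_HOSTILE IN= OUT=red0 SRC=70.164.192.226 DST=202.61.85.215 "
    "LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=17688 DF PROTO=TCP SPT=57844 "
    "DPT=80 WINDOW=42340 RES=0x00 SYN URGP=0"
)

# Constructed Squid access.log excerpt; the 192.168.1.x clients are made up.
# Epoch 1748045591 is 2025-05-24 02:13:11 in the +0200 zone.
SQUID_LOG = """\
1748045590.412    120 192.168.1.23 TCP_MISS/200 5120 GET http://example.org/index.html - HIER_DIRECT/93.184.216.34 text/html
1748045591.003  30005 192.168.1.50 TCP_MISS/503 0 GET http://202.61.85.215/update.bin - HIER_DIRECT/202.61.85.215 -
1748045595.100     15 192.168.1.50 TCP_TUNNEL/200 3000 CONNECT 202.61.85.215:443 - HIER_DIRECT/202.61.85.215 -
1748045630.777    210 192.168.1.77 TCP_MISS/200 8800 GET http://202.61.85.215/ - HIER_DIRECT/202.61.85.215 text/html
"""

FW_RE = re.compile(
    r"^(?P<time>\d{1,2}:\d{2}:\d{2}) DROP_HOSTILE .*?\bDST=(?P<dst>[\d.]+) .*?\bDPT=(?P<dpt>\d+)"
)


def parse_fw_hit(line):
    """Return {'time', 'dst', 'dpt'} for a DROP_HOSTILE line, or None."""
    m = FW_RE.search(line)
    if m is None:
        return None
    h, mi, s = (int(x) for x in m["time"].split(":"))
    return {"time": (h, mi, s), "dst": m["dst"], "dpt": int(m["dpt"])}


def url_host(url):
    """Host part of a request URL; CONNECT requests log bare host:port."""
    if "://" in url:
        return urlsplit(url).hostname or ""
    return url.rsplit(":", 1)[0]


def parse_squid_line(line):
    """Split one native-format access.log line into the fields we need."""
    parts = line.split()
    if len(parts) < 9:
        return None
    ts = datetime.fromtimestamp(float(parts[0]), tz=LOCAL_TZ)
    hier = parts[8]
    peer = hier.split("/", 1)[1] if "/" in hier else ""
    return {"ts": ts, "client": parts[2], "method": parts[5],
            "url": parts[6], "peer": peer}


def find_clients(fw_line, squid_log, day_iso, window_s=30):
    """List proxy requests that explain a DROP_HOSTILE hit.

    A request matches when the proxy's peer host (the IP it connected to)
    or the requested URL host equals the firewall DST, and the request time
    lies within window_s seconds of the firewall hit on the given day.
    """
    hit = parse_fw_hit(fw_line)
    if hit is None:
        raise ValueError("not a DROP_HOSTILE firewall log line")
    h, mi, s = hit["time"]
    hit_dt = datetime.combine(date.fromisoformat(day_iso),
                              datetime.min.time(), tzinfo=LOCAL_TZ)
    hit_dt += timedelta(hours=h, minutes=mi, seconds=s)
    matches = []
    for raw in squid_log.splitlines():
        entry = parse_squid_line(raw)
        if entry is None:
            continue
        if hit["dst"] not in (entry["peer"], url_host(entry["url"])):
            continue
        if abs((entry["ts"] - hit_dt).total_seconds()) > window_s:
            continue
        matches.append({"client": entry["client"], "method": entry["method"],
                        "url": entry["url"], "when": entry["ts"].isoformat()})
    return matches


if __name__ == "__main__":
    for m in find_clients(FW_LINE, SQUID_LOG, "2025-05-24"):
        print(f"{m['when']}  {m['client']}  {m['method']} {m['url']}")
```

Run against the sample data, the firewall hit resolves to green client 192.168.1.50 (an HTTP request and a CONNECT to the same address seconds later); the request from 192.168.1.77 shows up only if the window is widened to 60 seconds, which is the usual trade-off when matching a timestamp without a date against a busy proxy log. On a real system the same logic runs over /var/log/squid/access.log with the day taken from the firewall log export.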