From mboxrd@z Thu Jan  1 00:00:00 1970
Return-Path: <development+bounces-492-archive=lists.ipfire.org@lists.ipfire.org>
Received: from mail02.haj.ipfire.org (localhost [127.0.0.1])
	by mail02.haj.ipfire.org (Postfix) with ESMTP id 4b4ZxY1Hr8z32pF
	for <archive@lists.ipfire.org>; Sat, 24 May 2025 21:32:33 +0000 (UTC)
Received: from mail01.ipfire.org (mail01.haj.ipfire.org [172.28.1.202])
	(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
	 key-exchange X25519 server-signature ECDSA (secp384r1) server-digest SHA384
	 client-signature RSA-PSS (4096 bits) client-digest SHA256)
	(Client CN "mail01.haj.ipfire.org", Issuer "R10" (verified OK))
	by mail02.haj.ipfire.org (Postfix) with ESMTPS id 4b4ZxT4pzNz2yZf
	for <development@lists.ipfire.org>; Sat, 24 May 2025 21:32:29 +0000 (UTC)
Received: from [127.0.0.1] (localhost [127.0.0.1])
	(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
	 key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256)
	(No client certificate requested)
	by mail01.ipfire.org (Postfix) with ESMTPSA id 4b4ZxS6F28z4n
	for <development@lists.ipfire.org>; Sat, 24 May 2025 21:32:28 +0000 (UTC)
Message-ID: <b45dd64a-0187-4df0-a64d-a87af3c942e2@ipfire.org>
Date: Sat, 24 May 2025 23:32:26 +0200
Precedence: list
List-Id: <development.lists.ipfire.org>
List-Subscribe: <https://lists.ipfire.org/>,
 <mailto:development+subscribe@lists.ipfire.org?subject=subscribe>
List-Unsubscribe: <https://lists.ipfire.org/>,
 <mailto:development+unsubscribe@lists.ipfire.org?subject=unsubscribe>
List-Post: <mailto:development@lists.ipfire.org>
List-Help: <mailto:development+help@lists.ipfire.org?subject=help>
Sender: <development@lists.ipfire.org>
Mail-Followup-To: <development@lists.ipfire.org>
MIME-Version: 1.0
Subject: Re: How to find green IP that is sending traffic to hostile network
To: development@lists.ipfire.org
References: <fbab852a-4fcc-4c88-86d4-53bfb74e7ec8@sandyindustries.com>
Content-Language: en-GB
From: Bernhard Bitsch <bbitsch@ipfire.org>
In-Reply-To: <fbab852a-4fcc-4c88-86d4-53bfb74e7ec8@sandyindustries.com>
Content-Type: text/plain; charset=UTF-8; format=flowed
Content-Transfer-Encoding: 8bit



On 23.05.2025 at 17:33, Tim Zakharov wrote:
> At Status->Network (other)->Firewall Hits Graph I sometimes see values 
> in the 'To Hostile Networks' line beneath the graph, which tells me a 
> green IP attempted to send traffic to a Hostile Network.  In a forum 
> conversation with Adolf Belka, I was guided to Export Firewall Logs for 
> the day the event occurred and search for DROP_HOSTILE.  I did, but 
> could only come up with RED traffic, not GREEN, during that time frame. 
> For example:
>> 2:13:11 DROP_HOSTILE IN= OUT=red0 SRC=70.164.192.226 DST=202.61.85.215 
>> LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=17688 DF PROTO=TCP SPT=57844 
>> DPT=80 WINDOW=42340 RES=0x00 SYN URGP=0
> Where SRC is my RED IP and DST is the hostile network.
> 

As stated in the forum thread, this is an attempt by the proxy to reach 
the hostile address. This is done at the request of a client in the local 
network for this IP.
To find this client, you also have to analyse the proxy logs. There 
should be an entry "request from <client IP> to <hostile IP>".

BR,
Bernhard
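
One way to do that correlation, as an added example that is not code from this thread or from IPFire: it parses the DROP_HOSTILE line quoted above and looks in the Squid native access.log for the LAN client whose request went direct to the same destination while the drop happened. The clock-only timestamp prefix on the exported firewall lines (date supplied separately, read as UTC), the access.log layout, the extra log lines and the client addresses are all assumptions.

```python
import re
from datetime import date, datetime, timezone
# Constructed sample data, not from the thread: the first DROP_HOSTILE line reuses the
# quoted fields; the other firewall lines, Squid access.log entries and clients are invented.
FIREWALL_LOG = """\
2:13:11 DROP_HOSTILE IN= OUT=red0 SRC=70.164.192.226 DST=202.61.85.215 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=17688 DF PROTO=TCP SPT=57844 DPT=80 WINDOW=42340 RES=0x00 SYN URGP=0
2:13:12 DROP_INPUT IN=red0 OUT= SRC=198.51.100.7 DST=70.164.192.226 PROTO=TCP DPT=22
2:14:00 DROP_HOSTILE IN=green0 OUT=red0 SRC=192.168.1.99 DST=203.0.113.5 PROTO=UDP SPT=40000 DPT=53
"""
PROXY_LOG = """\
1747958000.100   120 192.168.1.20 TCP_MISS/200 512 GET http://202.61.85.215/old - HIER_DIRECT/202.61.85.215 text/html
1747966452.300 61200 192.168.1.50 TCP_MISS/503 0 GET http://202.61.85.215/ - HIER_DIRECT/202.61.85.215 text/html
1747966391.007    30 192.168.1.77 TCP_MISS/200 2048 GET http://93.184.216.34/ - HIER_DIRECT/93.184.216.34 text/html
"""
KV = re.compile(r"(\w+)=(\S*)")   # key=value pairs of the kernel log line; flags like DF/SYN are skipped

def drop_hostile_events(fw_log, day):
    """Yield (epoch, fields) for each DROP_HOSTILE line of one exported day (clock read as UTC)."""
    d = date.fromisoformat(day)
    for line in fw_log.splitlines():
        clock, _, rest = line.partition(" ")
        if not rest.startswith("DROP_HOSTILE"):
            continue
        h, m, s = (int(x) for x in clock.split(":"))
        when = datetime(d.year, d.month, d.day, h, m, s, tzinfo=timezone.utc)
        yield when.timestamp(), dict(KV.findall(rest))

def proxy_clients_for(proxy_log, dst_ip, event_epoch, window=5.0):
    """LAN clients whose Squid request went direct to dst_ip and was in flight around the drop."""
    clients = []
    for line in proxy_log.splitlines():
        f = line.split()
        if len(f) < 9:
            continue
        end, elapsed_ms, client, peer = float(f[0]), int(f[1]), f[2], f[8]
        start = end - elapsed_ms / 1000.0   # Squid stamps the line at completion, not at request start
        if peer.endswith("/" + dst_ip) and start - window <= event_epoch <= end + window:
            clients.append(client)
    return clients

def find_green_clients(fw_log, proxy_log, day):
    """Map each hostile destination to the green clients behind the hit (direct or via the proxy)."""
    result = {}
    for epoch, fields in drop_hostile_events(fw_log, day):
        if fields.get("IN"):   # forwarded packet: the green SRC is already in the line
            hits = [fields["SRC"]]
        else:                  # IN empty: generated on the firewall itself, i.e. the proxy
            hits = proxy_clients_for(proxy_log, fields["DST"], epoch)
        result.setdefault(fields["DST"], []).extend(hits)
    return result
```

Run `find_green_clients(FIREWALL_LOG, PROXY_LOG, "2025-05-23")` to get the hostile destination mapped to the green client that asked the proxy for it; the elapsed-time adjustment matters because a dropped SYN makes Squid log the request only after its connect timeout.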