From: Tim Zakharov <tim.zakharov@sandyindustries.com>
To: development@lists.ipfire.org
Date: Fri, 23 May 2025 10:33:21 -0500
Subject: How to find green IP that is sending traffic to hostile network
At Status->Network (other)->Firewall Hits Graph I sometimes see values in the 'To Hostile Networks' line beneath the graph, which tells me a green IP attempted to send traffic to a Hostile Network. In a forum conversation with Adolf Belka, I was guided to Export Firewall Logs for the day the event occurred and search for DROP_HOSTILE. I did, but could only come up with RED traffic, not GREEN, during that time frame. For example:

> 2:13:11 DROP_HOSTILE IN= OUT=red0 SRC=70.164.192.226 DST=202.61.85.215 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=17688 DF PROTO=TCP SPT=57844 DPT=80 WINDOW=42340 RES=0x00 SYN URGP=0

Where SRC is my RED IP and DST is the hostile network.

I have seen DROP_HOSTILE IN=green0 traffic before, but it was while browsing through Logs->FWLoggraphs (IP) when I happened to randomly click on a green IP that had attempted a connection with a hostile network.

I would like to find a quick, reliable way to see which GREEN IP attempted to connect to a hostile network. Any ideas?

For reference, here is the forum post I referenced above:
https://community.ipfire.org/t/how-to-find-green-ip-that-is-sending-traffic-to-hostile-network/14098
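One way to do the search the post asks for, as an added example that is neither the poster's nor IPFire's own code: it parses exported firewall log lines in the layout quoted above and lists the GREEN sources behind DROP_HOSTILE entries, ignoring the firewall's own (IN= empty, SRC = RED address) entries. The interface name green0 comes from the post; the sample lines and their addresses are constructed.

```python
import re
from collections import Counter, defaultdict

# Constructed sample lines in the layout of IPFire's exported firewall log, as
# quoted in the post. Addresses are made up: 192.168.1.0/24 stands in for GREEN,
# 198.51.100.7 for the RED address and 203.0.113.0/24 for a hostile network.
SAMPLE_LOG = """\
02:13:11 DROP_HOSTILE IN= OUT=red0 SRC=198.51.100.7 DST=203.0.113.9 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=17688 DF PROTO=TCP SPT=57844 DPT=80 WINDOW=42340 RES=0x00 SYN URGP=0
02:13:12 DROP_HOSTILE IN=green0 OUT=red0 SRC=192.168.1.50 DST=203.0.113.9 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=1 DF PROTO=TCP SPT=51000 DPT=443 WINDOW=65535 RES=0x00 SYN URGP=0
02:14:03 DROP_INPUT IN=red0 OUT= SRC=203.0.113.77 DST=198.51.100.7 LEN=40 TOS=0x00 PREC=0x00 TTL=52 ID=0 DF PROTO=TCP SPT=40000 DPT=22 WINDOW=1024 RES=0x00 SYN URGP=0
02:15:41 DROP_HOSTILE IN=green0 OUT=red0 SRC=192.168.1.50 DST=203.0.113.12 LEN=76 TOS=0x00 PREC=0x00 TTL=63 ID=2 PROTO=UDP SPT=53000 DPT=53
02:16:05 DROP_HOSTILE IN=green0 OUT=red0 SRC=192.168.1.21 DST=203.0.113.9 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=3 DF PROTO=TCP SPT=49152 DPT=80 WINDOW=65535 RES=0x00 SYN URGP=0
"""

# key=value tokens; bare flags such as DF or SYN carry no '=' and are skipped.
FIELD_RE = re.compile(r"(\w+)=(\S*)")

def parse_line(line):
    """Split one log line into (timestamp, action, {field: value}) or None."""
    parts = line.split(None, 2)
    if len(parts) < 3:
        return None
    ts, action, rest = parts
    return ts, action, dict(FIELD_RE.findall(rest))

def green_hostile_hits(log_text, green_if="green0"):
    """Map each GREEN source to {hostile destination: hit count} over the
    DROP_HOSTILE lines whose IN= is the green interface. An empty IN= (the
    line the post shows) is netfilter's mark for the firewall's own packets."""
    hits = defaultdict(Counter)
    for raw in log_text.splitlines():
        parsed = parse_line(raw)
        if parsed is None:
            continue
        _, action, f = parsed
        if action == "DROP_HOSTILE" and f.get("IN") == green_if:
            hits[f["SRC"]][f["DST"]] += 1
    return {src: dict(dsts) for src, dsts in hits.items()}

def report(log_text):
    """One line per offending GREEN host, most hits first."""
    rows = []
    for src, dsts in green_hostile_hits(log_text).items():
        targets = ", ".join(f"{d} x{n}" for d, n in sorted(dsts.items()))
        rows.append((sum(dsts.values()), f"{src}: {targets}"))
    return "\n".join(text for _, text in sorted(rows, reverse=True))

if __name__ == "__main__":
    print(report(SAMPLE_LOG))
```

Feed report() the text of the exported log for the day in question; a source that never appears with IN=green0 (the RED address, or anything not on GREEN) is never listed.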