Incoming Source Port 80

jskain · #1 (**permalink**) 02-09-2010, 01:46 PM

Hi:

In the packet filter live log I see numerous "default drop" coming from various IP's with a source port (not destination) of tcp 80. I did some googling, and it seems that is some web pages trying to do things like load balancing, etc. Not sure if that's correct or not.

But - anyone else getting a lot of those default drops?

Second - is there a way to creat a packet filter based on a source port rather than a destination port? Or, do a forward for a certain source port and send it to a black hole?

Thanks !!

wingman · #2 (**permalink**) 02-09-2010, 01:49 PM

What are you trying to achieve? (normally source ports are random.)

jskain · #3 (**permalink**) 02-09-2010, 04:43 PM

First, I'm trying to make sure this isn't some sort of attack.

Assuming it's not (it comes from multiple IP's), I just don't want it to be cluttering up the logs.

Yes, usually you would see a random source port and a destination of 80 for HTTP traffic. This is the opposite. Always a source port of 80 and random destination ports.

The destination IP is the external IP of the firewall (shown as X.X.X.X below).

11:40:52 Default DROP TCP 65.125.72.43 : 80
→ X.X.X.X: 46414
[RST] len=40 ttl=59 tos=0x00 srcmac=00:00:00:00:00:00 dstmac=00:1a:8c:17:1c:01

11:40:52 Default DROP TCP 208.43.57.101 : 80
→ X.X.X.X: 39128
[ACK] len=52 ttl=50 tos=0x00 srcmac=00:00:00:00:00:00 dstmac=00:1a:8c:17:1c:01

11:40:52 Default DROP TCP 208.43.57.101 : 80
→ X.X.X.X: 39128
[ACK] len=52 ttl=50 tos=0x00 srcmac=00:00:00:00:00:00 dstmac=00:1a:8c:17:1c:01

11:40:53 Default DROP TCP 208.43.57.101 : 80
→ X.X.X.X: 39128
[ACK] len=52 ttl=50 tos=0x00 srcmac=00:00:00:00:00:00 dstmac=00:1a:8c:17:1c:01

11:40:54 Default DROP TCP 208.43.57.101 : 80
→ X.X.X.X: 39128
[ACK] len=52 ttl=50 tos=0x00 srcmac=00:00:00:00:00:00 dstmac=00:1a:8c:17:1c:01

11:40:55 Default DROP TCP 64.94.107.14 : 80
→ X.X.X.X: 44912
[RST] len=40 ttl=51 tos=0x00 srcmac=00:00:00:00:00:00 dstmac=00:1a:8c:17:1c:01

JimmyM · #4 (**permalink**) 02-09-2010, 09:35 PM

Yes, you should be able to create a packet filter rule to silently drop inbound traffic from port 80.

Create a new Service destination call it R_HTTP (Reverse HTTP)
and set the Source Port as 80 and the destination as 1:65535.
The normal HTTP definition is Source 1:65535, Destination: 80

Create a packet filter rule:
Source: Any
Service: R_HTTP
Destination: External Address
Action: Drop
Log Traffic: Unchecked

I'm not sure hot it will treat normal HTTP traffic, but try it out. ASG normally just drops this traffic as a part of IPTABLES since it isn't a part of reply to an outbound request.

Someone check my math here.

jskain · #5 (**permalink**) 02-10-2010, 12:30 AM

Thanks.

Duh - right under my nose.

Created it like you said. Put it at the bottom of the packet filter stack.
No more source port 80 swamping the logs.
Tried outgoing http, and seems to be working fine, and incoming http to the one allowed server is also working.

Thanks!!

JimmyM · #6 (**permalink**) 02-10-2010, 01:33 AM

Ah, Very good. Glad to help.