I have noticed in one of my firewalls that normally gets a ton of DROP_NEWNOTSYN due to it being a network that phones connect to, that on or around August 12th the number of hits on this rule have dropped from ~1000 per day to less than 5 per day. Did something change in how this rule is triggered?
Yes, I verified that I did not disable logging of NEWNOTSYN. Besides, the fact that I am still getting 1 to 5 hits per day tells me the rule is still in effect. Also, on weekends when no one is working, I have always gotten zero hits for this.
I checked two other IPFires I maintain. One has these logs disabled. The other one has no phones connected to it, so consistently ~0 log alerts.
More detail, up until Friday, August 9 I was getting anywhere from hundreds to thousands of hits per day of DROP_NEWNOTSYN. On Saturday, August 9, it went down to 74 hits, which is typical of a non-working day. Sunday had zero hits. Unusual, but possible for a Sunday with no one at the office. Then on Monday and Tuesday, again zero hits. Wednesday August 14 we got 3 hits. And from then until today, we are on a trend of 1-5 hits per day during workdays and 0-1 hits on Saturday and Sunday.
I’m happy to have fewer firewall hits, but this is out of the blue and stands out as quite unusual. Has anyone else noticed anything similar in their IPFire?
DROP_NEWNOTSYN can be due to a variety of reasons, including a broken client, or a system that does not properly reestablish a network connection when switching networks (e.g., a smartphone connecting to your local WiFi network, while keeping a connection it has established via the cellular network alive). It may well be that such a client or incident was responsible for the sudden surge in DROP_NEWNOTSYN logs.
On a general note, especially if your IPFire machine does not expose any ports to the internet (or whatever untrusted network is connected to your RED interface), firewalling outgoing network traffic is much more interesting. For additional information on this topic, please see: www.ipfire.org - Firewall configuration recommendations for IPFire users
Peter, I have noticed on three different IPFire systems in different environments that the amount of newnotsyn hits in the firewall have stayed very low since around August 12th. I can pull up numbers from my logs if you’d like more detail. It seems as if the detection scheme for the rule was modified so that less noise appears in the logs. I can’t say that with certainty, but that is the appearance based on how drastically the hits dropped. :shrug:
This is the iptables rule that causes the DROP_NEWNOTSYN hits (if logging is enabled). It has not been changed in a long time, and there is no way for IPFire (or its developers) to dynamically update this rule.
So whatever has changed, it most likely was something on the internet (perhaps a scanner that spawned up and then ceased operation), rather than at IPFire.
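Since the question comes down to "how many DROP_NEWNOTSYN hits per day, and from which hosts", here is an added example (not part of this thread and not an IPFire script) that counts those hits from kernel log lines. The sample log lines, the hostname `fw`, the interface names and the addresses are all constructed; the iptables lines in the comment are an illustrative NEW-without-SYN rule of the kind described above, not a verbatim copy of IPFire's rule. Only the `DROP_NEWNOTSYN ` log prefix is taken from the thread.

```shell
#!/bin/sh
# Added example: count DROP_NEWNOTSYN hits per day and per source host from
# syslog-style kernel log lines. Not IPFire's own code; pipe your real log
# into the functions, e.g.  newnotsyn_per_day < /var/log/messages

# An illustrative rule of this kind (assumed shape, not IPFire's verbatim rule):
# TCP packets that conntrack classifies as NEW but that lack the SYN flag are
# logged with the DROP_NEWNOTSYN prefix and then dropped.
#   iptables -A NEWNOTSYN -p tcp ! --syn -m conntrack --ctstate NEW \
#       -m limit --limit 10/minute -j LOG --log-prefix "DROP_NEWNOTSYN "
#   iptables -A NEWNOTSYN -p tcp ! --syn -m conntrack --ctstate NEW -j DROP

# Constructed sample log lines in netfilter LOG format ("Mon DD HH:MM:SS host kernel: PREFIX IN=... SRC=...").
SAMPLE_LOG='Aug  9 08:12:01 fw kernel: DROP_NEWNOTSYN IN=green0 OUT=red0 SRC=10.0.1.23 DST=203.0.113.5 PROTO=TCP SPT=51234 DPT=443 ACK
Aug  9 08:12:05 fw kernel: DROP_NEWNOTSYN IN=green0 OUT=red0 SRC=10.0.1.23 DST=203.0.113.5 PROTO=TCP SPT=51234 DPT=443 ACK
Aug  9 09:00:00 fw kernel: DROP_INPUT IN=red0 OUT= SRC=198.51.100.7 DST=192.0.2.1 PROTO=TCP SPT=40000 DPT=22 SYN
Aug 10 11:30:12 fw kernel: DROP_NEWNOTSYN IN=green0 OUT=red0 SRC=10.0.1.40 DST=203.0.113.9 PROTO=TCP SPT=60001 DPT=443 ACK
Aug 12 07:45:33 fw kernel: DROP_NEWNOTSYN IN=green0 OUT=red0 SRC=10.0.1.23 DST=203.0.113.5 PROTO=TCP SPT=51299 DPT=443 ACK PSH
Aug 12 07:46:00 fw kernel: DROP_NEWNOTSYN IN=green0 OUT=red0 SRC=10.0.1.40 DST=203.0.113.9 PROTO=TCP SPT=60002 DPT=443 ACK
Aug 12 07:46:10 fw kernel: DROP_NEWNOTSYN IN=green0 OUT=red0 SRC=10.0.1.51 DST=203.0.113.9 PROTO=TCP SPT=60003 DPT=443 ACK'

# newnotsyn_per_day: read log lines on stdin, print "Mon DD count" for each
# day in order of first appearance (logs are chronological, so this is date
# order without relying on a month-aware sort). Other DROP_* prefixes are ignored.
newnotsyn_per_day() {
    awk '/DROP_NEWNOTSYN/ {
             day = $1 " " $2
             if (!(day in n)) order[++k] = day
             n[day]++
         }
         END { for (i = 1; i <= k; i++) print order[i], n[order[i]] }'
}

# newnotsyn_top_sources: read log lines on stdin, print "count SRC" sorted by
# count. Useful for checking the "one broken client" explanation: a single
# internal host dominating the list points at that device, not at the rule.
newnotsyn_top_sources() {
    grep 'DROP_NEWNOTSYN' | sed -n 's/.*SRC=\([^ ]*\).*/\1/p' | sort | uniq -c | sort -rn
}

# count_for_day "Aug 12": hits for one day from the sample log (0 if none).
# Day matching is done in awk so "Aug 9" matches the double-spaced "Aug  9".
count_for_day() {
    printf '%s\n' "$SAMPLE_LOG" |
        awk -v d="$1" '/DROP_NEWNOTSYN/ && ($1 " " $2) == d { c++ } END { print c + 0 }'
}

# Demonstration on the constructed sample.
printf '%s\n' "$SAMPLE_LOG" | newnotsyn_per_day
printf '%s\n' "$SAMPLE_LOG" | newnotsyn_top_sources
```

On a real IPFire, the same per-day counts for the weeks before and after the date in question make it easy to see whether the drop is global or comes from one or two devices disappearing from the source list, which is the quickest way to tell a client-side change from a change in the firewall itself.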
Thanks, @pmueller. The hits are closely correlated with mobile phones on the network. More mobile phone use = more newnotsyn hits. I wonder if there was some update to a popular mobile phone around that time.