How to tell if logged packets are ALLOWed or BLOCKed

I was checking the logs this morning and saw that telnet (port 23) packets in to the IPFire firewall are being logged – packets from the likes of China, Poland, South Africa … I’m in the USA.

I’m wondering if the packets are not being allowed, that they are being matched by a policy BLOCK rule and logged without an indication of whether they have been ALLOWed or BLOCKed.

Is there an easy way to see if the packets have been ALLOWed or BLOCKed?

If the request has not been allowed then in the Firewall Logs page the chain will be shown as DROP_INPUT.

If you have a port forward rule in place then you would get two chains.
The first would be DNAT followed by FORWARDFW.

What chain is being shown for the packets you are seeing?

Chain: INPUTFW

The DROP_INPUT is the default firewall drop rule.

INPUTFW means that a Custom Rule has been created which could be accepted or rejected.

Go to the WUI menu - Firewall - iptables.

Then select INPUTFW in the drop down box in the top section labelled iptables and then press update.

If you show a screenshot of that it will show all the rules related to INPUTFW and if they are Accept or Reject or Drop and if logging is enabled.

Here is what mine looks like.

With this you can see that I have a rule that allows NIS traffic for my UPS system between Orange and Green. That rule has an Accept target and there is no Logging enabled.

There is also a rule for port 25 (smtp) traffic going in or out which has a Reject target and has logging enabled.

You should find in your INPUTFW chain the information for what rule is related to port 23 and if it is Accept, Drop or Reject. Logging must be enabled, otherwise you would not see the traffic in your logs.

The rule related to that target will be in your Firewall Rules table somewhere.
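The chain-name triage described in the answer above, as an added example that is not part of the original posts. It counts log entries per chain for one destination port and attaches the meaning given in this thread; the log line layout and the sample lines are constructed assumptions (documentation IP addresses, made-up timestamps), and `chains_for_port` and `explain` are hypothetical helper names.

```python
import re
from collections import Counter

# Constructed sample lines. Assumed layout: "... kernel: <CHAIN> IN=... SRC=... DPT=..."
SAMPLE_LOG = """\
Mar  3 06:12:01 ipfire kernel: INPUTFW IN=red0 OUT= SRC=203.0.113.7 DST=192.0.2.10 LEN=40 PROTO=TCP SPT=41822 DPT=23
Mar  3 06:12:09 ipfire kernel: DROP_INPUT IN=red0 OUT= SRC=198.51.100.23 DST=192.0.2.10 LEN=40 PROTO=TCP SPT=50211 DPT=23
Mar  3 06:13:44 ipfire kernel: INPUTFW IN=red0 OUT= SRC=203.0.113.99 DST=192.0.2.10 LEN=44 PROTO=TCP SPT=33010 DPT=23
Mar  3 06:14:02 ipfire kernel: DROP_INPUT IN=red0 OUT= SRC=198.51.100.80 DST=192.0.2.10 LEN=52 PROTO=TCP SPT=61000 DPT=445
Mar  3 06:14:30 ipfire dhcpcd[1234]: red0: renewing lease
"""

# Interpretation of each chain name as given in the thread.
CHAIN_MEANING = {
    "DROP_INPUT": "default firewall drop rule: the packet was not allowed",
    "INPUTFW": "custom rule: look up its target (Accept/Reject/Drop) on the iptables page",
    "DNAT": "first chain logged for a port forward rule",
    "FORWARDFW": "second chain logged for a port forward rule",
}

LINE_RE = re.compile(
    r"kernel: (?P<chain>[A-Z_]+) .*?\bSRC=(?P<src>\S+).*?\bDPT=(?P<dpt>\d+)"
)

def chains_for_port(log_text, port):
    """Count firewall log entries per chain for one destination port."""
    counts = Counter()
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        # Lines without a chain prefix and a DPT field are not firewall hits.
        if m and int(m.group("dpt")) == port:
            counts[m.group("chain")] += 1
    return counts

def explain(chain):
    """Return the thread's reading of a chain name."""
    return CHAIN_MEANING.get(chain, "unknown chain: inspect it on the iptables page")

if __name__ == "__main__":
    for chain, n in chains_for_port(SAMPLE_LOG, 23).most_common():
        print(f"{n:3d}  {chain:<11} {explain(chain)}")
```

An INPUTFW count only says that a logging custom rule matched; whether those packets were accepted still has to be read from the rule's target.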

Adolf,

Thank you for the detailed and clear instructions. I believe I found the offending custom rule.

Time will tell…