Dear Sirs,
I’ve had reinstalled my Web Service on ORANGE recently and activated GeoIP on the corresponding config page in such a way that just my home country (AT) is allowed; whereas the RED Input Rule was generally allowed, configured as DNAT from RED to ORANGE.
After finishing the Web Service installation I concentrated on the firewall logs and found DNAT’s with some ridiculous FQDN’s:
| IP | Country | Type | Remark | Hit HTTP Service |
|---|---|---|---|---|
| 83.136.38.138 | AT | DNAT | nic.at | yes |
| 178.189.133.206 | AT | DNAT | A1 Telekom Austria | yes |
| 156.96.128.162 | US | DNAT | or-repercussion.hipfuller.com | |
| 162.243.132.150 | US | DNAT | zg-0626-324.stretchoid.com | |
| 217.21.193.74 | NL | DNAT | scanning-the-internet-for-good.dataprovider.com | |
| 220.133.113.67 | TW | DNAT | 220-133-113-67.HINET-IP.hinet.net | |
| 27.65.94.212 | CN | DNAT | (localhost) |
As you may recognize, just some of those IP’s are related to AT, the allowed country of origin. In addition, there are a lot off HINET-IP adresses, which may or may not be related to Synology DSM. However, this device is neither part of the DMZ nor should there exist any open ports which may have been reached from WAN.
Could you please give me a hint why these DNAT entries appear in the logs?
Thank you!