[Webinar] Learn how to a build a cloud-first strategyRegister Now


Drop TCP packet from WAN /dlink log - what does it mean?

Posted on 2009-05-13
Medium Priority
Last Modified: 2012-05-06
I just noticed these on in my dlink logs.  What does it mean?

Drop TCP packet from WAN      Rule: Default deny
Drop TCP packet from WAN      Rule: Default deny
Drop TCP packet from WAN      Rule: Default deny
Drop TCP packet from WAN      Rule: Default deny
Drop TCP packet from WAN      Rule: Default deny
Drop TCP packet from WAN      Rule: Default deny
Drop TCP packet from WAN      Rule: Default deny
Drop TCP packet from WAN      Rule: Default deny
Drop TCP packet from WAN      Rule: Default deny
Drop TCP packet from WAN      Rule: Default deny

Question by:Tania_Farmer
LVL 17

Accepted Solution

ccomley earned 2000 total points
ID: 24372069
What it says - someone "out there" on the internet attempted to make a connection to your system, your firewall has a rule which says not to let these people in - actually it's a default rule, that is, what the firewall does in the absense of any more specific instruction) so it just drops the packet. That is to say, ignores it, rather than either passing it, or responding to it in the negative.

The sending machine will just have "timed out".

It's nothing to worry about.

In fact, as a *general* rule, anything you see in your firewall log is nothing to worry about because it means your firewall has detected and acted upon any problem. The things to worry about are the types of attack your firewall doesn't recognise or can't detect, which it can't block, and, of course, it follows, it can't log either.

There are any NUMBER of reasons why some external computer may be trying to access your network. some legitimate mistakes, keying errors, some attempts to see if you have a "bot" infection or other weakness they can exploit for spamming. It's good that you have a firewall* - but don't lose sleep over all the stuff it logs.

* -  recent experiments showed that if you connect an unprotected Windows XP machine (i.e. with no firewall or software-firewall running) the average time between connecting it and it becoming infected with some bot or trojan is about four minutes...

LVL 12

Expert Comment

ID: 24372082
To add to what ccomley said (and he said a lot and said it well), those messages means somebody from the Internet tried to connect to a computer on your local network. The router blocked the attempt. This is normal and helps a great deal with security. If for some reason you wanted to traffic to go through, you would probably need to setup port forwarding on the router to direct it to the PCs you want, or put a PC in the DMZ to act as a catch-all for incoming attempts except those explicitly blocked.

Expert Comment

ID: 24372098
1. Did you setup some firewall rules on your Dlink?

2. If you can view more details about this transaction to see if it was in ESTABLISHED session, or NEW Session. But if is standard case, this is traffic from your local to Web Server outside (Directly and Via Proxy) of ESTABLISHED session. In this case, you must show more details about these sessions, and also your  firewall rules. If it is unusual case (attacker force their localport to 443 (80,3128) and try to open a new connection to your external IP at port (60xxx) then it will be deny by your Dlink, because I don't think you publish any services in this range port, but in this very unusual case, you can forget about it because Dlink did his job. But It's asume, and I think the standard case is more realitic.

Concerto Cloud for Software Providers & ISVs

Can Concerto Cloud Services help you focus on evolving your application offerings, while delivering the best cloud experience to your customers? From DevOps to revenue models and customer support, the answer is yes!

Learn how Concerto can help you.

LVL 30

Expert Comment

by:Kerem ERSOY
ID: 24373036
I guess this is:
- As you notice all your intranet side ports are  >1024. I means that some client ( made some TCP/IP connection.
- The ports indicate that the requests were made HTTP, HTTPS and HTTP Proxy pages.
- It seems that your firewall is a SPI (stateful packet inspection) firewall in that it :
  - Does not allow any packet to get in initially
  - It allows the response to get  in once an request have been started from inside.
  - From then one it follws the trraffic and when it detects a disconnection, or end to the session it will block the communication that it previously allowed in.
  - It seems to me that, Thoght your firewall decides the communication has been over the web site either did not get the coonection reset TCP/IP packet or having a longer sessin timeout thinks that the connection is still valid and try to send some more info over the channel.
  - Since your firewall decided that the communication is over it drops the packet and logs it.

Furthermore it can not be an external attempt form outside since the address is not a routable address and even if a site decides to send info to that address since these are not routable adresses the packets would not ended-up in your router.

It is clear that the packets are arriving to your registered IP address (Wan side of your router) and your Router knows that the traffic is destined to your internal address from its state tables that it uses for NAT.
Even if it was an hacking attempt then it would only be packet spoofing (Spoofing the TCP/IP headers with the internal addresses.) attempt and which would not work with SPI firewalls.

So I think these log entries are just for you to know that your firewall dropped some communication destined to one of your internal hosts on grounds that Firewall thinks the connection has been terminated. But it can still tell what client the traffic is destined for so it still did not discard the NAT state table but only classified the communication as closed. So you can safely ignore them.

Author Comment

ID: 24373138
Thanks KermE for your reply.

LVL 30

Expert Comment

by:Kerem ERSOY
ID: 24373177
You're welcome. I hope I could be of help. :) Good day.

Featured Post

Free Tool: Path Explorer

An intuitive utility to help find the CSS path to UI elements on a webpage. These paths are used frequently in a variety of front-end development and QA automation tasks.

One of a set of tools we're offering as a way of saying thank you for being a part of the community.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

During and after that shift to cloud, one area that still poses a struggle for many organizations is what to do with their department file shares.
In this article, the configuration steps in Zabbix to monitor devices via SNMP will be discussed with some real examples on Cisco Router/Switch, Catalyst Switch, NAS Synology device.
Get a first impression of how PRTG looks and learn how it works.   This video is a short introduction to PRTG, as an initial overview or as a quick start for new PRTG users.
In this brief tutorial Pawel from AdRem Software explains how you can quickly find out which services are running on your network, or what are the IP addresses of servers responsible for each service. Software used is freeware NetCrunch Tools (https…

865 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question