Drop TCP packet from WAN /dlink log - what does it mean?

Posted on 2009-05-13
Last Modified: 2012-05-06
I just noticed these on in my dlink logs.  What does it mean?

Drop TCP packet from WAN      Rule: Default deny
Drop TCP packet from WAN      Rule: Default deny
Drop TCP packet from WAN      Rule: Default deny
Drop TCP packet from WAN      Rule: Default deny
Drop TCP packet from WAN      Rule: Default deny
Drop TCP packet from WAN      Rule: Default deny
Drop TCP packet from WAN      Rule: Default deny
Drop TCP packet from WAN      Rule: Default deny
Drop TCP packet from WAN      Rule: Default deny
Drop TCP packet from WAN      Rule: Default deny

Question by:Tania_Farmer
LVL 16

Accepted Solution

ccomley earned 500 total points
ID: 24372069
What it says - someone "out there" on the internet attempted to make a connection to your system, your firewall has a rule which says not to let these people in - actually it's a default rule, that is, what the firewall does in the absense of any more specific instruction) so it just drops the packet. That is to say, ignores it, rather than either passing it, or responding to it in the negative.

The sending machine will just have "timed out".

It's nothing to worry about.

In fact, as a *general* rule, anything you see in your firewall log is nothing to worry about because it means your firewall has detected and acted upon any problem. The things to worry about are the types of attack your firewall doesn't recognise or can't detect, which it can't block, and, of course, it follows, it can't log either.

There are any NUMBER of reasons why some external computer may be trying to access your network. some legitimate mistakes, keying errors, some attempts to see if you have a "bot" infection or other weakness they can exploit for spamming. It's good that you have a firewall* - but don't lose sleep over all the stuff it logs.

* -  recent experiments showed that if you connect an unprotected Windows XP machine (i.e. with no firewall or software-firewall running) the average time between connecting it and it becoming infected with some bot or trojan is about four minutes...

LVL 12

Expert Comment

ID: 24372082
To add to what ccomley said (and he said a lot and said it well), those messages means somebody from the Internet tried to connect to a computer on your local network. The router blocked the attempt. This is normal and helps a great deal with security. If for some reason you wanted to traffic to go through, you would probably need to setup port forwarding on the router to direct it to the PCs you want, or put a PC in the DMZ to act as a catch-all for incoming attempts except those explicitly blocked.

Expert Comment

ID: 24372098
1. Did you setup some firewall rules on your Dlink?

2. If you can view more details about this transaction to see if it was in ESTABLISHED session, or NEW Session. But if is standard case, this is traffic from your local to Web Server outside (Directly and Via Proxy) of ESTABLISHED session. In this case, you must show more details about these sessions, and also your  firewall rules. If it is unusual case (attacker force their localport to 443 (80,3128) and try to open a new connection to your external IP at port (60xxx) then it will be deny by your Dlink, because I don't think you publish any services in this range port, but in this very unusual case, you can forget about it because Dlink did his job. But It's asume, and I think the standard case is more realitic.

Netscaler Common Configuration How To guides

If you use NetScaler you will want to see these guides. The NetScaler How To Guides show administrators how to get NetScaler up and configured by providing instructions for common scenarios and some not so common ones.

LVL 30

Expert Comment

by:Kerem ERSOY
ID: 24373036
I guess this is:
- As you notice all your intranet side ports are  >1024. I means that some client ( made some TCP/IP connection.
- The ports indicate that the requests were made HTTP, HTTPS and HTTP Proxy pages.
- It seems that your firewall is a SPI (stateful packet inspection) firewall in that it :
  - Does not allow any packet to get in initially
  - It allows the response to get  in once an request have been started from inside.
  - From then one it follws the trraffic and when it detects a disconnection, or end to the session it will block the communication that it previously allowed in.
  - It seems to me that, Thoght your firewall decides the communication has been over the web site either did not get the coonection reset TCP/IP packet or having a longer sessin timeout thinks that the connection is still valid and try to send some more info over the channel.
  - Since your firewall decided that the communication is over it drops the packet and logs it.

Furthermore it can not be an external attempt form outside since the address is not a routable address and even if a site decides to send info to that address since these are not routable adresses the packets would not ended-up in your router.

It is clear that the packets are arriving to your registered IP address (Wan side of your router) and your Router knows that the traffic is destined to your internal address from its state tables that it uses for NAT.
Even if it was an hacking attempt then it would only be packet spoofing (Spoofing the TCP/IP headers with the internal addresses.) attempt and which would not work with SPI firewalls.

So I think these log entries are just for you to know that your firewall dropped some communication destined to one of your internal hosts on grounds that Firewall thinks the connection has been terminated. But it can still tell what client the traffic is destined for so it still did not discard the NAT state table but only classified the communication as closed. So you can safely ignore them.

Author Comment

ID: 24373138
Thanks KermE for your reply.

LVL 30

Expert Comment

by:Kerem ERSOY
ID: 24373177
You're welcome. I hope I could be of help. :) Good day.

Featured Post

Windows Server 2016: All you need to know

Learn about Hyper-V features that increase functionality and usability of Microsoft Windows Server 2016. Also, throughout this eBook, you’ll find some basic PowerShell examples that will help you leverage the scripts in your environments!

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

If you're not part of the solution, you're part of the problem.   Tips on how to secure IoT devices, even the dumbest ones, so they can't be used as part of a DDoS botnet.  Use PRTG Network Monitor as one of the building blocks, to detect unusual…
In this article, I am going to show you how to simulate a multi-site Lab environment on a single Hyper-V host. I use this method successfully in my own lab to simulate three fully routed global AD Sites on a Windows 10 Hyper-V host.
Viewers will learn how to connect to a wireless network using the network security key. They will also learn how to access the IP address and DNS server for connections that must be done manually. After setting up a router, find the network security…
Here's a very brief overview of the methods PRTG Network Monitor ( offers for monitoring bandwidth, to help you decide which methods you´d like to investigate in more detail.  The methods are covered in more detail in o…

770 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question