Why are "allowed" packets being logged?
Posted: Wed Apr 17, 2013 11:05 am
by faris
I've used the "simple" firewall mode to allow all the usual ports, including 80 and 30000.
The resulting firewall rules shown via iptables all look correct.
But I can't figure out why even "allowed" packets are being logged. e.g. this connection from me to the ASL GUI:
Code:
kernel: DROP_ASL_INPUT IN=eth0 OUT= MAC=(redacted) SRC=MY-OWN-IP DST=SERVER-IP LEN=40 TOS=0x00 PREC=0x00 TTL=244 ID=0 PROTO=TCP SPT=56677 DPT=30000 SEQ=1398141190 ACK=1398141190 WINDOW=0 RES=0x00 RST URGP=0
I can connect to the GUI fine and it works fine.
I also see entries logged for connections to other open ports, e.g. 587, and again the logs show that someone is correctly authenticating, so I don't know why it is being logged.
The relevant part of the IPtables output is:
Code:
Chain ASL-Firewall-INPUT (1 references)
pkts bytes target prot opt in out source destination
93754 39M ACCEPT all -- lo * 0.0.0.0/0 0.0.0.0/0
44198 3705K ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 icmp type 255
0 0 ACCEPT esp -- * * 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT ah -- * * 0.0.0.0/0 0.0.0.0/0
82553 11M ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
326 16952 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:30000
(snip - lots of other allowed ports)
127 6155 LOG all -- * * 0.0.0.0/0 0.0.0.0/0 limit: avg 1/sec burst 5 LOG flags 7 level 6 prefix `DROP_ASL_INPUT '
128 6207 DROP all -- * * 0.0.0.0/0 0.0.0.0/0
So surely only packets that are going to be dropped should be logged?
Re: Why are "allowed" packets being logged?
Posted: Wed Apr 17, 2013 11:20 am
by mikeshinn
That means the packet was dropped, not allowed. That log rule will only trigger for a dropped rule. Check to make sure you are dropping INVALID packets, as a noisy stack will cause orphan/invalid packets to be transmitted by the client, and will be dropped correctly because they are not associated with any valid connection any longer.
Re: Why are "allowed" packets being logged?
Posted: Wed Apr 17, 2013 11:39 am
by faris
OK. Drop_invalid was set to NO (default)
Now the problem here is that at least some of the IPs that were causing this noise were showing up in the GUI as a level 10 event (as per http://www.atomicorp.com/forum/viewtopic.php?f=3&t=6724 multiple drops from the same IP) and in theory being shunned.
If I enable drop invalid *and enable logging of invalid*, we'll be in the same situation, right? Those IPs will still be shunned (assuming they were invalid packets).
So the recommended option would be to enable DROP_INVALID but not log them?
And this will work OK?
Re: Why are "allowed" packets being logged?
Posted: Wed Apr 17, 2013 11:52 am
by faris
Default on this installation may have been NO but it says "yes" in the description on the page and there's a big warning about disabling this. So it was just that this installation had been set to NO at some point, or the default from ages ago was NO maybe.
Anyway, setting DROP_INVALID to YES, which is how it should be, does seem to have solved the problem.
Re: Why are "allowed" packets being logged?
Posted: Wed Apr 17, 2013 1:56 pm
by biggles
I get kicked out all of the time by this rule when accessing the GUI. Almost every time I try to access the GUI from a non-whitelisted IP I get blocked. Port 30000 is an allowed port. FW_DROP_INVALID is set to Yes (default)
(Enable/Disable blocking of packets that the state engine can not identify with a stateful session. Default:[yes])
Re: Why are "allowed" packets being logged?
Posted: Wed Apr 17, 2013 2:02 pm
by prupert
Re: Why are "allowed" packets being logged?
Posted: Wed Apr 17, 2013 2:10 pm
by biggles
OK, but why does it shun me when I'm just trying to access the ASL GUI?
edit: and yes, I am using the ASL kernel.
Re: Why are "allowed" packets being logged?
Posted: Wed Apr 17, 2013 2:14 pm
by biggles
faris wrote: Default on this installation may have been NO but it says "yes" in the description on the page and there's a big warning about disabling this. So it was just that this installation had been set to NO at some point, or the default from ages ago was NO maybe.
Anyway, setting DROP_INVALID to YES, which is how it should be, does seem to have solved the problem.
I had exactly the same setup when I started with the firewall. It was defaulted to NO even though the documentation said default YES.
Re: Why are "allowed" packets being logged?
Posted: Wed Apr 17, 2013 2:17 pm
by biggles
Also, the Wiki seems a bit outdated (or the GUI). GUI says default for FW_BAD_PACKETS is NO and wiki says YES. Same with FW_PORTSCAN.
Which is the recommended value?
Re: Why are "allowed" packets being logged?
Posted: Wed Apr 17, 2013 5:06 pm
by faris
biggles wrote: OK, but why does it shun me when I'm just trying to access the ASL GUI?
edit: and yes, I am using the ASL kernel.
Is logging disabled for FW_DROP_INVALID? It should be disabled.
Or to put it another way, in /var/log/messages, when you login to the ASL GUI, do you see your IP in a kernel message related to the firewall? If so, which chain is it appearing in?
That chain, whatever it is, is the problem. ossec will pick up multiple drops from the same IP and shun you.
In my case, because I was NOT dropping INVALID, my IP (and those of customers) was appearing in the DROP_ASL_INPUT chain logging (which I want enabled so I had it enabled) and we were being shunned.
As soon as I enabled BLOCK_INVALID, these entries stopped and all was well. But in this case I needed to NOT log DROP_INVALID, as otherwise these IPs will be shunned again as they would appear in the logs.
Sorry if I'm explaining something you already know. I didn't know any of this this morning. But now I do
Faris.
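Added example (not part of any post in this thread, and not ASL or OSSEC code): a small triage script for the situation described above, where logged drops are counted per source IP and the source is then shunned. It parses netfilter LOG lines in the format quoted in the thread and separates sources whose drops are all packets on ports that have an ACCEPT rule but that are not opening a connection (such as the lone RST shown above) from sources probing ports with no ACCEPT rule. The sample log, the allowed-port set, the threshold and all function names are assumptions made for illustration.

```python
import re
from collections import Counter, defaultdict

# Constructed sample in the log format quoted in the thread. Addresses are
# documentation ranges; the sshd line is unrelated noise the parser must skip.
SAMPLE_LOG = """\
Apr 16 12:07:48 server7 kernel: DROP_ASL_INPUT IN=eth0 OUT= MAC=(redacted) SRC=203.0.113.10 DST=198.51.100.5 LEN=40 TOS=0x00 PREC=0x00 TTL=58 ID=37088 DF PROTO=TCP SPT=62996 DPT=30000 SEQ=4005276762 ACK=0 WINDOW=0 RES=0x00 RST URGP=0
Apr 16 12:07:49 server7 kernel: DROP_ASL_INPUT IN=eth0 OUT= MAC=(redacted) SRC=203.0.113.10 DST=198.51.100.5 LEN=40 TOS=0x00 PREC=0x00 TTL=58 ID=37090 DF PROTO=TCP SPT=62997 DPT=30000 SEQ=4005279001 ACK=0 WINDOW=0 RES=0x00 RST URGP=0
Apr 16 12:07:50 server7 sshd[1234]: Accepted publickey for admin from 203.0.113.10 port 50000 ssh2
Apr 16 12:08:02 server7 kernel: DROP_ASL_INPUT IN=eth0 OUT= MAC=(redacted) SRC=203.0.113.10 DST=198.51.100.5 LEN=40 TOS=0x00 PREC=0x00 TTL=58 ID=37101 DF PROTO=TCP SPT=63010 DPT=587 SEQ=1200345 ACK=0 WINDOW=0 RES=0x00 RST URGP=0
Apr 16 12:09:11 server7 kernel: DROP_ASL_INPUT IN=eth0 OUT= MAC=(redacted) SRC=198.51.100.77 DST=198.51.100.5 LEN=60 TOS=0x00 PREC=0x00 TTL=51 ID=4001 DF PROTO=TCP SPT=40100 DPT=23 SEQ=99001 ACK=0 WINDOW=5840 RES=0x00 SYN URGP=0
Apr 16 12:09:12 server7 kernel: DROP_ASL_INPUT IN=eth0 OUT= MAC=(redacted) SRC=198.51.100.77 DST=198.51.100.5 LEN=60 TOS=0x00 PREC=0x00 TTL=51 ID=4002 DF PROTO=TCP SPT=40101 DPT=23 SEQ=99002 ACK=0 WINDOW=5840 RES=0x00 SYN URGP=0
Apr 16 12:09:13 server7 kernel: DROP_ASL_INPUT IN=eth0 OUT= MAC=(redacted) SRC=198.51.100.77 DST=198.51.100.5 LEN=60 TOS=0x00 PREC=0x00 TTL=51 ID=4003 DF PROTO=TCP SPT=40102 DPT=23 SEQ=99003 ACK=0 WINDOW=5840 RES=0x00 SYN URGP=0
"""

LINE_RE = re.compile(r"kernel: (?P<prefix>\S+) (?P<body>IN=.*)$")
TCP_FLAGS = {"CWR", "ECE", "URG", "ACK", "PSH", "RST", "SYN", "FIN"}

def parse_drop(line):
    """Return (prefix, fields, flags) for a netfilter LOG line, else None."""
    m = LINE_RE.search(line)
    if not m:
        return None
    fields, flags = {}, set()
    for tok in m.group("body").split():
        if "=" in tok:              # KEY=value; ACK=0 here is the ack *number*
            key, value = tok.split("=", 1)
            fields[key] = value
        elif tok in TCP_FLAGS:      # bare word; RST here is a TCP header flag
            flags.add(tok)
    return m.group("prefix"), fields, flags

def classify(fields, flags, allowed_tcp_ports):
    """Label a dropped packet relative to the 'state NEW tcp dpt:N' ACCEPT rules."""
    if fields.get("PROTO") != "TCP":
        return "non-tcp"
    if int(fields.get("DPT", -1)) not in allowed_tcp_ports:
        return "closed-port"
    if flags == {"SYN"}:
        return "syn-to-allowed-port"   # a real new connection; should not be dropped
    # The port has an ACCEPT rule, yet the packet reached the catch-all LOG/DROP:
    # it was accepted neither as NEW nor as ESTABLISHED (e.g. a lone RST).
    return "out-of-state"

def summarize(log_text, allowed_tcp_ports, prefix="DROP_ASL_INPUT"):
    """Count drop categories per source IP for one LOG prefix."""
    per_src = defaultdict(Counter)
    for line in log_text.splitlines():
        parsed = parse_drop(line)
        if parsed and parsed[0] == prefix:
            _, fields, flags = parsed
            per_src[fields.get("SRC", "?")][classify(fields, flags, allowed_tcp_ports)] += 1
    return dict(per_src)

def likely_false_shuns(summary, threshold):
    """Sources with >= threshold drops (hypothetical value) that are all out-of-state."""
    return sorted(src for src, c in summary.items()
                  if sum(c.values()) >= threshold and set(c) == {"out-of-state"})

if __name__ == "__main__":
    result = summarize(SAMPLE_LOG, {587, 30000})   # ports taken from the thread's ACCEPT rules
    print(result)
    print(likely_false_shuns(result, threshold=3))
```

Run against /var/log/messages with the server's real allowed-port list, the second list names the clients whose shuns are being caused by this kind of leftover packet rather than by probing.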
Re: Why are "allowed" packets being logged?
Posted: Thu Apr 18, 2013 4:12 am
by biggles
Thanks a lot for your reply, faris! Very much appreciated!
FW_DROP_INVALID=yes
FW_DROP_INVALID_LOG=no
I'm seeing quite a lot of
Code:
Apr 16 12:07:48 server7 kernel: DROP_ASL_INPUT IN=eth0 OUT= MAC=(redacted) SRC=MyIP DST=serverIP LEN=40 TOS=0x00 PREC=0x00 TTL=58 ID=37088 DF PROTO=TCP SPT=62996 DPT=30000 SEQ=4005276762 ACK=0 WINDOW=0 RES=0x00 RST URGP=0
Re: Why are "allowed" packets being logged?
Posted: Thu Apr 18, 2013 4:19 am
by biggles
iptables -L Chain ASL-Firewall-INPUT
Code:
Chain ASL-Firewall-INPUT (1 references)
target prot opt source destination
ACCEPT all -- anywhere anywhere
ACCEPT icmp -- anywhere anywhere icmp any
ACCEPT esp -- anywhere anywhere
ACCEPT ah -- anywhere anywhere
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:ftp-data
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:ftp
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:ssh
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:smtp
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:domain
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:http
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:https
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:smtps
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:pop3
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:imap
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:imaps
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:pop3s
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:submission
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:pcsync-https
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:10050
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:snmp
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:30000
ACCEPT udp -- anywhere anywhere state NEW udp dpt:domain
ACCEPT udp -- anywhere anywhere state NEW udp dpt:ntp
LOG all -- anywhere anywhere limit: avg 1/sec burst 5 LOG level info tcp-sequence tcp-options ip-options prefix `DROP_ASL_INPUT '
DROP all -- anywhere anywhere
Re: Why are "allowed" packets being logged?
Posted: Thu Apr 18, 2013 4:30 pm
by faris
Well I'm afraid I don't understand it.
I'll hand back to Scott/Mike
Re: Why are "allowed" packets being logged?
Posted: Thu Apr 18, 2013 5:55 pm
by mikeshinn
Please post the output of all the running rules:
iptables -L -n
Re: Why are "allowed" packets being logged?
Posted: Fri Apr 19, 2013 6:24 am
by biggles
sure!
Code:
Chain INPUT (policy ACCEPT)
target prot opt source destination
ASL-ACTIVE-RESPONSE all -- 85.165.223.148 0.0.0.0/0
ASL-ACTIVE-RESPONSE all -- 66.150.223.24 0.0.0.0/0
ASL-GEO-BLACKLIST all -- 0.0.0.0/0 0.0.0.0/0
ASL-BLACKLIST all -- 0.0.0.0/0 0.0.0.0/0
ASL-BADPACKETS tcp -- 0.0.0.0/0 0.0.0.0/0 tcp option=128
ASL-BADPACKETS tcp -- 0.0.0.0/0 0.0.0.0/0 tcp option=64
ASL-PORTSCAN tcp -- 0.0.0.0/0 0.0.0.0/0 tcp flags:0x3F/0x37
ASL-PORTSCAN tcp -- 0.0.0.0/0 0.0.0.0/0 tcp flags:0x3F/0x2B
ASL-PORTSCAN tcp -- 0.0.0.0/0 0.0.0.0/0 tcp flags:0x3F/0x29
ASL-PORTSCAN tcp -- 0.0.0.0/0 0.0.0.0/0 tcp flags:0x3F/0x1A
ASL-PORTSCAN tcp -- 0.0.0.0/0 0.0.0.0/0 tcp flags:0x3F/0x0A
ASL-PORTSCAN tcp -- 0.0.0.0/0 0.0.0.0/0 tcp flags:0x3F/0x0D
ASL-PORTSCAN tcp -- 0.0.0.0/0 0.0.0.0/0 tcp flags:0x3F/0x1C
ASL-PORTSCAN tcp -- 0.0.0.0/0 0.0.0.0/0 tcp flags:0x3F/0x03
ASL-PORTSCAN tcp -- 0.0.0.0/0 0.0.0.0/0 tcp flags:0x3F/0x00
ASL-PORTSCAN tcp -- 0.0.0.0/0 0.0.0.0/0 tcp flags:0x3F/0x3F
ASL-PORTSCAN tcp -- 0.0.0.0/0 0.0.0.0/0 tcp flags:0x3F/0x3F
ASL-PORTSCAN tcp -- 0.0.0.0/0 0.0.0.0/0 tcp flags:0x3F/0x00
ASL-PORTSCAN tcp -- 0.0.0.0/0 0.0.0.0/0 tcp flags:0x3F/0x01
ASL-PORTSCAN tcp -- 0.0.0.0/0 0.0.0.0/0 tcp flags:0x3F/0x29
ASL-PORTSCAN tcp -- 0.0.0.0/0 0.0.0.0/0 tcp flags:0x29/0x29
ASL-PORTSCAN tcp -- 0.0.0.0/0 0.0.0.0/0 tcp flags:0x22/0x22
ASL-PORTSCAN tcp -- 0.0.0.0/0 0.0.0.0/0 tcp flags:0x11/0x01
ASL-PORTSCAN tcp -- 0.0.0.0/0 0.0.0.0/0 tcp flags:0x18/0x08
ASL-PORTSCAN tcp -- 0.0.0.0/0 0.0.0.0/0 tcp flags:0x06/0x06
ASL-PORTSCAN tcp -- 0.0.0.0/0 0.0.0.0/0 tcp flags:0x05/0x05
ASL-PORTSCAN tcp -- 0.0.0.0/0 0.0.0.0/0 tcp flags:0x03/0x03
DROP all -- 0.0.0.0/0 0.0.0.0/0 state INVALID
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:30000 state NEW
ASL-TORTIXD-ACL tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:30000 state NEW
ASL-Firewall-INPUT all -- 0.0.0.0/0 0.0.0.0/0
Chain FORWARD (policy ACCEPT)
target prot opt source destination
DROP all -- 0.0.0.0/0 0.0.0.0/0 state INVALID
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
DROP all -- 0.0.0.0/0 0.0.0.0/0 state INVALID
ASL-PLESK-UPDATES tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:5224 state NEW
ASL-UPDATES tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:443 state NEW
ASL-SPAMASSASSIN-UPDATES all -- 0.0.0.0/0 0.0.0.0/0
ASL-Firewall-OUTPUT all -- 0.0.0.0/0 0.0.0.0/0
Chain ASL-ACTIVE-RESPONSE (2 references)
target prot opt source destination
DROP all -- 0.0.0.0/0 0.0.0.0/0
Chain ASL-BADPACKETS (2 references)
target prot opt source destination
LOG all -- 0.0.0.0/0 0.0.0.0/0 limit: avg 1/sec burst 5 LOG flags 7 level 6 prefix `ASL_BADPACKET '
DROP all -- 0.0.0.0/0 0.0.0.0/0
Chain ASL-BLACKLIST (1 references)
target prot opt source destination
ASL-BLACKLIST-DROP-LOG all -- 219.240.36.108 0.0.0.0/0
ASL-BLACKLIST-DROP-LOG all -- 213.89.132.77 0.0.0.0/0
ASL-BLACKLIST-DROP-LOG all -- 204.12.241.132 0.0.0.0/0
ASL-BLACKLIST-DROP-LOG all -- 200.111.168.170 0.0.0.0/0
ASL-BLACKLIST-DROP-LOG all -- 198.27.76.89 0.0.0.0/0
ASL-BLACKLIST-DROP-LOG all -- 198.24.149.216 0.0.0.0/0
ASL-BLACKLIST-DROP-LOG all -- 198.24.149.213 0.0.0.0/0
ASL-BLACKLIST-DROP-LOG all -- 190.103.198.3 0.0.0.0/0
ASL-BLACKLIST-DROP-LOG all -- 190.2.58.88 0.0.0.0/0
ASL-BLACKLIST-DROP-LOG all -- 174.131.25.137 0.0.0.0/0
ASL-BLACKLIST-DROP-LOG all -- 173.212.192.0/18 0.0.0.0/0
ASL-BLACKLIST-DROP-LOG all -- 142.0.40.0/25 0.0.0.0/0
ASL-BLACKLIST-DROP-LOG all -- 96.9.173.62 0.0.0.0/0
ASL-BLACKLIST-DROP-LOG all -- 96.9.173.48 0.0.0.0/0
ASL-BLACKLIST-DROP-LOG all -- 96.9.173.14 0.0.0.0/0
ASL-BLACKLIST-DROP-LOG all -- 96.9.149.0/24 0.0.0.0/0
ASL-BLACKLIST-DROP-LOG all -- 89.178.129.100 0.0.0.0/0
ASL-BLACKLIST-DROP-LOG all -- 89.148.25.0/24 0.0.0.0/0
ASL-BLACKLIST-DROP-LOG all -- 89.111.65.0/24 0.0.0.0/0
ASL-BLACKLIST-DROP-LOG all -- 85.95.238.0/24 0.0.0.0/0
ASL-BLACKLIST-DROP-LOG all -- 66.197.227.170 0.0.0.0/0
ASL-BLACKLIST-DROP-LOG all -- 64.191.99.74 0.0.0.0/0
ASL-BLACKLIST-DROP-LOG all -- 61.147.110.68 0.0.0.0/0
Chain ASL-BLACKLIST-DROP-LOG (23 references)
target prot opt source destination
LOG all -- 0.0.0.0/0 0.0.0.0/0 limit: avg 10/min burst 2 LOG flags 7 level 6 prefix `ASL_BLACKLIST_BLOCK '
DROP all -- 0.0.0.0/0 0.0.0.0/0
Chain ASL-Firewall-INPUT (1 references)
target prot opt source destination
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0 icmp type 255
ACCEPT esp -- 0.0.0.0/0 0.0.0.0/0
ACCEPT ah -- 0.0.0.0/0 0.0.0.0/0
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:20
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:21
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:22
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:25
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:53
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:80
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:443
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:465
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:110
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:143
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:993
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:995
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:587
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:8443
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:10050
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:161
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:30000
ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 state NEW udp dpt:53
ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 state NEW udp dpt:123
LOG all -- 0.0.0.0/0 0.0.0.0/0 limit: avg 1/sec burst 5 LOG flags 7 level 6 prefix `DROP_ASL_INPUT '
DROP all -- 0.0.0.0/0 0.0.0.0/0
Chain ASL-Firewall-OUTPUT (1 references)
target prot opt source destination
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:22
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:25
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:80
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:443
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:465
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:123
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:53
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:10051
ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 state NEW udp dpt:53
ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 state NEW udp dpt:123
LOG all -- 0.0.0.0/0 0.0.0.0/0 limit: avg 1/sec burst 5 LOG flags 15 level 6 prefix `ASL_OUTPUT '
REJECT tcp -- 0.0.0.0/0 0.0.0.0/0 reject-with tcp-reset
REJECT udp -- 0.0.0.0/0 0.0.0.0/0 reject-with icmp-host-prohibited
Chain ASL-GEO-BLACKLIST (1 references)
target prot opt source destination
ASL-GEO-BLACKLIST-DROP-LOG all -- 95.84.64.0/18 0.0.0.0/0
ASL-GEO-BLACKLIST-DROP-LOG all -- 94.79.192.0/18 0.0.0.0/0
ASL-GEO-BLACKLIST-DROP-LOG all -- 94.76.0.0/18 0.0.0.0/0
ASL-GEO-BLACKLIST-DROP-LOG all -- 93.95.24.0/21 0.0.0.0/0
ASL-GEO-BLACKLIST-DROP-LOG all -- 93.188.192.0/21 0.0.0.0/0
ASL-GEO-BLACKLIST-DROP-LOG all -- 91.185.207.224/29 0.0.0.0/0
ASL-GEO-BLACKLIST-DROP-LOG all -- 89.31.192.0/21 0.0.0.0/0
ASL-GEO-BLACKLIST-DROP-LOG all -- 89.190.128.0/19 0.0.0.0/0
ASL-GEO-BLACKLIST-DROP-LOG all -- 89.148.0.0/18 0.0.0.0/0
ASL-GEO-BLACKLIST-DROP-LOG all -- 88.202.109.32/28 0.0.0.0/0
ASL-GEO-BLACKLIST-DROP-LOG all -- 88.201.0.0/17 0.0.0.0/0
ASL-GEO-BLACKLIST-DROP-LOG all -- 87.252.96.0/22 0.0.0.0/0
ASL-GEO-BLACKLIST-DROP-LOG all -- 87.252.126.0/24 0.0.0.0/0
ASL-GEO-BLACKLIST-DROP-LOG all -- 87.252.105.208/28 0.0.0.0/0
ASL-GEO-BLACKLIST-DROP-LOG all -- 87.252.104.208/28 0.0.0.0/0
ASL-GEO-BLACKLIST-DROP-LOG all -- 87.237.192.0/21 0.0.0.0/0
ASL-GEO-BLACKLIST-DROP-LOG all -- 87.236.48.0/21 0.0.0.0/0
ASL-GEO-BLACKLIST-DROP-LOG all -- 87.236.136.0/21 0.0.0.0/0
ASL-GEO-BLACKLIST-DROP-LOG all -- 85.158.128.0/21 0.0.0.0/0
ASL-GEO-BLACKLIST-DROP-LOG all -- 84.255.128.0/18 0.0.0.0/0
ASL-GEO-BLACKLIST-DROP-LOG all -- 84.235.96.0/21 0.0.0.0/0
ASL-GEO-BLACKLIST-DROP-LOG all -- 83.136.56.0/21 0.0.0.0/0
ASL-GEO-BLACKLIST-DROP-LOG all -- 82.206.128.232/29 0.0.0.0/0
ASL-GEO-BLACKLIST-DROP-LOG all -- 82.194.32.0/19 0.0.0.0/0
ASL-GEO-BLACKLIST-DROP-LOG all -- 81.22.16.0/20 0.0.0.0/0
ASL-GEO-BLACKLIST-DROP-LOG all -- 80.95.208.0/20 0.0.0.0/0
ASL-GEO-BLACKLIST-DROP-LOG all -- 80.88.240.0/20 0.0.0.0/0
ASL-GEO-BLACKLIST-DROP-LOG all -- 80.241.144.0/20 0.0.0.0/0
ASL-GEO-BLACKLIST-DROP-LOG all -- 80.231.26.0/23 0.0.0.0/0
ASL-GEO-BLACKLIST-DROP-LOG all -- 80.231.194.32/27 0.0.0.0/0
ASL-GEO-BLACKLIST-DROP-LOG all -- 79.99.88.0/21 0.0.0.0/0
ASL-GEO-BLACKLIST-DROP-LOG all -- 79.171.240.0/21 0.0.0.0/0
ASL-GEO-BLACKLIST-DROP-LOG all -- 79.142.176.0/20 0.0.0.0/0
ASL-GEO-BLACKLIST-DROP-LOG all -- 78.110.64.0/20 0.0.0.0/0
ASL-GEO-BLACKLIST-DROP-LOG all -- 77.92.160.0/19 0.0.0.0/0
ASL-GEO-BLACKLIST-DROP-LOG all -- 77.69.128.0/17 0.0.0.0/0
ASL-GEO-BLACKLIST-DROP-LOG all -- 62.209.0.0/19 0.0.0.0/0
ASL-GEO-BLACKLIST-DROP-LOG all -- 5.225.29.0/24 0.0.0.0/0
ASL-GEO-BLACKLIST-DROP-LOG all -- 5.224.29.0/24 0.0.0.0/0
ASL-GEO-BLACKLIST-DROP-LOG all -- 5.1.42.0/24 0.0.0.0/0
ASL-GEO-BLACKLIST-DROP-LOG all -- 5.132.29.0/24 0.0.0.0/0
ASL-GEO-BLACKLIST-DROP-LOG all -- 5.10.116.60/30 0.0.0.0/0
ASL-GEO-BLACKLIST-DROP-LOG all -- 5.10.114.156 0.0.0.0/0
ASL-GEO-BLACKLIST-DROP-LOG all -- 46.42.64.0/18 0.0.0.0/0
ASL-GEO-BLACKLIST-DROP-LOG all -- 46.36.197.131 0.0.0.0/0
ASL-GEO-BLACKLIST-DROP-LOG all -- 46.235.208.0/21 0.0.0.0/0
ASL-GEO-BLACKLIST-DROP-LOG all -- 46.184.128.0/17 0.0.0.0/0
ASL-GEO-BLACKLIST-DROP-LOG all -- 46.136.91.0/24 0.0.0.0/0
ASL-GEO-BLACKLIST-DROP-LOG all -- 46.136.167.0/24 0.0.0.0/0
ASL-GEO-BLACKLIST-DROP-LOG all -- 46.136.15.0/24 0.0.0.0/0
ASL-GEO-BLACKLIST-DROP-LOG all -- 37.223.20.0/24 0.0.0.0/0
ASL-GEO-BLACKLIST-DROP-LOG all -- 37.222.29.0/24 0.0.0.0/0
ASL-GEO-BLACKLIST-DROP-LOG all -- 37.131.0.0/17 0.0.0.0/0
ASL-GEO-BLACKLIST-DROP-LOG all -- 31.47.95.80/29 0.0.0.0/0
ASL-GEO-BLACKLIST-DROP-LOG all -- 31.47.95.64/29 0.0.0.0/0
ASL-GEO-BLACKLIST-DROP-LOG all -- 31.47.95.48/29 0.0.0.0/0
ASL-GEO-BLACKLIST-DROP-LOG all -- 31.47.95.0/27 0.0.0.0/0
ASL-GEO-BLACKLIST-DROP-LOG all -- 31.47.91.128/25 0.0.0.0/0
ASL-GEO-BLACKLIST-DROP-LOG all -- 31.47.90.0/24 0.0.0.0/0
ASL-GEO-BLACKLIST-DROP-LOG all -- 31.47.89.0/27 0.0.0.0/0
ASL-GEO-BLACKLIST-DROP-LOG all -- 31.47.88.64/26 0.0.0.0/0
ASL-GEO-BLACKLIST-DROP-LOG all -- 31.47.88.32/28 0.0.0.0/0
ASL-GEO-BLACKLIST-DROP-LOG all -- 217.17.224.0/19 0.0.0.0/0
ASL-GEO-BLACKLIST-DROP-LOG all -- 212.63.176.56 0.0.0.0/0
ASL-GEO-BLACKLIST-DROP-LOG all -- 212.63.170.212/30 0.0.0.0/0
ASL-GEO-BLACKLIST-DROP-LOG all -- 195.82.138.0/23 0.0.0.0/0
ASL-GEO-BLACKLIST-DROP-LOG all -- 195.219.28.0/27 0.0.0.0/0
ASL-GEO-BLACKLIST-DROP-LOG all -- 195.112.160.252/30 0.0.0.0/0
ASL-GEO-BLACKLIST-DROP-LOG all -- 194.117.122.63 0.0.0.0/0
ASL-GEO-BLACKLIST-DROP-LOG all -- 193.188.96.0/19 0.0.0.0/0
ASL-GEO-BLACKLIST-DROP-LOG all -- 193.188.12.0/23 0.0.0.0/0
ASL-GEO-BLACKLIST-DROP-LOG all -- 188.137.128.0/17 0.0.0.0/0
ASL-GEO-BLACKLIST-DROP-LOG all -- 188.116.192.0/18 0.0.0.0/0
ASL-GEO-BLACKLIST-DROP-LOG all -- 185.7.8.0/22 0.0.0.0/0
ASL-GEO-BLACKLIST-DROP-LOG all -- 185.3.120.0/22 0.0.0.0/0
ASL-GEO-BLACKLIST-DROP-LOG all -- 185.23.124.0/22 0.0.0.0/0
ASL-GEO-BLACKLIST-DROP-LOG all -- 178.79.255.0/24 0.0.0.0/0
ASL-GEO-BLACKLIST-DROP-LOG all -- 178.237.48.0/20 0.0.0.0/0
ASL-GEO-BLACKLIST-DROP-LOG all -- 178.170.5.0/26 0.0.0.0/0
ASL-GEO-BLACKLIST-DROP-LOG all -- 178.132.32.0/20 0.0.0.0/0
ASL-GEO-BLACKLIST-DROP-LOG all -- 176.241.176.0/21 0.0.0.0/0
ASL-GEO-BLACKLIST-DROP-LOG all -- 171.33.240.0/21 0.0.0.0/0
ASL-GEO-BLACKLIST-DROP-LOG all -- 159.253.137.152/29 0.0.0.0/0
ASL-GEO-BLACKLIST-DROP-LOG all -- 159.253.136.252 0.0.0.0/0
ASL-GEO-BLACKLIST-DROP-LOG all -- 159.253.134.254 0.0.0.0/0
ASL-GEO-BLACKLIST-DROP-LOG all -- 109.63.0.0/17 0.0.0.0/0
ASL-GEO-BLACKLIST-DROP-LOG all -- 109.161.128.0/17 0.0.0.0/0
Chain ASL-GEO-BLACKLIST-DROP-LOG (87 references)
target prot opt source destination
LOG all -- 0.0.0.0/0 0.0.0.0/0 limit: avg 10/min burst 2 LOG flags 7 level 6 prefix `ASL_GEO_BLOCK '
DROP all -- 0.0.0.0/0 0.0.0.0/0
Chain ASL-PLESK-UPDATES (1 references)
target prot opt source destination
ACCEPT tcp -- 0.0.0.0/0 77.245.23.80 tcp dpt:5224 state NEW
Chain ASL-PORTSCAN (21 references)
target prot opt source destination
LOG all -- 0.0.0.0/0 0.0.0.0/0 limit: avg 1/sec burst 5 LOG flags 7 level 6 prefix `DROP_ASL_PORTSCAN '
DROP all -- 0.0.0.0/0 0.0.0.0/0
Chain ASL-SPAMASSASSIN-UPDATES (1 references)
target prot opt source destination
ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:24441 state NEW
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:24441 state NEW
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:2703 state NEW
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:7 state NEW
ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:6277 state NEW
ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 udp spt:6277 state NEW
Chain ASL-TORTIXD-ACL (1 references)
target prot opt source destination
Chain ASL-UPDATES (1 references)
target prot opt source destination
ACCEPT tcp -- 0.0.0.0/0 80.82.124.228 tcp dpt:443 state NEW
ACCEPT tcp -- 0.0.0.0/0 69.20.6.166 tcp dpt:443 state NEW
ACCEPT tcp -- 0.0.0.0/0 74.208.195.110 tcp dpt:443 state NEW
ACCEPT tcp -- 0.0.0.0/0 208.68.233.251 tcp dpt:443 state NEW
ACCEPT tcp -- 0.0.0.0/0 74.208.112.216 tcp dpt:443 state NEW
ACCEPT tcp -- 0.0.0.0/0 74.208.166.51 tcp dpt:443 state NEW
ACCEPT tcp -- 0.0.0.0/0 198.71.51.132 tcp dpt:443 state NEW