Why are "allowed" packets being logged?

faris
Long Time Forum Regular
Posts: 2321
Joined: Thu Dec 09, 2004 11:19 am

I've used the "simple" firewall mode to allow all the usual ports, including 80 and 30000.

The resulting firewall rules shown via iptables all look correct.

But I can't figure out why even "allowed" packets are being logged. e.g. this connection from me to the ASL GUI:

Code:

kernel: DROP_ASL_INPUT IN=eth0 OUT= MAC=(redacted) SRC=MY-OWN-IP DST=SERVER-IP LEN=40 TOS=0x00 PREC=0x00 TTL=244 ID=0 PROTO=TCP SPT=56677 DPT=30000 SEQ=1398141190 ACK=1398141190 WINDOW=0 RES=0x00 RST URGP=0

I can connect to the GUI fine and it works fine.

I also see entries logged for connections to other open ports, e.g. 587, and again the logs show that someone is correctly authenticating, so I don't know why it is being logged.

The relevant part of the IPtables output is:

Code:

Chain ASL-Firewall-INPUT (1 references)
 pkts bytes target     prot opt in     out     source               destination
93754   39M ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
44198 3705K ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0           icmp type 255
    0     0 ACCEPT     esp  --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     ah   --  *      *       0.0.0.0/0            0.0.0.0/0
82553   11M ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
  326 16952 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:30000
(snip - lots of other allowed ports)
  127  6155 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0           limit: avg 1/sec burst 5 LOG flags 7 level 6 prefix `DROP_ASL_INPUT '
  128  6207 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0

So surely only packets that are going to be dropped should be logged?
--------------------------------
<advert>
If you want to rent a UK-based VPS that comes with friendly advice and support from a fellow ART fan, please get in touch.
</advert>
mikeshinn
Atomicorp Staff - Site Admin
Posts: 4149
Joined: Thu Feb 07, 2008 7:49 pm
Location: Chantilly, VA

That means the packet was dropped, not allowed. That log rule will only trigger for a dropped rule. Check to make sure you are dropping INVALID packets, as a noisy stack will cause orphan/invalid packets to be transmitted by the client, and will be dropped correctly because they are not associated with any valid connection any longer.
faris
Long Time Forum Regular
Posts: 2321
Joined: Thu Dec 09, 2004 11:19 am

OK. Drop_invalid was set to NO (default)

Now the problem here is that at least some of the IPs that were causing this noise were showing up in the GUI as a level 10 event (as per http://www.atomicorp.com/forum/viewtopic.php?f=3&t=6724 multiple drops from the same IP) and in theory being shunned.

If I enable drop invalid *and enable logging of invalid*, we'll be in the same situation, right? Those IPs will still be shunned (assuming they were invalid packets).

So the recommended option would be to enable DROP_INVALID but not log them?

And this will work OK?
faris
Long Time Forum Regular
Posts: 2321
Joined: Thu Dec 09, 2004 11:19 am

Default on this installation may have been NO but it says "yes" in the description on the page and there's a big warning about disabling this. So it was just that this installation had been set to NO at some point, or the default from ages ago was NO maybe.

Anyway, setting DROP_INVALID to YES, which is how it should be, does seem to have solved the problem.
biggles
Forum Regular
Posts: 806
Joined: Tue Jul 15, 2008 2:38 pm
Location: Sweden

I get kicked out all of the time by this rule when accessing the GUI. Almost every time I try to access the GUI from a non-whitelisted IP I get blocked. Port 30000 is an allowed port. FW_DROP_INVALID is set to Yes (default).
(Enable/Disable blocking of packets that the state engine can not identify with a stateful session. Default:[yes])
prupert
Forum Regular
Posts: 573
Joined: Tue Aug 01, 2006 2:45 pm
Location: Netherlands

Lemonbit Internet Dedicated Server Management
biggles
Forum Regular
Posts: 806
Joined: Tue Jul 15, 2008 2:38 pm
Location: Sweden

OK, but why does it shun me when I'm just trying to access the ASL GUI?

edit: and yes, I am using the ASL kernel.
biggles
Forum Regular
Posts: 806
Joined: Tue Jul 15, 2008 2:38 pm
Location: Sweden

faris wrote: Default on this installation may have been NO but it says "yes" in the description on the page and there's a big warning about disabling this. So it was just that this installation had been set to NO at some point, or the default from ages ago was NO maybe.

Anyway, setting DROP_INVALID to YES, which is how it should be, does seem to have solved the problem.

I had exactly the same setup when I started with the firewall. It was defaulted to NO even though the documentation said default YES.
biggles
Forum Regular
Posts: 806
Joined: Tue Jul 15, 2008 2:38 pm
Location: Sweden

Also, the Wiki seems a bit outdated (or the GUI). GUI says default for FW_BAD_PACKETS is NO and wiki says YES. Same with FW_PORTSCAN.

Which is the recommended value?
faris
Long Time Forum Regular
Posts: 2321
Joined: Thu Dec 09, 2004 11:19 am

biggles wrote: OK, but why does it shun me when I'm just trying to access the ASL GUI?

edit: and yes, I am using the ASL kernel.

Is logging disabled for FW_DROP_INVALID? It should be disabled.

Or to put it another way, in /var/log/messages, when you log in to the ASL GUI, do you see your IP in a kernel message related to the firewall? If so, which chain is it appearing in?

That chain, whatever it is, is the problem. ossec will pick up multiple drops from the same IP and shun you.

In my case, because I was NOT dropping INVALID, my IP (and those of customers) was appearing in the DROP_ASL_INPUT chain logging (which I want enabled so I had it enabled) and we were being shunned.

As soon as I enabled BLOCK_INVALID, these entries stopped and all was well. But in this case I needed to NOT log DROP_INVALID, as otherwise these IPs will be shunned again as they would appear in the logs.

Sorry if I'm explaining something you already know. I didn't know any of this this morning. But now I do :-)

Faris.
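
An added example, not part of any post in this thread: a small parser for the netfilter LOG lines quoted above that separates bare RST/FIN packets aimed at an allowed port (the leftover traffic from a connection the state engine no longer tracks) from connection attempts to closed ports, and counts `DROP_ASL_INPUT` entries per source the way a log-watching tool would see them. The sample lines, the addresses, `ALLOWED_TCP_PORTS` and the `threshold` value are assumptions made for illustration; the thread does not give the actual OSSEC threshold.

```python
import re
from collections import defaultdict

# Subset of the TCP ports the thread's ASL-Firewall-INPUT chain accepts (assumed list).
ALLOWED_TCP_PORTS = {22, 25, 80, 443, 587, 30000}
TCP_FLAGS = {"SYN", "ACK", "FIN", "RST", "PSH", "URG"}
LOG_RE = re.compile(r"kernel: (?P<prefix>[A-Z_]+) (?P<body>IN=.*)$")

# Constructed sample lines in the format quoted in the thread (documentation IPs).
SAMPLE_LOG = """\
Apr 16 12:07:48 server7 kernel: DROP_ASL_INPUT IN=eth0 OUT= MAC=(redacted) SRC=192.0.2.10 DST=198.51.100.5 LEN=40 TOS=0x00 PREC=0x00 TTL=58 ID=37088 DF PROTO=TCP SPT=62996 DPT=30000 SEQ=4005276762 ACK=0 WINDOW=0 RES=0x00 RST URGP=0
Apr 16 12:07:49 server7 kernel: DROP_ASL_INPUT IN=eth0 OUT= MAC=(redacted) SRC=192.0.2.10 DST=198.51.100.5 LEN=40 TOS=0x00 PREC=0x00 TTL=58 ID=37089 DF PROTO=TCP SPT=62997 DPT=30000 SEQ=4005276999 ACK=0 WINDOW=0 RES=0x00 RST URGP=0
Apr 16 12:07:51 server7 kernel: DROP_ASL_INPUT IN=eth0 OUT= MAC=(redacted) SRC=192.0.2.10 DST=198.51.100.5 LEN=40 TOS=0x00 PREC=0x00 TTL=58 ID=37090 DF PROTO=TCP SPT=62998 DPT=587 SEQ=4005277100 ACK=0 WINDOW=0 RES=0x00 RST URGP=0
Apr 16 12:08:02 server7 kernel: DROP_ASL_INPUT IN=eth0 OUT= MAC=(redacted) SRC=203.0.113.7 DST=198.51.100.5 LEN=60 TOS=0x00 PREC=0x00 TTL=49 ID=5121 DF PROTO=TCP SPT=40112 DPT=23 SEQ=1111 ACK=0 WINDOW=29200 RES=0x00 SYN URGP=0
Apr 16 12:08:03 server7 kernel: DROP_ASL_INPUT IN=eth0 OUT= MAC=(redacted) SRC=203.0.113.7 DST=198.51.100.5 LEN=60 TOS=0x00 PREC=0x00 TTL=49 ID=5122 DF PROTO=TCP SPT=40113 DPT=3389 SEQ=2222 ACK=0 WINDOW=29200 RES=0x00 SYN URGP=0
Apr 16 12:08:04 server7 kernel: DROP_ASL_INPUT IN=eth0 OUT= MAC=(redacted) SRC=203.0.113.7 DST=198.51.100.5 LEN=60 TOS=0x00 PREC=0x00 TTL=49 ID=5123 DF PROTO=TCP SPT=40114 DPT=5900 SEQ=3333 ACK=0 WINDOW=29200 RES=0x00 SYN URGP=0
"""


def parse_line(line):
    """Split one netfilter LOG line into key=value fields and bare TCP flag tokens."""
    m = LOG_RE.search(line)
    if not m:
        return None
    fields, flags = {}, set()
    for tok in m.group("body").split():
        if "=" in tok:              # e.g. SRC=..., ACK=<ack number>, URGP=0
            key, value = tok.split("=", 1)
            fields[key] = value
        elif tok in TCP_FLAGS:      # bare tokens such as RST or SYN are the flags
            flags.add(tok)
    dpt = fields.get("DPT", "")
    return {
        "prefix": m.group("prefix"),
        "src": fields.get("SRC"),
        "proto": fields.get("PROTO"),
        "dpt": int(dpt) if dpt.isdigit() else None,
        "flags": flags,
    }


def classify(rec):
    """Label a dropped packet by why it most likely fell through to LOG/DROP."""
    if rec["proto"] != "TCP" or rec["dpt"] is None:
        return "other"
    opens_connection = "SYN" in rec["flags"] and "ACK" not in rec["flags"]
    teardown = bool(rec["flags"] & {"RST", "FIN"}) and "SYN" not in rec["flags"]
    if rec["dpt"] in ALLOWED_TCP_PORTS and teardown:
        # RELATED,ESTABLISHED did not match, and a RST/FIN cannot start a new
        # tracked connection, so the "state NEW" ACCEPT rules did not match either.
        return "stale-connection"
    if rec["dpt"] not in ALLOWED_TCP_PORTS and opens_connection:
        return "blocked-port"
    return "other"


def summarize(log_text, threshold=3):
    """Count DROP_ASL_INPUT entries per source; threshold is a hypothetical value."""
    per_src = defaultdict(lambda: {"total": 0, "stale-connection": 0,
                                   "blocked-port": 0, "other": 0})
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["prefix"] != "DROP_ASL_INPUT":
            continue
        per_src[rec["src"]]["total"] += 1
        per_src[rec["src"]][classify(rec)] += 1
    return {
        src: {**s,
              "trips_threshold": s["total"] >= threshold,
              "only_stale": s["stale-connection"] == s["total"]}
        for src, s in per_src.items()
    }


if __name__ == "__main__":
    for src, stats in summarize(SAMPLE_LOG).items():
        print(src, stats)
```

A source that trips the threshold with `only_stale` set has never been refused a new connection; every logged drop is a teardown packet to a port that is open.
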
biggles
Forum Regular
Posts: 806
Joined: Tue Jul 15, 2008 2:38 pm
Location: Sweden

Thanks a lot for your reply, faris! Very much appreciated!

FW_DROP_INVALID=yes
FW_DROP_INVALID_LOG=no

I'm seeing quite a lot of

Code:

Apr 16 12:07:48 server7 kernel: DROP_ASL_INPUT IN=eth0 OUT= MAC=(redacted) SRC=MyIP DST=serverIP LEN=40 TOS=0x00 PREC=0x00 TTL=58 ID=37088 DF PROTO=TCP SPT=62996 DPT=30000 SEQ=4005276762 ACK=0 WINDOW=0 RES=0x00 RST URGP=0
biggles
Forum Regular
Posts: 806
Joined: Tue Jul 15, 2008 2:38 pm
Location: Sweden

iptables -L Chain ASL-Firewall-INPUT

Code:

Chain ASL-Firewall-INPUT (1 references)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere
ACCEPT     icmp --  anywhere             anywhere            icmp any
ACCEPT     esp  --  anywhere             anywhere
ACCEPT     ah   --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:ftp-data
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:ftp
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:ssh
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:smtp
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:domain
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:http
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:https
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:smtps
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:pop3
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:imap
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:imaps
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:pop3s
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:submission
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:pcsync-https
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:10050
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:snmp
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:30000
ACCEPT     udp  --  anywhere             anywhere            state NEW udp dpt:domain
ACCEPT     udp  --  anywhere             anywhere            state NEW udp dpt:ntp
LOG        all  --  anywhere             anywhere            limit: avg 1/sec burst 5 LOG level info tcp-sequence tcp-options ip-options prefix `DROP_ASL_INPUT '
DROP       all  --  anywhere             anywhere
faris
Long Time Forum Regular
Posts: 2321
Joined: Thu Dec 09, 2004 11:19 am

Well I'm afraid I don't understand it.

I'll hand back to Scott/Mike :-)
mikeshinn
Atomicorp Staff - Site Admin
Posts: 4149
Joined: Thu Feb 07, 2008 7:49 pm
Location: Chantilly, VA

Please post the output of all the running rules:

iptables -L -n
biggles
Forum Regular
Posts: 806
Joined: Tue Jul 15, 2008 2:38 pm
Location: Sweden

sure!

Code:

Chain INPUT (policy ACCEPT)
target     prot opt source               destination
ASL-ACTIVE-RESPONSE  all  --  85.165.223.148       0.0.0.0/0
ASL-ACTIVE-RESPONSE  all  --  66.150.223.24        0.0.0.0/0
ASL-GEO-BLACKLIST  all  --  0.0.0.0/0            0.0.0.0/0
ASL-BLACKLIST  all  --  0.0.0.0/0            0.0.0.0/0
ASL-BADPACKETS  tcp  --  0.0.0.0/0            0.0.0.0/0           tcp option=128
ASL-BADPACKETS  tcp  --  0.0.0.0/0            0.0.0.0/0           tcp option=64
ASL-PORTSCAN  tcp  --  0.0.0.0/0            0.0.0.0/0           tcp flags:0x3F/0x37
ASL-PORTSCAN  tcp  --  0.0.0.0/0            0.0.0.0/0           tcp flags:0x3F/0x2B
ASL-PORTSCAN  tcp  --  0.0.0.0/0            0.0.0.0/0           tcp flags:0x3F/0x29
ASL-PORTSCAN  tcp  --  0.0.0.0/0            0.0.0.0/0           tcp flags:0x3F/0x1A
ASL-PORTSCAN  tcp  --  0.0.0.0/0            0.0.0.0/0           tcp flags:0x3F/0x0A
ASL-PORTSCAN  tcp  --  0.0.0.0/0            0.0.0.0/0           tcp flags:0x3F/0x0D
ASL-PORTSCAN  tcp  --  0.0.0.0/0            0.0.0.0/0           tcp flags:0x3F/0x1C
ASL-PORTSCAN  tcp  --  0.0.0.0/0            0.0.0.0/0           tcp flags:0x3F/0x03
ASL-PORTSCAN  tcp  --  0.0.0.0/0            0.0.0.0/0           tcp flags:0x3F/0x00
ASL-PORTSCAN  tcp  --  0.0.0.0/0            0.0.0.0/0           tcp flags:0x3F/0x3F
ASL-PORTSCAN  tcp  --  0.0.0.0/0            0.0.0.0/0           tcp flags:0x3F/0x3F
ASL-PORTSCAN  tcp  --  0.0.0.0/0            0.0.0.0/0           tcp flags:0x3F/0x00
ASL-PORTSCAN  tcp  --  0.0.0.0/0            0.0.0.0/0           tcp flags:0x3F/0x01
ASL-PORTSCAN  tcp  --  0.0.0.0/0            0.0.0.0/0           tcp flags:0x3F/0x29
ASL-PORTSCAN  tcp  --  0.0.0.0/0            0.0.0.0/0           tcp flags:0x29/0x29
ASL-PORTSCAN  tcp  --  0.0.0.0/0            0.0.0.0/0           tcp flags:0x22/0x22
ASL-PORTSCAN  tcp  --  0.0.0.0/0            0.0.0.0/0           tcp flags:0x11/0x01
ASL-PORTSCAN  tcp  --  0.0.0.0/0            0.0.0.0/0           tcp flags:0x18/0x08
ASL-PORTSCAN  tcp  --  0.0.0.0/0            0.0.0.0/0           tcp flags:0x06/0x06
ASL-PORTSCAN  tcp  --  0.0.0.0/0            0.0.0.0/0           tcp flags:0x05/0x05
ASL-PORTSCAN  tcp  --  0.0.0.0/0            0.0.0.0/0           tcp flags:0x03/0x03
DROP       all  --  0.0.0.0/0            0.0.0.0/0           state INVALID
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:30000 state NEW
ASL-TORTIXD-ACL  tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:30000 state NEW
ASL-Firewall-INPUT  all  --  0.0.0.0/0            0.0.0.0/0

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
DROP       all  --  0.0.0.0/0            0.0.0.0/0           state INVALID

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
DROP       all  --  0.0.0.0/0            0.0.0.0/0           state INVALID
ASL-PLESK-UPDATES  tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:5224 state NEW
ASL-UPDATES  tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:443 state NEW
ASL-SPAMASSASSIN-UPDATES  all  --  0.0.0.0/0            0.0.0.0/0
ASL-Firewall-OUTPUT  all  --  0.0.0.0/0            0.0.0.0/0

Chain ASL-ACTIVE-RESPONSE (2 references)
target     prot opt source               destination
DROP       all  --  0.0.0.0/0            0.0.0.0/0

Chain ASL-BADPACKETS (2 references)
target     prot opt source               destination
LOG        all  --  0.0.0.0/0            0.0.0.0/0           limit: avg 1/sec burst 5 LOG flags 7 level 6 prefix `ASL_BADPACKET '
DROP       all  --  0.0.0.0/0            0.0.0.0/0

Chain ASL-BLACKLIST (1 references)
target     prot opt source               destination
ASL-BLACKLIST-DROP-LOG  all  --  219.240.36.108       0.0.0.0/0
ASL-BLACKLIST-DROP-LOG  all  --  213.89.132.77        0.0.0.0/0
ASL-BLACKLIST-DROP-LOG  all  --  204.12.241.132       0.0.0.0/0
ASL-BLACKLIST-DROP-LOG  all  --  200.111.168.170      0.0.0.0/0
ASL-BLACKLIST-DROP-LOG  all  --  198.27.76.89         0.0.0.0/0
ASL-BLACKLIST-DROP-LOG  all  --  198.24.149.216       0.0.0.0/0
ASL-BLACKLIST-DROP-LOG  all  --  198.24.149.213       0.0.0.0/0
ASL-BLACKLIST-DROP-LOG  all  --  190.103.198.3        0.0.0.0/0
ASL-BLACKLIST-DROP-LOG  all  --  190.2.58.88          0.0.0.0/0
ASL-BLACKLIST-DROP-LOG  all  --  174.131.25.137       0.0.0.0/0
ASL-BLACKLIST-DROP-LOG  all  --  173.212.192.0/18     0.0.0.0/0
ASL-BLACKLIST-DROP-LOG  all  --  142.0.40.0/25        0.0.0.0/0
ASL-BLACKLIST-DROP-LOG  all  --  96.9.173.62          0.0.0.0/0
ASL-BLACKLIST-DROP-LOG  all  --  96.9.173.48          0.0.0.0/0
ASL-BLACKLIST-DROP-LOG  all  --  96.9.173.14          0.0.0.0/0
ASL-BLACKLIST-DROP-LOG  all  --  96.9.149.0/24        0.0.0.0/0
ASL-BLACKLIST-DROP-LOG  all  --  89.178.129.100       0.0.0.0/0
ASL-BLACKLIST-DROP-LOG  all  --  89.148.25.0/24       0.0.0.0/0
ASL-BLACKLIST-DROP-LOG  all  --  89.111.65.0/24       0.0.0.0/0
ASL-BLACKLIST-DROP-LOG  all  --  85.95.238.0/24       0.0.0.0/0
ASL-BLACKLIST-DROP-LOG  all  --  66.197.227.170       0.0.0.0/0
ASL-BLACKLIST-DROP-LOG  all  --  64.191.99.74         0.0.0.0/0
ASL-BLACKLIST-DROP-LOG  all  --  61.147.110.68        0.0.0.0/0

Chain ASL-BLACKLIST-DROP-LOG (23 references)
target     prot opt source               destination
LOG        all  --  0.0.0.0/0            0.0.0.0/0           limit: avg 10/min burst 2 LOG flags 7 level 6 prefix `ASL_BLACKLIST_BLOCK '
DROP       all  --  0.0.0.0/0            0.0.0.0/0

Chain ASL-Firewall-INPUT (1 references)
target     prot opt source               destination
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0
ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0           icmp type 255
ACCEPT     esp  --  0.0.0.0/0            0.0.0.0/0
ACCEPT     ah   --  0.0.0.0/0            0.0.0.0/0
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:20
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:21
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:22
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:25
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:53
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:80
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:443
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:465
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:110
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:143
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:993
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:995
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:587
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:8443
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:10050
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:161
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:30000
ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0           state NEW udp dpt:53
ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0           state NEW udp dpt:123
LOG        all  --  0.0.0.0/0            0.0.0.0/0           limit: avg 1/sec burst 5 LOG flags 7 level 6 prefix `DROP_ASL_INPUT '
DROP       all  --  0.0.0.0/0            0.0.0.0/0

Chain ASL-Firewall-OUTPUT (1 references)
target     prot opt source               destination
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:22
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:25
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:80
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:443
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:465
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:123
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:53
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:10051
ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0           state NEW udp dpt:53
ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0           state NEW udp dpt:123
LOG        all  --  0.0.0.0/0            0.0.0.0/0           limit: avg 1/sec burst 5 LOG flags 15 level 6 prefix `ASL_OUTPUT '
REJECT     tcp  --  0.0.0.0/0            0.0.0.0/0           reject-with tcp-reset
REJECT     udp  --  0.0.0.0/0            0.0.0.0/0           reject-with icmp-host-prohibited

Chain ASL-GEO-BLACKLIST (1 references)
target     prot opt source               destination
ASL-GEO-BLACKLIST-DROP-LOG  all  --  95.84.64.0/18        0.0.0.0/0
ASL-GEO-BLACKLIST-DROP-LOG  all  --  94.79.192.0/18       0.0.0.0/0
ASL-GEO-BLACKLIST-DROP-LOG  all  --  94.76.0.0/18         0.0.0.0/0
ASL-GEO-BLACKLIST-DROP-LOG  all  --  93.95.24.0/21        0.0.0.0/0
ASL-GEO-BLACKLIST-DROP-LOG  all  --  93.188.192.0/21      0.0.0.0/0
ASL-GEO-BLACKLIST-DROP-LOG  all  --  91.185.207.224/29    0.0.0.0/0
ASL-GEO-BLACKLIST-DROP-LOG  all  --  89.31.192.0/21       0.0.0.0/0
ASL-GEO-BLACKLIST-DROP-LOG  all  --  89.190.128.0/19      0.0.0.0/0
ASL-GEO-BLACKLIST-DROP-LOG  all  --  89.148.0.0/18        0.0.0.0/0
ASL-GEO-BLACKLIST-DROP-LOG  all  --  88.202.109.32/28     0.0.0.0/0
ASL-GEO-BLACKLIST-DROP-LOG  all  --  88.201.0.0/17        0.0.0.0/0
ASL-GEO-BLACKLIST-DROP-LOG  all  --  87.252.96.0/22       0.0.0.0/0
ASL-GEO-BLACKLIST-DROP-LOG  all  --  87.252.126.0/24      0.0.0.0/0
ASL-GEO-BLACKLIST-DROP-LOG  all  --  87.252.105.208/28    0.0.0.0/0
ASL-GEO-BLACKLIST-DROP-LOG  all  --  87.252.104.208/28    0.0.0.0/0
ASL-GEO-BLACKLIST-DROP-LOG  all  --  87.237.192.0/21      0.0.0.0/0
ASL-GEO-BLACKLIST-DROP-LOG  all  --  87.236.48.0/21       0.0.0.0/0
ASL-GEO-BLACKLIST-DROP-LOG  all  --  87.236.136.0/21      0.0.0.0/0
ASL-GEO-BLACKLIST-DROP-LOG  all  --  85.158.128.0/21      0.0.0.0/0
ASL-GEO-BLACKLIST-DROP-LOG  all  --  84.255.128.0/18      0.0.0.0/0
ASL-GEO-BLACKLIST-DROP-LOG  all  --  84.235.96.0/21       0.0.0.0/0
ASL-GEO-BLACKLIST-DROP-LOG  all  --  83.136.56.0/21       0.0.0.0/0
ASL-GEO-BLACKLIST-DROP-LOG  all  --  82.206.128.232/29    0.0.0.0/0
ASL-GEO-BLACKLIST-DROP-LOG  all  --  82.194.32.0/19       0.0.0.0/0
ASL-GEO-BLACKLIST-DROP-LOG  all  --  81.22.16.0/20        0.0.0.0/0
ASL-GEO-BLACKLIST-DROP-LOG  all  --  80.95.208.0/20       0.0.0.0/0
ASL-GEO-BLACKLIST-DROP-LOG  all  --  80.88.240.0/20       0.0.0.0/0
ASL-GEO-BLACKLIST-DROP-LOG  all  --  80.241.144.0/20      0.0.0.0/0
ASL-GEO-BLACKLIST-DROP-LOG  all  --  80.231.26.0/23       0.0.0.0/0
ASL-GEO-BLACKLIST-DROP-LOG  all  --  80.231.194.32/27     0.0.0.0/0
ASL-GEO-BLACKLIST-DROP-LOG  all  --  79.99.88.0/21        0.0.0.0/0
ASL-GEO-BLACKLIST-DROP-LOG  all  --  79.171.240.0/21      0.0.0.0/0
ASL-GEO-BLACKLIST-DROP-LOG  all  --  79.142.176.0/20      0.0.0.0/0
ASL-GEO-BLACKLIST-DROP-LOG  all  --  78.110.64.0/20       0.0.0.0/0
ASL-GEO-BLACKLIST-DROP-LOG  all  --  77.92.160.0/19       0.0.0.0/0
ASL-GEO-BLACKLIST-DROP-LOG  all  --  77.69.128.0/17       0.0.0.0/0
ASL-GEO-BLACKLIST-DROP-LOG  all  --  62.209.0.0/19        0.0.0.0/0
ASL-GEO-BLACKLIST-DROP-LOG  all  --  5.225.29.0/24        0.0.0.0/0
ASL-GEO-BLACKLIST-DROP-LOG  all  --  5.224.29.0/24        0.0.0.0/0
ASL-GEO-BLACKLIST-DROP-LOG  all  --  5.1.42.0/24          0.0.0.0/0
ASL-GEO-BLACKLIST-DROP-LOG  all  --  5.132.29.0/24        0.0.0.0/0
ASL-GEO-BLACKLIST-DROP-LOG  all  --  5.10.116.60/30       0.0.0.0/0
ASL-GEO-BLACKLIST-DROP-LOG  all  --  5.10.114.156         0.0.0.0/0
ASL-GEO-BLACKLIST-DROP-LOG  all  --  46.42.64.0/18        0.0.0.0/0
ASL-GEO-BLACKLIST-DROP-LOG  all  --  46.36.197.131        0.0.0.0/0
ASL-GEO-BLACKLIST-DROP-LOG  all  --  46.235.208.0/21      0.0.0.0/0
ASL-GEO-BLACKLIST-DROP-LOG  all  --  46.184.128.0/17      0.0.0.0/0
ASL-GEO-BLACKLIST-DROP-LOG  all  --  46.136.91.0/24       0.0.0.0/0
ASL-GEO-BLACKLIST-DROP-LOG  all  --  46.136.167.0/24      0.0.0.0/0
ASL-GEO-BLACKLIST-DROP-LOG  all  --  46.136.15.0/24       0.0.0.0/0
ASL-GEO-BLACKLIST-DROP-LOG  all  --  37.223.20.0/24       0.0.0.0/0
ASL-GEO-BLACKLIST-DROP-LOG  all  --  37.222.29.0/24       0.0.0.0/0
ASL-GEO-BLACKLIST-DROP-LOG  all  --  37.131.0.0/17        0.0.0.0/0
ASL-GEO-BLACKLIST-DROP-LOG  all  --  31.47.95.80/29       0.0.0.0/0
ASL-GEO-BLACKLIST-DROP-LOG  all  --  31.47.95.64/29       0.0.0.0/0
ASL-GEO-BLACKLIST-DROP-LOG  all  --  31.47.95.48/29       0.0.0.0/0
ASL-GEO-BLACKLIST-DROP-LOG  all  --  31.47.95.0/27        0.0.0.0/0
ASL-GEO-BLACKLIST-DROP-LOG  all  --  31.47.91.128/25      0.0.0.0/0
ASL-GEO-BLACKLIST-DROP-LOG  all  --  31.47.90.0/24        0.0.0.0/0
ASL-GEO-BLACKLIST-DROP-LOG  all  --  31.47.89.0/27        0.0.0.0/0
ASL-GEO-BLACKLIST-DROP-LOG  all  --  31.47.88.64/26       0.0.0.0/0
ASL-GEO-BLACKLIST-DROP-LOG  all  --  31.47.88.32/28       0.0.0.0/0
ASL-GEO-BLACKLIST-DROP-LOG  all  --  217.17.224.0/19      0.0.0.0/0
ASL-GEO-BLACKLIST-DROP-LOG  all  --  212.63.176.56        0.0.0.0/0
ASL-GEO-BLACKLIST-DROP-LOG  all  --  212.63.170.212/30    0.0.0.0/0
ASL-GEO-BLACKLIST-DROP-LOG  all  --  195.82.138.0/23      0.0.0.0/0
ASL-GEO-BLACKLIST-DROP-LOG  all  --  195.219.28.0/27      0.0.0.0/0
ASL-GEO-BLACKLIST-DROP-LOG  all  --  195.112.160.252/30   0.0.0.0/0
ASL-GEO-BLACKLIST-DROP-LOG  all  --  194.117.122.63       0.0.0.0/0
ASL-GEO-BLACKLIST-DROP-LOG  all  --  193.188.96.0/19      0.0.0.0/0
ASL-GEO-BLACKLIST-DROP-LOG  all  --  193.188.12.0/23      0.0.0.0/0
ASL-GEO-BLACKLIST-DROP-LOG  all  --  188.137.128.0/17     0.0.0.0/0
ASL-GEO-BLACKLIST-DROP-LOG  all  --  188.116.192.0/18     0.0.0.0/0
ASL-GEO-BLACKLIST-DROP-LOG  all  --  185.7.8.0/22         0.0.0.0/0
ASL-GEO-BLACKLIST-DROP-LOG  all  --  185.3.120.0/22       0.0.0.0/0
ASL-GEO-BLACKLIST-DROP-LOG  all  --  185.23.124.0/22      0.0.0.0/0
ASL-GEO-BLACKLIST-DROP-LOG  all  --  178.79.255.0/24      0.0.0.0/0
ASL-GEO-BLACKLIST-DROP-LOG  all  --  178.237.48.0/20      0.0.0.0/0
ASL-GEO-BLACKLIST-DROP-LOG  all  --  178.170.5.0/26       0.0.0.0/0
ASL-GEO-BLACKLIST-DROP-LOG  all  --  178.132.32.0/20      0.0.0.0/0
ASL-GEO-BLACKLIST-DROP-LOG  all  --  176.241.176.0/21     0.0.0.0/0
ASL-GEO-BLACKLIST-DROP-LOG  all  --  171.33.240.0/21      0.0.0.0/0
ASL-GEO-BLACKLIST-DROP-LOG  all  --  159.253.137.152/29   0.0.0.0/0
ASL-GEO-BLACKLIST-DROP-LOG  all  --  159.253.136.252      0.0.0.0/0
ASL-GEO-BLACKLIST-DROP-LOG  all  --  159.253.134.254      0.0.0.0/0
ASL-GEO-BLACKLIST-DROP-LOG  all  --  109.63.0.0/17        0.0.0.0/0
ASL-GEO-BLACKLIST-DROP-LOG  all  --  109.161.128.0/17     0.0.0.0/0

Chain ASL-GEO-BLACKLIST-DROP-LOG (87 references)
target     prot opt source               destination
LOG        all  --  0.0.0.0/0            0.0.0.0/0           limit: avg 10/min burst 2 LOG flags 7 level 6 prefix `ASL_GEO_BLOCK '
DROP       all  --  0.0.0.0/0            0.0.0.0/0

Chain ASL-PLESK-UPDATES (1 references)
target     prot opt source               destination
ACCEPT     tcp  --  0.0.0.0/0            77.245.23.80        tcp dpt:5224 state NEW

Chain ASL-PORTSCAN (21 references)
target     prot opt source               destination
LOG        all  --  0.0.0.0/0            0.0.0.0/0           limit: avg 1/sec burst 5 LOG flags 7 level 6 prefix `DROP_ASL_PORTSCAN '
DROP       all  --  0.0.0.0/0            0.0.0.0/0

Chain ASL-SPAMASSASSIN-UPDATES (1 references)
target     prot opt source               destination
ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0           udp dpt:24441 state NEW
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:24441 state NEW
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:2703 state NEW
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:7 state NEW
ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0           udp dpt:6277 state NEW
ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0           udp spt:6277 state NEW

Chain ASL-TORTIXD-ACL (1 references)
target     prot opt source               destination

Chain ASL-UPDATES (1 references)
target     prot opt source               destination
ACCEPT     tcp  --  0.0.0.0/0            80.82.124.228       tcp dpt:443 state NEW
ACCEPT     tcp  --  0.0.0.0/0            69.20.6.166         tcp dpt:443 state NEW
ACCEPT     tcp  --  0.0.0.0/0            74.208.195.110      tcp dpt:443 state NEW
ACCEPT     tcp  --  0.0.0.0/0            208.68.233.251      tcp dpt:443 state NEW
ACCEPT     tcp  --  0.0.0.0/0            74.208.112.216      tcp dpt:443 state NEW
ACCEPT     tcp  --  0.0.0.0/0            74.208.166.51       tcp dpt:443 state NEW
ACCEPT     tcp  --  0.0.0.0/0            198.71.51.132       tcp dpt:443 state NEW