Can you help analyse a TCP packet?

Hi folks!

I found some packets like the following in syslog:

Mon Nov  1 16:17:27 2021 kern.warn kernel: [   15.119056] REJECT wan in: IN=eth0 OUT= MAC=02:ba:52:82:14:c0:60:14:66:5a:b1:b1:08:00 SRC=44.228.106.27 DST=192.168.0.171 LEN=145 TOS=0x00 PREC=0x00 TTL=217 ID=27163 DF PROTO=TCP SPT=443 DPT=59482 WINDOW=120 RES=0x00 ACK PSH FIN URGP=

The OpenWrt device is behind my ISP router. How can such a packet get past the ISP router's firewall? Any clue what that packet is?

Probably because most cheap low-quality firewalls only handle port numbers up to about 1024 or 2048. DPT is the destination port and that is 59482; usually there are network communication ports in that range that can, if active, be exploited.
In these low-quality firewalls every DPT above 1024 or 2048 is freely sent through.

But our FW3 isn't a low-quality firewall and blocks all 65000+ (16-bit addressable) TCP and UDP ports.

These online network port scanners scan specific registered communication ports like 22, 80, 443, 1194 and so on, plus some random ports above 2048, to see what is returned and to learn the quality of the firewall.
If an open port is discovered, then the brute-force intrusion or DoS attacks usually come as stage two on that specific port on that specific device.

Thank you @flygarn12 for clarifying. Good to have the OpenWrt router in front of the clients :slight_smile:

Looks like a reply sent from the web server to the client behind the router.
It hits the reject target due to a possible transmission error for an incorrectly terminated connection, or a NAT traversal problem related to conntrack timeout/overflow.
This is a minor issue which may happen from time to time, but there's nothing to worry about unless it starts happening on each connection.

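
A small parser for the netfilter log format shown in the original post, added here as an example (it is not code from the thread or from OpenWrt), that separates a late server reply like the one above (SPT=443, ACK/FIN set, high destination port, which the reply above attributes to an expired or overflowed conntrack entry) from an unsolicited inbound SYN. The second log line and the 32768 ephemeral-port threshold are constructed assumptions; the empty `OUT=` and `URGP=` fields are handled as logged.

```python
import re

# Constructed sample: the REJECT line from the thread (URGP= is empty there, as
# logged) plus one constructed inbound SYN to the same high port for comparison.
SAMPLE_LOG = (
    "Mon Nov  1 16:17:27 2021 kern.warn kernel: [   15.119056] REJECT wan in: "
    "IN=eth0 OUT= MAC=02:ba:52:82:14:c0:60:14:66:5a:b1:b1:08:00 SRC=44.228.106.27 "
    "DST=192.168.0.171 LEN=145 TOS=0x00 PREC=0x00 TTL=217 ID=27163 DF PROTO=TCP "
    "SPT=443 DPT=59482 WINDOW=120 RES=0x00 ACK PSH FIN URGP=\n"
    "Mon Nov  1 16:20:01 2021 kern.warn kernel: [  169.000001] REJECT wan in: "
    "IN=eth0 OUT= MAC=02:ba:52:82:14:c0:60:14:66:5a:b1:b1:08:00 SRC=203.0.113.9 "
    "DST=192.168.0.171 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=1 DF PROTO=TCP "
    "SPT=40000 DPT=59482 WINDOW=64240 RES=0x00 SYN URGP=0\n"
)

TCP_FLAGS = {"SYN", "ACK", "PSH", "FIN", "RST", "URG"}
EPHEMERAL_MIN = 32768  # assumed start of the client's ephemeral port range


def parse_netfilter_log(line):
    """Turn one netfilter/iptables log line into a dict of fields plus TCP flags."""
    fields = dict(re.findall(r"(\w+)=(\S*)", line))  # OUT= and URGP= yield ""
    fields["FLAGS"] = {tok for tok in line.split() if tok in TCP_FLAGS}
    m = re.search(r"\]\s+(.*?):\s+IN=", line)  # log prefix, e.g. "REJECT wan in"
    fields["PREFIX"] = m.group(1) if m else ""
    return fields


def classify(fields):
    """Distinguish a late reply to our own connection from an unsolicited attempt."""
    if fields.get("PROTO") != "TCP":
        return "non-tcp"
    spt, dpt, flags = int(fields["SPT"]), int(fields["DPT"]), fields["FLAGS"]
    if "SYN" in flags and "ACK" not in flags:
        return "unsolicited-connection-attempt"  # nobody inside asked for this
    if "ACK" in flags and spt < 1024 and dpt >= EPHEMERAL_MIN:
        return "late-reply-from-server"  # server port -> client ephemeral port
    return "other"


def analyse(text):
    """Return (SRC, SPT, DPT, sorted flags, verdict) for each log line in text."""
    out = []
    for line in text.splitlines():
        f = parse_netfilter_log(line)
        out.append((f["SRC"], int(f["SPT"]), int(f["DPT"]), sorted(f["FLAGS"]), classify(f)))
    return out
```

A run of `late-reply-from-server` verdicts on every connection, rather than an occasional one, is the signal the reply above says would be worth investigating.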
Is it obvious from the log if it is a request or a response?

Yep, otherwise it would not be able to traverse NAT on the ISP router.
The outer conntrack allows it to pass through as part of an established connection.

Thank you all for your inputs!
