Using banIP on OpenWRT 24.10.1 on a Flint2 router with modem in bridge mode, I see many incoming requests that the firewall rejects. Here is a sampling:
Fri Jun 13 14:53:21 2025 kern.warn kernel: [53643.399926] banIP/pre-ct/drop: IN=eth1 OUT= MAC=xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx SRC=83.222.190.82 DST=xxx.xxx.xxx.xxx LEN=40 TOS=0x00 PREC=0x00 TTL=245 ID=41241 PROTO=TCP SPT=40674 DPT=24000 WINDOW=1200 RES=0x00 RST URGP=0
Fri Jun 13 14:53:35 2025 kern.warn kernel: [53658.074156] banIP/pre-ct/drop: IN=eth1 OUT= MAC=xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx SRC=106.75.139.161 DST=xxx.xxx.xxx.xxx LEN=44 TOS=0x00 PREC=0x00 TTL=239 ID=25209 PROTO=TCP SPT=58914 DPT=3689 WINDOW=1200 RES=0x00 RST URGP=0
Fri Jun 13 14:54:33 2025 kern.warn kernel: [53715.703253] banIP/pre-ct/drop: IN=eth1 OUT= MAC=xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx SRC=45.144.212.221 DST=xxx.xxx.xxx.xxx LEN=40 TOS=0x00 PREC=0x00 TTL=236 ID=56231 PROTO=TCP SPT=56383 DPT=2222 WINDOW=1200 RES=0x00 RST URGP=0
These occur every few seconds from many different IPs from all over the world. I believe it is the cinsscore firewall chain in banIP that is catching these.
Any idea on what these are and how I could better configure my firewall to protect against them? I'm not sure if these are just zombie attacks or if they are a threat.
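As an added example (it is not part of the original post and not code from the banIP project), here is a small POSIX shell/awk summariser for the key=value netfilter log format shown above. In that format the bare uppercase tokens after RES= are the TCP flags of the dropped packet; all three lines in the post carry only RST, so grouping by protocol/port and flags makes it easy to see whether a burst is made up of connection attempts (SYN) or of stray resets. The first three sample lines are copied from the post; the fourth (a SYN to port 22 from the documentation address 198.51.100.7) is constructed so the flag column has something to separate. On the router the same functions can be fed from `logread -e banIP` instead of the embedded sample.

```shell
#!/bin/sh
# Summarise banIP drop log lines (nftables/netfilter key=value format).
# Added example, not from the original post or the banIP project.

# Constructed sample: lines 1-3 are taken from the post, line 4 is made up
# (SYN to port 22 from 198.51.100.7) to exercise the flag extraction.
SAMPLE_LOG=$(cat <<'EOF'
Fri Jun 13 14:53:21 2025 kern.warn kernel: [53643.399926] banIP/pre-ct/drop: IN=eth1 OUT= MAC=xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx SRC=83.222.190.82 DST=xxx.xxx.xxx.xxx LEN=40 TOS=0x00 PREC=0x00 TTL=245 ID=41241 PROTO=TCP SPT=40674 DPT=24000 WINDOW=1200 RES=0x00 RST URGP=0
Fri Jun 13 14:53:35 2025 kern.warn kernel: [53658.074156] banIP/pre-ct/drop: IN=eth1 OUT= MAC=xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx SRC=106.75.139.161 DST=xxx.xxx.xxx.xxx LEN=44 TOS=0x00 PREC=0x00 TTL=239 ID=25209 PROTO=TCP SPT=58914 DPT=3689 WINDOW=1200 RES=0x00 RST URGP=0
Fri Jun 13 14:54:33 2025 kern.warn kernel: [53715.703253] banIP/pre-ct/drop: IN=eth1 OUT= MAC=xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx SRC=45.144.212.221 DST=xxx.xxx.xxx.xxx LEN=40 TOS=0x00 PREC=0x00 TTL=236 ID=56231 PROTO=TCP SPT=56383 DPT=2222 WINDOW=1200 RES=0x00 RST URGP=0
Fri Jun 13 14:55:02 2025 kern.warn kernel: [53744.000000] banIP/pre-ct/drop: IN=eth1 OUT= MAC=xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx SRC=198.51.100.7 DST=xxx.xxx.xxx.xxx LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=1 DF PROTO=TCP SPT=51000 DPT=22 WINDOW=64240 RES=0x00 SYN URGP=0
EOF
)

# summarize_drops: read log lines on stdin and print one line per
# "PROTO/DPT FLAGS" combination as "<count> <PROTO>/<DPT> <FLAGS> <src...>",
# most frequent first. Only lines logged by a banIP chain are considered.
summarize_drops() {
  grep 'banIP/' | awk '
  {
    src = ""; dpt = ""; proto = ""; flags = ""
    for (i = 1; i <= NF; i++) {
      if (index($i, "=")) {
        # key=value field: keep the ones we report on
        split($i, kv, "=")
        if (kv[1] == "SRC")        src = kv[2]
        else if (kv[1] == "DPT")   dpt = kv[2]
        else if (kv[1] == "PROTO") proto = kv[2]
      } else if ($i ~ /^(SYN|ACK|RST|FIN|PSH|URG|CWR|ECE)$/) {
        # bare TCP flag tokens follow RES= in the netfilter log format
        flags = (flags == "") ? $i : (flags "," $i)
      }
    }
    if (flags == "") flags = "-"
    key = proto "/" dpt " " flags
    count[key]++
    srcs[key] = srcs[key] " " src
  }
  END {
    for (k in count) printf "%d %s%s\n", count[k], k, srcs[k]
  }' | sort -rn
}

# unique_sources: number of distinct SRC addresses among the dropped lines
unique_sources() {
  grep 'banIP/' | sed -n 's/.*SRC=\([^ ]*\).*/\1/p' | sort -u | wc -l | tr -d ' '
}

# Stand-alone run over the embedded sample
printf '%s\n' "$SAMPLE_LOG" | summarize_drops
printf 'distinct sources: %s\n' "$(printf '%s\n' "$SAMPLE_LOG" | unique_sources)"
```

On a live router, `logread -e banIP | summarize_drops` gives the same table for everything banIP has logged since boot; a port that keeps showing up with SYN from many sources is worth checking against the services actually exposed on the WAN, while RST-only lines never open a connection regardless of the rule that drops them.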