Malicious site - mis-reporting or misunderstanding?
I am getting a lot of "Blocked malicious site X from accessing machine Y" messages on Firewalla Blue.
I am happy that it is blocking stuff, but I would like to understand why it is doing it. I suspect I am seeing these messages because they are valid and I do not understand them, but I am concerned that I have a poor network setup and the messages are really telling me that I could do better.
The network is one at home, with several machines connected, but I'll simplify and look at the worst affected one.
- I have a linux server running a service on 192.168.1.4:8080/service
- There is a second linux server running Apache2, listening on 192.168.1.8:443 and with a reverse-proxy to the first server at 192.168.1.8:443/service . I'm using Letsencrypt for the ssl.
- I have a fibre router providing my internet connection. This is set up
- - to port-forward traffic on 443 to the Apache server
- - to port-forward ssh on 22 to another system, and 1193 to Firewalla
- - to (as far as I can tell from the docs) not port-forward any other ports
- Firewalla is directly connected to the router, as designed
My limited understanding is that the router should be saying "not port 443/22/1193, so ignore the incoming connection". But Firwalla is reporting large numbers of "malicious site X was blocked from 192.168.1.4 on destination port 45902"
I thought the router would simply ignore that, due to the port not being forwarded, so it would never enter my network. I'm glad that Firewalla is stopping it, but I would like to know why it has to, and if I could stop it earlier.
Plus, I'd like to understand the method that a potential attack on a port my router is not forwarding could be destined to a machine behind a router firewall and proxy. (I'd understand it if it reported port 443 - that's being forwarded!)
If the alarm has "443,22,1193" in it, it is likely outsider trying to get into your system. The block is valid.
If you see something is accessing inside port that's outside of your range, it could be four possibilities
1. the port was open by UPnP
2. a bug in the UI
3. a bug in the accounting system, src and dst ports are reversed.
4. inside host is accessing site X of port 45902
If this happen again, send us a email, and give us support access, we can go inside and take a look
Please sign in to leave a comment.