DrayTek UK Users' Community Forum
Help, Advice and Solutions from DrayTek Users
Firewall syslog syntax - quick question?
- russhay
- Topic Author
- New Member
10 Feb 2022 10:43 #100582
by russhay
Firewall syslog syntax - quick question? was created by russhay
On a 2766 Vigor, I can see drops in the firewall log for DNS from a high port, but with no associated rule number. So if a firewall drop just shows '[Session]', what part of the firewall is dropping it? (Particularly as I allow outbound DNS.) I've checked https://draytek.co.uk/support/guides/kb-vigor-syslog-firewall and it doesn't explain it.
Jan 1 22:23:26 gateway DrayTek: [Firewall][Block][Session][192.168.1.253:38411->84.53.139.192:53]
So what's dropping DNS in this case? (The .253 address is on the internal LAN.) It's probably user error - I'll put my hand up to that in advance!
- admin3
- Site Admin
10 Feb 2022 11:40 #100584
by admin3
Forum Administrator
Replied by admin3 on topic Re: Firewall syslog syntax - quick question?
I think the guide's out of date or doesn't cover that, but it says Session, so that should be a session limit. But the router supports 50,000 sessions, so it should not be that? The quickest way to check is to go to [Firewall] > [General Setup] - Default Rule tab and see the session count there.
The random source port and defined destination port mean it's just an outgoing DNS request; maybe try recreating that in [Firewall] > [Diagnose] to see if that's allowed?
- johnpa7
- Junior Member
10 Feb 2022 12:13 #100586
by johnpa7
Replied by johnpa7 on topic Re: Firewall syslog syntax - quick question?
My understanding is that 84.53.139.192:53 has been blocked by a selection in your firewall setup. A whois check shows 84.53.139.192:53 is akamai.com, a cloud service used as a CDN (content delivery service). My limited understanding is that these are servers that cache web pages for various companies to speed up the loading of their pages. Do you use the CYREN app on the router?
- russhay
- Topic Author
- New Member
10 Feb 2022 14:40 #100587
by russhay
Replied by russhay on topic Re: Firewall syslog syntax - quick question?
Thanks guys, I'll check the max sessions info and will try the rule simulator. I don't use any of the content blocking services, so it's a case of finding out what this is; otherwise I will wipe the router and rebuild it, testing after each new rule - a process I'd prefer to avoid!
- russhay
- Topic Author
- New Member
10 Feb 2022 15:16 #100588
by russhay
Replied by russhay on topic Re: Firewall syslog syntax - quick question?
Okay, so I tracked it down - obvious in hindsight.
Under Bandwidth Management / IPv4, Default Max Sessions = 100 was ticked, which also explains why it was being dropped with [Session]. No doubt that was my error at some point!
Thanks for the pointers!
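As an added example (not from the thread or from DrayTek), the following script parses the `[Firewall][Block][Session][src:port->dst:port]` syslog lines quoted above and counts the `[Session]` drops per source host, so that a host hitting the per-host Max Sessions limit stands out instead of being mistaken for a rule-based block. The sample lines are constructed; the `[Placeholder]` reason tag is an invented value used only to show that non-Session blocks are ignored.

```python
import re
from collections import Counter

# Pattern for the DrayTek firewall syslog line format quoted in the thread:
#   [Firewall][Block][Session][192.168.1.253:38411->84.53.139.192:53]
# The third bracket is the reason. Per the thread, "Session" means the
# Bandwidth Management > Default Max Sessions limit, not a numbered rule.
FW_RE = re.compile(
    r"\[Firewall\]\[(?P<action>\w+)\]\[(?P<reason>[^\]]+)\]"
    r"\[(?P<src>\d{1,3}(?:\.\d{1,3}){3}):(?P<sport>\d+)->"
    r"(?P<dst>\d{1,3}(?:\.\d{1,3}){3}):(?P<dport>\d+)\]"
)


def parse_firewall_line(line):
    """Return a dict of fields for a [Firewall] line, or None if it is not one."""
    m = FW_RE.search(line)
    if not m:
        return None
    fields = m.groupdict()
    fields["sport"] = int(fields["sport"])
    fields["dport"] = int(fields["dport"])
    return fields


def session_block_report(lines, threshold=3):
    """Count [Block][Session] events per source host; return hosts at/over threshold."""
    counts = Counter()
    for line in lines:
        ev = parse_firewall_line(line)
        if ev and ev["action"] == "Block" and ev["reason"] == "Session":
            counts[ev["src"]] += 1
    return {src: n for src, n in counts.items() if n >= threshold}


# Constructed sample lines (not real traffic); [Placeholder] is an invented reason tag.
SAMPLE = """\
Jan 1 22:23:26 gateway DrayTek: [Firewall][Block][Session][192.168.1.253:38411->84.53.139.192:53]
Jan 1 22:23:27 gateway DrayTek: [Firewall][Block][Session][192.168.1.253:38412->84.53.139.192:53]
Jan 1 22:23:28 gateway DrayTek: [Firewall][Block][Session][192.168.1.253:38413->84.53.139.192:443]
Jan 1 22:23:29 gateway DrayTek: [Firewall][Block][Session][192.168.1.20:51000->84.53.139.192:53]
Jan 1 22:23:30 gateway DrayTek: [Firewall][Block][Placeholder][192.168.1.20:51001->203.0.113.9:23]
Jan 1 22:23:31 gateway DrayTek: some unrelated message
""".splitlines()

if __name__ == "__main__":
    for src, n in session_block_report(SAMPLE).items():
        print(f"{src}: {n} session-limit drops")
```

Feed it real syslog output from the router and lower or raise `threshold` to taste; a host that repeatedly shows up here is the one to check against the Max Sessions setting.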
Copyright © 2024 DrayTek