Meaning of Event Log Items

I have a series of these items:

Aug 06 12:57:22 Denied CONN=lan MAC= :08:00 SRC=10.159.11.20 DST=172.21.3.222 LEN=80 TOS=0x00 PREC=0x00 TTL=63 ID=19786 PROTO=UDP SPT=62104 DPT=54068 LEN=60 MARK=0x2

They come about every 15 minutes.

I understand many of the definitions of CONN, MAC, DST, LEN, etc., from the user manual. I don’t understand why I have the entries.

It seems to have something to do with my using Router-Block-Modem outbound firewall rules to block all private spaces, i.e., 10.0.0.0/8, 172.16.0.0/12, and 192.168.0.0/16. When I removed the firewall rules, I stopped getting “Denied CONN” entries.

Are these serious entries or are they simply something I’ll have to ignore if I can’t fix?

The entries are showing up because you have firewall logging enabled. You can disable this by finding the firewall rules and unchecking the Event Logging > Enable.

It looks like it’s all internal traffic. You may want to check if these two devices should be talking to each other or not.


Thank you, Zach, I know it’s logging because I enabled Event Logging.

> It looks like it’s all internal traffic. You may want to check if these two devices should be talking to each other or not.

How would I go about checking that? The first MAC Address is the router and the second is the “WiFi Address,” whatever that is. I omitted both MAC addresses from my post.

What’s the effect of the “Denied CONN?” The system seems to work fine even while those events are being logged.

Based on the above logs, you should check the source device 10.159.11.20 and the destination device 172.21.3.222. You should perform a packet capture from the source device 10.159.11.20 to see why such traffic is generated. Firewall logs only tell you that the connection is “denied”; whether or not the application works fine depends on the application itself and on whether it needs that port.

SPT=62104 - source port
DPT=54068 - destination port


My VPN service pushes a DNS server in order to prevent leaks and it resides in the IP 172.16 to 172.31 space. I suspect that’s the issue.

Thanks.

I noticed similar event logs when blocking outbound RFC 1918 ranges. This happens when not on VPN.

What I find strange is there’s nothing sitting at the destination IPs. It also rotates through a few source ports with the same destination port.

Any ideas on what’s going on?
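To make the field breakdown given earlier (SRC, DST, SPT, DPT) and the "rotating source ports, same destination port" observation concrete, here is an added Python example that is not from the thread or the router vendor: it parses lines in this "Denied CONN=..." format, flags RFC 1918 destinations, and groups the denied entries per flow. The sample log lines are constructed for illustration and the MAC value is left blank as in the original post.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample lines in the router's "Denied CONN=..." format (MAC left blank as
# in the post). Lines 1-3 show the same private DST and DPT with a rotating SPT.
SAMPLE_LOG = """\
Aug 06 12:57:22 Denied CONN=lan MAC= :08:00 SRC=10.159.11.20 DST=172.21.3.222 LEN=80 TOS=0x00 PREC=0x00 TTL=63 ID=19786 PROTO=UDP SPT=62104 DPT=54068 LEN=60 MARK=0x2
Aug 06 13:12:19 Denied CONN=lan MAC= :08:00 SRC=10.159.11.20 DST=172.21.3.222 LEN=80 TOS=0x00 PREC=0x00 TTL=63 ID=19801 PROTO=UDP SPT=62110 DPT=54068 LEN=60 MARK=0x2
Aug 06 13:27:31 Denied CONN=lan MAC= :08:00 SRC=10.159.11.20 DST=172.21.3.222 LEN=80 TOS=0x00 PREC=0x00 TTL=63 ID=19822 PROTO=UDP SPT=62117 DPT=54068 LEN=60 MARK=0x2
Aug 06 13:30:02 Denied CONN=lan MAC= :08:00 SRC=10.159.11.20 DST=203.0.113.9 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=19830 PROTO=UDP SPT=50001 DPT=53 LEN=40 MARK=0x2
"""

RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
LINE_RE = re.compile(r"^(\w{3} \d{2} \d{2}:\d{2}:\d{2}) (\w+) (.*)$")
FIELD_RE = re.compile(r"(\w+)=(\S*)")

def parse_line(line):
    """Return {'time', 'action', KEY: VALUE, ...}. LEN appears twice (IP total length,
    then UDP length), so the repeat is kept as LEN2; a blank MAC= yields ''."""
    m = LINE_RE.match(line.strip())
    if not m:
        raise ValueError(f"unrecognised log line: {line!r}")
    entry = {"time": m.group(1), "action": m.group(2)}
    for key, value in FIELD_RE.findall(m.group(3)):
        while key in entry:  # second LEN -> LEN2
            key += "2"
        entry[key] = value
    return entry

def is_rfc1918(ip):
    """True only for the three RFC 1918 blocks the outbound rules block."""
    return any(ipaddress.ip_address(ip) in net for net in RFC1918)

def denied_private_flows(log_text):
    """Group Denied entries with an RFC 1918 destination by (SRC, DST, PROTO, DPT)
    and list the source ports seen, which makes a rotating-SPT pattern visible."""
    flows = defaultdict(list)
    for line in log_text.splitlines():
        e = parse_line(line)
        if e["action"] == "Denied" and is_rfc1918(e["DST"]):
            flows[(e["SRC"], e["DST"], e["PROTO"], e["DPT"])].append(e["SPT"])
    return dict(flows)

if __name__ == "__main__":
    for flow, sports in denied_private_flows(SAMPLE_LOG).items():
        print(flow, "source ports:", sports)
```

Feed it the exported event log instead of SAMPLE_LOG to see which source device keeps retrying which private destination and port; that tells you where to run the packet capture suggested above.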

You are not alone. I see outbound traffic to private IPv4 addresses all the time. Blogged about it here:
https://michaelhorowitz.com/PrivateIPs.on.Internet.php
