I have a series of these items:
Aug 06 12:57:22 Denied CONN=lan MAC= :08:00 SRC=10.159.11.20 DST=172.21.3.222 LEN=80 TOS=0x00 PREC=0x00 TTL=63 ID=19786 PROTO=UDP SPT=62104 DPT=54068 LEN=60 MARK=0x2
They come about every 15 minutes.
I understand many of the definitions of CONN, MAC, DST, LEN, etc., from the user manual. I don’t understand why I have the entries.
It seems to have something to do with my using Router-Block-Modem outbound firewall rules to block all private spaces, i.e., 10.0.0.0/8, 172.16.0.0/12, and 192.168.0.0/16. When I removed the firewall rules, I stopped getting “Denied CONN” entries.
Are these serious entries or are they simply something I’ll have to ignore if I can’t fix?
The entries are showing up because you have firewall logging enabled. You can disable this by finding the firewall rules and unchecking the Event Logging > Enable.
Thank you, Zach, I know it’s logging because I enabled Event Logging.
It looks like it’s all internal traffic. You may want to check if these two devices should be talking to each other or not.
How would I go about checking that? The first MAC Address is the router and the second is the “WiFi Address,” whatever that is. I omitted both MAC addresses from my post.
What’s the effect of the “Denied CONN?” The system seems to work fine even while those events are being logged.
Based on the above logs, you should check the source device 10.159.11.20 and the destination device 172.21.3.222. You should perform a packet capture on the source device 10.159.11.20 to see why such traffic is generated. Firewall logs only tell you that the connection is “denied”; whether or not the application works fine depends on the application itself and whether it needs that port.
SPT=62104 - source port
DPT=54068 - destination port
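As an added example that is not from any poster in this thread: a small Python script that parses log lines in the format quoted above (key=value fields after the timestamp and action), labels each denied flow by whether its source and destination fall in the three private ranges the poster's rules block, and measures how regularly each flow repeats, so the "every 15 minutes" observation can be confirmed from the log rather than by eye. The sample lines are constructed from the quoted entry; the field names are the ones the entry itself uses, and the second LEN (the UDP length) is stored as LEN2.

```python
import ipaddress
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample lines modelled on the entry quoted in the thread (MAC left blank, as in the post).
SAMPLE_LOG = """\
Aug 06 12:57:22 Denied CONN=lan MAC= :08:00 SRC=10.159.11.20 DST=172.21.3.222 LEN=80 TOS=0x00 PREC=0x00 TTL=63 ID=19786 PROTO=UDP SPT=62104 DPT=54068 LEN=60 MARK=0x2
Aug 06 13:12:21 Denied CONN=lan MAC= :08:00 SRC=10.159.11.20 DST=172.21.3.222 LEN=80 TOS=0x00 PREC=0x00 TTL=63 ID=19801 PROTO=UDP SPT=62104 DPT=54068 LEN=60 MARK=0x2
Aug 06 13:20:05 Denied CONN=lan MAC= :08:00 SRC=10.159.11.40 DST=203.0.113.9 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=4410 PROTO=UDP SPT=51000 DPT=53 LEN=40 MARK=0x2
"""

# The three RFC 1918 ranges the poster's outbound rules block.
PRIVATE_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
HEADER_RE = re.compile(r"^(\w{3} \d{2} \d{2}:\d{2}:\d{2}) (\w+) (.*)$")
FIELD_RE = re.compile(r"(\w+)=(\S*)")

def parse_entry(line):
    """Split one 'Denied CONN=...' line into a dict; a repeated key (the second LEN) gets a '2' suffix."""
    m = HEADER_RE.match(line.strip())
    if not m:
        return None
    entry = {"ts": datetime.strptime(m.group(1), "%b %d %H:%M:%S"), "action": m.group(2)}
    for key, value in FIELD_RE.findall(m.group(3)):
        entry[key if key not in entry else key + "2"] = value
    return entry

def is_private(ip):
    return any(ipaddress.ip_address(ip) in net for net in PRIVATE_NETS)

def classify(entry):
    """Label the flow by address scope, which is what the private-space rules key on."""
    src, dst = is_private(entry["SRC"]), is_private(entry["DST"])
    return {(True, True): "private-to-private", (True, False): "private-to-public"}.get((src, dst), "other")

def summarize(log_text):
    """Group denied entries by SRC/DST/PROTO/DPT and report count, scope and the average gap between repeats."""
    groups = defaultdict(list)
    for line in log_text.splitlines():
        e = parse_entry(line)
        if e and e["action"] == "Denied":
            groups[(e["SRC"], e["DST"], e["PROTO"], e["DPT"])].append(e)
    report = {}
    for key, entries in groups.items():
        gaps = [(b["ts"] - a["ts"]).total_seconds() / 60 for a, b in zip(entries, entries[1:])]
        report[key] = {"count": len(entries), "scope": classify(entries[0]),
                       "avg_gap_min": round(sum(gaps) / len(gaps), 1) if gaps else None}
    return report
```

Running summarize over the router's log file instead of SAMPLE_LOG shows which device pairs are being denied and how often, which is the starting point for the packet capture suggested above.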