Cablemodem (SBG6580) firewall denying some outbound traffic? Why? Not configured [migrated]

Posted by lairdb on Server Fault See other posts from Server Fault or by lairdb
Published on 2014-05-31T19:20:11Z Indexed on 2014/05/31 21:31 UTC
Read the original article Hit count: 209

Filed under:
|
|
|
|

I finally got around to turning the syslog on for my cablemodem (Motorola Surfboard SBG6580) and I'm seeing about the expected amount of inbound attackage being blocked...

2014-05-30 21:59:02     Local0.Alert    192.168.111.1   May 31 04:58:56 2014 SYSLOG[0]: [Host 192.168.111.1] UDP 12.230.209.198,4500 --> 66.27.xx.xx,61459 DENY:Firewall interface [IP Fragmented Packet] attack
2014-05-30 21:59:02     Local0.Alert    192.168.111.1   May 31 04:58:56 2014 SYSLOG[0]: [Host 192.168.111.1] TCP 17.172.232.109,5223 --> 66.27.xx.xx,53814 DENY:Firewall interface access request
2014-05-30 21:59:02     Local0.Alert    192.168.111.1   May 31 04:58:57 2014 SYSLOG[0]: [Host 192.168.111.1] UDP 12.230.209.198,443 --> 66.27.xx.xx,53385 DENY: Firewall interface [IP Fragmented Packet] attack
2014-05-30 21:59:02     Local0.Alert    192.168.111.1   May 31 04:58:57 2014 SYSLOG[0]: [Host 192.168.111.1] UDP 12.230.209.198,4500 --> 66.27.xx.xx,61459 DENY:Firewall interface [IP Fragmented Packet] attack
2014-05-30 21:59:10     Local0.Alert    192.168.111.1   May 31 04:59:04 2014 SYSLOG[0]: [Host 192.168.111.1] UDP 12.230.209.198,443 --> 66.27.xx.xx,59960 DENY: Firewall interface [IP Fragmented Packet] attack
2014-05-30 21:59:10     Local0.Alert    192.168.111.1   May 31 04:59:04 2014 SYSLOG[0]: [Host 192.168.111.1] UDP 12.230.209.198,4500 --> 66.27.xx.xx,61459 DENY:Firewall interface [IP Fragmented Packet] attack

...and that's great. (Sad, but great.)

But I'm also seeing a HUGE amount of what appears to be denied outbound connectivity:

2014-05-30 16:30:10 Local0.Alert    192.168.111.1   May 30 23:30:04 2014 SYSLOG[0]: [Host 192.168.111.1] TCP 192.168.111.100,58969 --> 38.81.66.127,443 DENY: Inbound or outbound access request 
2014-05-30 16:30:10 Local0.Alert    192.168.111.1   May 30 23:30:04 2014 SYSLOG[0]: [Host 192.168.111.1] TCP 192.168.111.100,58969 --> 38.81.66.127,443 DENY: Inbound or outbound access request 
2014-05-30 16:30:10 Local0.Alert    192.168.111.1   May 30 23:30:04 2014 SYSLOG[0]: [Host 192.168.111.1] TCP 192.168.111.100,58965 --> 162.222.41.13,443 DENY: Inbound or outbound access request 
2014-05-30 16:30:10 Local0.Alert    192.168.111.1   May 30 23:30:04 2014 SYSLOG[0]: [Host 192.168.111.1] TCP 192.168.111.100,58965 --> 162.222.41.13,443 DENY: Inbound or outbound access request 
2014-05-30 16:30:10 Local0.Alert    192.168.111.1   May 30 23:30:04 2014 SYSLOG[0]: [Host 192.168.111.1] TCP 192.168.111.100,58964 --> 38.81.66.179,443 DENY: Inbound or outbound access request 
2014-05-30 16:30:10 Local0.Alert    192.168.111.1   May 30 23:30:04 2014 SYSLOG[0]: [Host 192.168.111.1] TCP 192.168.111.100,58964 --> 38.81.66.179,443 DENY: Inbound or outbound access request 

...and

  1. Spot checking suggests that it's all legitimate traffic (Opening connections to CrashPlan, etc.),
  2. I have no restrictions configured in the modem; I don't see why it should be blocking anything.

Am I misreading the log entry, and it's not actually being denied? (Seems unlikely.) Is the ISP (TWC) pushing deny tables that are not exposed in the UI? (Tinfoil hat too tight.)

I'm confused. (The good news, such as it is, is that AFAIK I'm not experiencing any actual issues... but maybe I am; tough to tell.)

Thanks.

© Server Fault or respective owner

Related posts about networking

Related posts about firewall