Thanks Kail,
Yes, it’s outbound - here’s a log entry:
Date/Time :2007-06-28 07:19:44
Severity :Medium
Reporter :Network Monitor
Description:Outbound Policy Violation (Access Denied, ICMP = PORT UNREACHABLE)
Protocol:ICMP Outgoing
Source: 192.168.24.2
Destination: 208.67.220.220
Message: PORT UNREACHABLE
Reason: Network Control Rule ID = 13
(I’ve discovered the export as HTML feature :-)).
Happens irregularly, i.e. last night at around 22:00, then twice this morning at 07:10 & 07:20, so not so frequent.
Router does DHCP, though all current machines are hard coded to IP addresses and there is a range of IPs defined for DHCP. It also acts as DNS, forwarding any requests to the proper DNS servers. Some of the machines (incl. mine) have 208.67.220.220 and 208.67.222.222 as secondary DNS configured.
The messages I’m most concerned about are these:
Date/Time :2007-06-28 07:25:54
Severity :Medium
Reporter :Network Monitor
Description:Inbound Policy Violation (Access Denied, ICMP = PORT UNREACHABLE)
Protocol:ICMP Incoming
Source: 192.168.24.1
Destination: 192.168.24.2
Message: PORT UNREACHABLE
Reason: Network Control Rule ID = 13
As they seem to originate from the router and occur every minute or so.
In the Network Control, I have a rule that allows any TCP/UDP in or out for any machine on the LAN, i.e. 192.168.24.0 to 192.168.24.255.
I have also allowed pings (ICMP in/out Echo request) between LAN machines.
Unfortunately I am working blind as I have no idea what the difference is between TCP, UDP and ICMP, nor do I know what ports are for what (well, I know a little - very dangerous :-)).
I’m perhaps being a little paranoid as the router has a decent firewall with all ports blocked and ignores pings from the outside world. Seems to pass security tests pretty well.
Would like to know what this traffic is though…
Regards
Animal