Can someone explain this Firewall log alert from my Router?

JEDI

03/07/2007 03:44:29 Inbound RulesDropWANTCP Alert

When I click on details, it says:
Alert: TCP WAN Traffic to WAN IP
Source Port: 80
Destination Port: 50965

This error is pages and pages long at like 10 second intervals.

Should I be concerned?
 

n0cmonkey

It looks like someone is trying to connect to your WAN IP (the one provided by the ISP) from the general internet. Without further investigation, the log looks like someone is coming from port 80 to your port 50965, but that seems funky to me. Any problems loading pages?
 

Phil21

Much more likely is that it's intercepting some form of response from a webserver to a client. Useful things like, oh you know, logging the source and destination IPs seem to be left out.

This is what we call in the industry IWFs, when we get at abuse desks and network engineering contacts "abuse reports" from stuff like this. I'm not destining that comment at you at all, just in general showing disgust for the general state of the "lol firewall!" device market. So-called "network engineers" tend to send awesome abuse reports cut and pasted from devices like this, thinking that they in some way are showing nefarious traffic. 99.99% of the time it shows a normal TCP flow from, say, a webpage they requested in their browser. Ugh.

Back on topic :) This traffic is overwhelmingly likely to not be "bad" in any way. It shows the normal port a webserver will respond on, sending data to a normal port a client would request that data from.
 

JackMDS

You cannot control the traffic on the road in front of your house, and you usually do not investigate who is in the car that is passing by.

Unless you have a very strong stomach, or there is an indication that something from the outside is affecting the inside of the LAN, it is better not to look at the Router's WAN log.
 

JEDI

Originally posted by: n0cmonkey
It looks like someone is trying to connect to your WAN IP (the one provided by the ISP) from the general internet. Without further investigation, the log looks like someone is coming from port 80 to your port 50965, but that seems funky to me. Any problems loading pages?

Yeah, LOTS of problems loading pages... REALLLLY slow.

Here's the latest alert:
Source IP: 85.66.204.207 Destination IP: <My IP>
Protocol: UDP
Source Port: 23665 Destination Port: 19912

Alert: UDP WAN Traffic to WAN IP

This is my home DSL (Verizon) using a Westell wireless Router/DSL modem
 

nweaver

Originally posted by: JEDI
Originally posted by: n0cmonkey
It looks like someone is trying to connect to your WAN IP (the one provided by the ISP) from the general internet. Without further investigation, the log looks like someone is coming from port 80 to your port 50965, but that seems funky to me. Any problems loading pages?

Yeah, LOTS of problems loading pages... REALLLLY slow.

Here's the latest alert:
Source IP: 85.66.204.207 Destination IP: <My IP>
Protocol: UDP
Source Port: 23665 Destination Port: 19912

Alert: UDP WAN Traffic to WAN IP

This is my home DSL (Verizon) using a Westell wireless Router/DSL modem

That's not using port 80, so I doubt it's web related. That's just "background noise" from the internet.
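
The port reasoning used in the replies above, as an added example that is not from any poster in this thread: it parses the two alert detail blocks quoted here and labels each one from its source/destination port pair. The label names, the 1023 port cutoff and the stand-in destination address are assumptions made for the example.

```python
import re

# Constructed sample: the two alert detail blocks quoted in the thread. The
# redacted destination IP is replaced by a documentation address (203.0.113.10).
SAMPLE = """\
Alert: TCP WAN Traffic to WAN IP
Source Port: 80
Destination Port: 50965

Source IP: 85.66.204.207 Destination IP: 203.0.113.10
Protocol: UDP
Source Port: 23665 Destination Port: 19912
Alert: UDP WAN Traffic to WAN IP
"""

FIELD = re.compile(
    r"(Source IP|Destination IP|Protocol|Source Port|Destination Port):\s*(\S+)")
ALERT = re.compile(r"Alert:\s*(TCP|UDP) WAN Traffic")
SERVICE_PORT_MAX = 1023  # assumption: ports up to 1023 are treated as server ports


def parse_alerts(text):
    """Return one dict per blank-line-separated alert block."""
    alerts = []
    for block in re.split(r"\n\s*\n", text.strip()):
        rec = dict(FIELD.findall(block))
        proto = ALERT.search(block)
        if proto:
            rec.setdefault("Protocol", proto.group(1))
        if "Source Port" in rec and "Destination Port" in rec:
            alerts.append(rec)
    return alerts


def classify(rec):
    """Heuristic label based only on the port pair (hypothetical labels)."""
    sport, dport = int(rec["Source Port"]), int(rec["Destination Port"])
    if sport <= SERVICE_PORT_MAX < dport:
        return "server-reply"        # e.g. port 80 answering a client's high port
    if dport <= SERVICE_PORT_MAX:
        return "inbound-to-service"  # unsolicited attempt at a listening service
    return "high-port-noise"         # neither side is a well-known service port


def triage(text):
    return [(r.get("Protocol"), r.get("Source IP", "not logged"), classify(r))
            for r in parse_alerts(text)]


if __name__ == "__main__":
    for row in triage(SAMPLE):
        print(row)
```

The label is only a first-pass hint: it cannot tell whether a host on the LAN requested the flow, which needs the source and destination IPs that the first alert leaves out.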