Topic: Understanding the firewall logs  (Read 2938 times)
« on: February 15, 2009, 11:54:44 »
Uluen **
Posts: 59

I think I have pretty good firewall rules, blocking everything not needed outbound (egress filtering?), but there are a few things logged that I don't understand, and I'm thinking I could get help understanding them here.

In Diagnostics: Logs: Settings, I have "Log packets blocked by the default rule" enabled, but I thought that was the "Block private networks" option in Interfaces: WAN, and that the entries in my logs are something else?

This is at the bottom of my LAN rules (logging is off for all rules):
Code:
LAN  Proto  Source   Port  Destination  Port  Description
X    *      LAN net  *     WAN address  *     Block everything else

This is P2P traffic from Spotify, I think, but why is it logged?
Code:
Act  Time                   If  Source           Destination                  Proto
X    11:09:53.698052  LAN  workstation, port 2395  remote-ip, port 47947  TCP

What's this? Is it Samba related?
Code:
X    11:30:57.026732  LAN  workstation, port 138  192.168.1.255, port 138  UDP

This is my Linux server, running SqueezeCenter (I think this port is related to that):
Code:
X    11:30:47.977166  LAN  marna, port 3483  255.255.255.255, port 3483  UDP

This is a Linux VM (my web-development server), running on the same Linux server:
Code:
X    11:31:47.010715  LAN  devbox, port 137  192.168.1.255, port 137  UDP

Any insight on these entries?

I tried enabling logging from m0n0wall to Kiwi Syslog but I couldn't get it working for some reason.
Logging from my Linksys WRT54GL (running Tomato) worked fine, any special configuration needed for m0n0wall?
« Reply #1 on: February 21, 2009, 04:42:47 »
Uluen **
Posts: 59

Is this so basic that no one bothers replying (my guess :) ) or maybe I wasn't very clear?
« Reply #2 on: February 21, 2009, 05:35:57 »
knightmb ****
Posts: 341

Quote from Uluen: Is this so basic that no one bothers replying (my guess :) ) or maybe I wasn't very clear?
It might be :D

But no worries, I'll see if I can help, because none of us here were born network experts and we all had to start somewhere. ;)

The way I'm reading it, you have default block logging. That means every single IP out there that pings, scans, probes m0n0wall will be logged as blocked because there really is no port for it to answer. Basically, you are seeing the "background" noise from every hacker, cracker, virus, whatever out there that wants to talk to your m0n0wall.

You have everything outbound blocked, so I imagine you are only allowing ports that are needed (80 for web, 25 for e-mail, 443 for SSL, etc.)

The P2P logging is common because many connections are open; some expire, so the firewall blocks them and logs them.

The Samba traffic is using the broadcast *.255 on port 138. Windows computers do that all the time; it's normal, since your firewall is blocking them from "escaping" out into the wild.

The SqueezeCenter is using IP 255.255.255.255, which is normally reserved for a DHCP broadcast, so that might just be the firewall playing packet police, is all.

The final Linux VM is using port 137, another Windows broadcast (NetBIOS, file sharing, etc.). You'll notice it also uses the *.255 address to try a broadcast.

Can't comment on the syslog, other than to check the syslog server's logs for any errors or ports that need to sync up.

Radius Service for m0n0wall Captive Portal - http://amaranthinetech.com
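The reply above sorts the logged entries into two kinds: LAN broadcasts that a firewall will never forward anyway (directed broadcasts to the subnet's .255 address, and the limited-broadcast address 255.255.255.255, which DHCP discovery and several LAN discovery protocols use) versus genuine unicast egress attempts that are worth a second look. The following script, an added example and not code from the thread or from m0n0wall, applies that triage to the web-GUI log layout quoted in the first post. It assumes the LAN is 192.168.1.0/24 (the thread only shows .255 addresses, never the mask), and the sample log lines are constructed: four are copied from the post and one, an SMB attempt to 203.0.113.9, is invented to show the case a practitioner would actually want flagged.

```python
import ipaddress
import re
from collections import Counter
from typing import Optional

# Assumption: the poster's LAN is 192.168.1.0/24; the thread never states the mask.
LAN_NET = ipaddress.ip_network("192.168.1.0/24")
LIMITED_BROADCAST = ipaddress.ip_address("255.255.255.255")

# NetBIOS name (137), datagram (138) and session/SMB (139) services.
NETBIOS_PORTS = {137, 138, 139}

# Matches the m0n0wall web-GUI log layout quoted in the thread:
#   Act  Time  If  Source, port N  Destination, port N  Proto
LINE_RE = re.compile(
    r"^(?P<act>\S+)\s+(?P<time>\S+)\s+(?P<iface>\S+)\s+"
    r"(?P<src>.+?), port (?P<sport>\d+)\s+"
    r"(?P<dst>.+?), port (?P<dport>\d+)\s+(?P<proto>\S+)$"
)

# Constructed sample: lines 1-4 are from the post, line 5 is invented
# (an SMB session attempt to a TEST-NET-3 address standing in for the Internet).
SAMPLE_LOG = [
    "X    11:09:53.698052  LAN  workstation, port 2395  remote-ip, port 47947  TCP",
    "X    11:30:57.026732  LAN  workstation, port 138  192.168.1.255, port 138  UDP",
    "X    11:30:47.977166  LAN  marna, port 3483  255.255.255.255, port 3483  UDP",
    "X    11:31:47.010715  LAN  devbox, port 137  192.168.1.255, port 137  UDP",
    "X    11:40:00.000000  LAN  workstation, port 1045  203.0.113.9, port 139  TCP",
]

# Categories that are LAN-local chatter a firewall would never forward.
NOISE = {"lan-broadcast", "limited-broadcast"}


def parse_line(line: str) -> Optional[dict]:
    """Split one GUI log line into its fields; None if the line does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    entry = m.groupdict()
    entry["sport"] = int(entry["sport"])
    entry["dport"] = int(entry["dport"])
    return entry


def _as_ip(text: str) -> Optional[ipaddress.IPv4Address]:
    """The GUI may show a resolved hostname instead of an address."""
    try:
        return ipaddress.ip_address(text)
    except ValueError:
        return None


def classify(entry: dict) -> str:
    """Label an entry by what the blocked packet was trying to do."""
    dst = _as_ip(entry["dst"])
    if dst == LIMITED_BROADCAST:
        return "limited-broadcast"      # 255.255.255.255: never routed anywhere
    if dst == LAN_NET.broadcast_address:
        return "lan-broadcast"          # subnet .255: NetBIOS and friends
    if dst is not None and dst in LAN_NET:
        return "lan-to-lan"             # unicast that stays on the LAN
    if entry["dport"] in NETBIOS_PORTS or entry["sport"] in NETBIOS_PORTS:
        return "netbios-egress"         # SMB/NetBIOS leaving the LAN: worth a look
    return "unicast-egress"             # ordinary outbound connection the rule caught


def summarize(lines) -> Counter:
    """Count entries per category, skipping lines the regex does not recognise."""
    counts = Counter()
    for line in lines:
        entry = parse_line(line)
        if entry is not None:
            counts[classify(entry)] += 1
    return counts


def triage(lines) -> dict:
    """Split the log into broadcast noise and entries that deserve review."""
    counts = summarize(lines)
    noise = sum(n for cat, n in counts.items() if cat in NOISE)
    return {"noise": noise, "review": sum(counts.values()) - noise}


if __name__ == "__main__":
    for line in SAMPLE_LOG:
        e = parse_line(line)
        print(f"{classify(e):18} {e['src']}:{e['sport']} -> {e['dst']}:{e['dport']} {e['proto']}")
    print(triage(SAMPLE_LOG))
```

Turning off default-rule logging, as the thread goes on to suggest, removes the WAN-side scan noise entirely; the split above is for the LAN-side entries that a logged "block everything else" rule will keep producing, where the broadcast categories can be dropped from a syslog view and the two egress categories are the ones to chase back to a process on the host.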
« Reply #3 on: February 21, 2009, 05:45:30 »
Uluen **
Posts: 59

Super, you made it much clearer for me, knightmb, thanks!

There was a lot of noise from "Log packets blocked by the default rule". I'll disable it and turn on logging for a few individual rules instead; maybe it's easier for me to understand what's going on then :)
« Reply #4 on: February 21, 2009, 19:41:59 »
knightmb ****
Posts: 341

Quote from Uluen: Super, you made it much clearer for me, knightmb, thanks!

There was a lot of noise from "Log packets blocked by the default rule". I'll disable it and turn on logging for a few individual rules instead; maybe it's easier for me to understand what's going on then :)
That's what I do as well. When I first had it on, it was neat, but after pages and pages of "blocked this, blocked that" it wasn't really even relevant to my web servers, e-mail, etc. So I knew m0n0wall was doing its job; I didn't need any further proof. If you ever suspect that your firewall is under attack, though, you can always turn it back on and check to see if it's just random "noise" or some guy at the same IP just slinging packets at you for fun. :D

Radius Service for m0n0wall Captive Portal - http://amaranthinetech.com