How do I stop many GP socket connected to my Cellular TCP/IP address?

Digi TransPort WR (Series)
, , ,
1

I thought my two lines of Firewall code were supposed to stop any incoming hits or login attempts except from our server in the lab and my actual PC in my cube with the following 2 lines of firewall code

pass in break end on ppp 1 from 164.82.32.13 to addr-ppp 1
pass in break end on ppp 1 from 164.82.32.1 to addr-ppp 1

I am getting hundreds of these type of GP hits stopping my WR41 from working?
03:29:15, 08 Jan 2019,GP socket connected: 166.141.188.4:22 -> 103.114.107.221:58621
03:29:15, 08 Jan 2019,GP socket connected: 166.141.188.4:22 -> 68.183.17.76:41078
03:26:41, 08 Jan 2019,GP socket connected: 166.141.188.4:22 -> 148.101.91.58:37274

2

Hi

What other rules have you got in the firewall

also has this been switched on the PPP interface and some times the PPP interface would need to be cycled to enable

regards

James

3

Thanks Jim, My field guys are headed out this morning to reboot. I will be able to get logs then and PPP 1 was rebooted after last firewall update. Here is all in the firewall.
#Allow outbound FTP traffic
pass out break end proto ftp from any to any port=ftpcnt flags S!A inspect-state
#Allow any other outbound traffic and the replies back in
pass in break end on ppp 1 from 164.82.32.13 to addr-ppp 1
pass in break end on ppp 1 from 164.82.32.1 to addr-ppp 1
pass out break end inspect-state
#Allow incoming IPSEC
pass break end proto 50
pass in break end proto udp from any to any port=ike
pass in break end proto udp from any to any port=4500
#Allow any traffic within an IPSEC tunnel in both directions
pass break end oneroute any
#Allow incoming SSH and SFTP
pass in break end proto tcp from any to any port=22 flags S!A inspect-state
#Allow incoming HTTPS
pass in break end proto tcp from any to any port=443 flags S!A inspect-state
#Block and log everything else including incoming telnet, http and FTP
block log break end

4

Hi

You have the originall rules still in for SSH and HTTPS from anywhere.

you would need to remobe the entries to stop other people from conencting

#Allow incoming SSH and SFTP
pass in break end proto tcp from any to any port=22 flags S!A inspect-state
#Allow incoming HTTPS
pass in break end proto tcp from any to any port=443 flags S!A inspect-state

5

Here is the firewall.txt

remote managment rule to all ports from NOC address

pass in break end on ppp 1 from 164.82.32.13 to addr-ppp 1
pass in break end on ppp 1 from 164.82.32.1 to addr-ppp 1
#Allow any other outbound traffic and the replies back in
pass in break end on ppp 1 from 24.158.245.210 to addr-ppp 1
pass out break end inspect-state
#Allow incoming IPSEC
#Allow any traffic within an IPSEC tunnel in both directions
#Block and log everything else including incoming telnet, http and FTP
block log break end

From the debug file I see a guy from Australia still getting in somehow see next line,

15:58:44, 17 Jan 2019,IP Act_Rq to PPP 1-0: s_ip[192.168.1.51] d_ip[111.221.57.130] d_port[443]

The IP address 192.168.1.51 is our data logger at the remote site a Windows 7 Professional system. The other IP address 111.221.57.130 is in Australia. We are in Washington DC

6

Hi
so the event is showing traffic flowing from the data logger. as it looks like you are using PPP on demand this request has forced the PPP interface UP and thats why there is an entry in the eventlog. if PPP was always on you would not see this event.

You should check the data logger and see why it is opening this connection if you think it is wrong

regards

James

7

I now have another issue I have an app that needs to come through my router on http port 9898 from
164.82.32.13 only

Again I am using a WR-41
Firmware Version:6.1.3.5 (Jul 17 2018 14:23:56)