Grok451 (Member, join:2008-10-08, Temple City, CA)
Netopia - Violation of Security Policy Events

Below is a sample of the type of messages I'm getting:

TCP srcIP:  192.168.1.4   dstIP:  17.149.36.235 srcPort:50754 dstPort: 5223 dropped - violation of security policy
TCP srcIP:  192.168.1.4   dstIP:  98.138.88.107 srcPort:50835 dstPort:  143 dropped - violation of security policy
ICMP srcIP: 192.168.1.254 dstIP:202.116.160.171 type:    3 code:    3 dropped - violation of security policy
TCP srcIP:  192.168.1.4   dstIP:   17.149.37.64 srcPort:50928 dstPort: 5223 dropped - violation of security policy
TCP srcIP:  192.168.1.103 dstIP: 74.125.224.181 srcPort:50090 dstPort:  443 dropped - violation of security policy
TCP srcIP:  192.168.1.103 dstIP: 199.204.20.100 srcPort:50327 dstPort:   80 dropped - violation of security policy
TCP srcIP:  192.168.1.103 dstIP: 199.204.20.100 srcPort:50329 dstPort:   80 dropped - violation of security policy
TCP srcIP:  192.168.1.103 dstIP: 199.204.20.100 srcPort:50331 dstPort:   80 dropped - violation of security policy
ICMP srcIP: 192.168.1.254 dstIP:   41.239.3.116 type:    3 code:    3 dropped - violation of security policy
ICMP srcIP: 192.168.1.254 dstIP:  208.54.86.255 type:    3 code:    3 dropped - violation of security policy
ICMP srcIP: 192.168.1.254 dstIP:  96.40.147.243 type:    3 code:    3 dropped - violation of security policy
ICMP srcIP: 192.168.1.254 dstIP: 89.249.244.138 type:    3 code:    3 dropped - violation of security policy
ICMP srcIP: 192.168.1.254 dstIP:     41.92.52.6 type:    3 code:    3 dropped - violation of security policy
ICMP srcIP: 192.168.1.254 dstIP:  77.31.247.224 type:    3 code:    3 dropped - violation of security policy
TCP srcIP:  192.168.1.89  dstIP:  204.9.163.166 srcPort:49522 dstPort:   80 dropped - violation of security policy
ICMP srcIP: 192.168.1.254 dstIP:  69.203.83.132 type:    3 code:    3 dropped - violation of security policy
ICMP srcIP: 192.168.1.254 dstIP: 69.138.232.116 type:    3 code:    3 dropped - violation of security policy
ICMP srcIP: 192.168.1.254 dstIP:    96.3.109.72 type:    3 code:    3 dropped - violation of security policy
TCP srcIP:  192.168.1.89  dstIP:209.208.241.213 srcPort:49389 dstPort:   80 dropped - violation of security policy
TCP srcIP:  192.168.1.89  dstIP:209.208.241.213 srcPort:49389 dstPort:   80 dropped - violation of security policy
TCP srcIP:  192.168.1.6   dstIP:209.208.241.212 srcPort: 2541 dstPort:   80 dropped - violation of security policy
ICMP srcIP: 192.168.1.254 dstIP:  174.147.206.6 type:    3 code:    3 dropped - violation of security policy
ICMP srcIP: 192.168.1.254 dstIP:  69.137.71.184 type:    3 code:    3 dropped - violation of security policy
ICMP srcIP: 192.168.1.254 dstIP:     2.25.74.93 type:    3 code:    3 dropped - violation of security policy

If I interpret this correctly, various IPs on the network are generating traffic to external sites that is being stopped by the Netopia for some security violation. Glad the Netopia is stopping the traffic. However, I'm trying to determine if there is a problem that needs to be resolved. Despite the messages, the PCs on the local network aren't showing any obvious signs of issues. The PCs are running anti-virus software and additional malware scans have been done. Neither has turned up any issues.
Questions:
• How can I determine specifically what security policy has been violated? The Netopia documents I've located don't detail the security policies, nor do they explain these messages.
• It's not clear how this traffic is being generated. Some of the destination addresses are associated with known entities like Apple, Microsoft, etc. If this is legit traffic, why is it being dropped?
• On the other hand, some traffic is associated with IPs in China, Egypt and other destinations that I wouldn't expect. In particular, the third entry (see bolded) indicates 192.168.1.254 (which is the Netopia) had traffic dropped that was intended for 202.116.160.171, which is in China, according to Ipillion. How is it that the Netopia is generating this type of traffic?

Would appreciate any help or suggestions.

tschmidt (MVM, join:2000-11-12, Milford, NH)
Most of the dropped traffic is ICMP so I assume it is Ping requests. Not sure why it is showing as originating from the Netopia. Have you disabled ICMP on the router?

Have you checked firewall rules on the router?

/tom
Grok451 (Member, join:2008-10-08, Temple City, CA)

Actually, most of the traffic is TCP - the snippet of the log from my original post is only a small representation of what's in the log. I included more ICMP events because they are more troubling to me, since those are shown as originating from the Netopia with some destinations that are more suspect. I can understand traffic originating from the local PCs, since simple internet browsing can cause all sorts of indirect traffic. I don't understand how traffic is originating from the Netopia without me being logged into it.

I've selected the "SilentRunning" security firewall option. But doesn't this only impact inbound traffic? Therefore outbound ICMP or TCP traffic is unaffected by this setting?
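As an added example (not from the thread or from Netopia), a small Python parser for the log format shown in the first post: it decodes the ICMP type/code numbers per RFC 792 and separates drops of the router's own ICMP replies from drops of LAN clients' connections, which is the first split to make before treating the 192.168.1.254 entries as suspicious. It assumes 192.168.1.254 is the Netopia's LAN address as stated in the post, and the sample lines are constructed in the same format as the posted log.

```python
import re
from collections import Counter

# Constructed sample lines in the same format as the Netopia log in the first post.
SAMPLE_LOG = """\
TCP srcIP:  192.168.1.4   dstIP:  17.149.36.235 srcPort:50754 dstPort: 5223 dropped - violation of security policy
ICMP srcIP: 192.168.1.254 dstIP:202.116.160.171 type:    3 code:    3 dropped - violation of security policy
TCP srcIP:  192.168.1.103 dstIP: 199.204.20.100 srcPort:50327 dstPort:   80 dropped - violation of security policy
ICMP srcIP: 192.168.1.254 dstIP:   41.239.3.116 type:    3 code:    3 dropped - violation of security policy
"""

ROUTER_IP = "192.168.1.254"  # assumption: the Netopia's LAN address, as the post states

TCP_RE = re.compile(
    r"^(?P<proto>TCP|UDP)\s+srcIP:\s*(?P<src>[\d.]+)\s+dstIP:\s*(?P<dst>[\d.]+)"
    r"\s+srcPort:\s*(?P<sport>\d+)\s+dstPort:\s*(?P<dport>\d+)\s+(?P<action>\w+)\s+-\s+(?P<reason>.+)$")
ICMP_RE = re.compile(
    r"^ICMP\s+srcIP:\s*(?P<src>[\d.]+)\s+dstIP:\s*(?P<dst>[\d.]+)"
    r"\s+type:\s*(?P<type>\d+)\s+code:\s*(?P<code>\d+)\s+(?P<action>\w+)\s+-\s+(?P<reason>.+)$")

# ICMP type 3 is Destination Unreachable; code 3 is Port Unreachable (RFC 792).
# A host emits type 3/code 3 only as a reply to a datagram it received for a closed port,
# so a router-sourced entry is a blocked reply, not a connection the router initiated.
ICMP_NAMES = {(3, 3): "dest-unreachable/port-unreachable", (8, 0): "echo-request", (0, 0): "echo-reply"}

def parse_line(line):
    """Return a dict for one log line, or None if the line is not in the known format."""
    m = TCP_RE.match(line)
    if m:
        d = m.groupdict()
        d["sport"], d["dport"] = int(d["sport"]), int(d["dport"])
        return d
    m = ICMP_RE.match(line)
    if m:
        d = m.groupdict()
        d["proto"], d["type"], d["code"] = "ICMP", int(d["type"]), int(d["code"])
        d["icmp"] = ICMP_NAMES.get((d["type"], d["code"]), "other")
        return d
    return None

def triage(text, router_ip=ROUTER_IP):
    """Count drops per (source, service) and how many are the router's own ICMP unreachables."""
    by_src, router_unreachables, entries = Counter(), 0, []
    for line in text.splitlines():
        e = parse_line(line)
        if e is None:
            continue
        entries.append(e)
        key = e["icmp"] if e["proto"] == "ICMP" else f"{e['proto']}/{e['dport']}"
        by_src[(e["src"], key)] += 1
        if e["src"] == router_ip and e.get("icmp") == "dest-unreachable/port-unreachable":
            router_unreachables += 1
    return entries, by_src, router_unreachables
```

Feeding the full log through `triage()` and sorting `by_src` shows at a glance which LAN host and destination port account for the bulk of the TCP drops, and how many of the 192.168.1.254 entries are port-unreachable replies rather than anything the router originated on its own.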