NethServer Version: 7.9
Module: Firewall, IPS, Fail2ban, Webproxy
For the last 3 weeks I have noticed increasing packet drops.
I cannot really identify a reason.
The Block Categories are similar to my other servers w/o drops.
Do you have any tips for me for deeper analysis?
Or is it normal?
Best regards, Marko
round about 10-15%.
Meanwhile I deactivated the IPS completely - no difference. Which other module also initiates such drops?
These drops dominate:
Jan 9 18:10:03 nethserver kernel: Shorewall:net2fw:DROP:IN=eth0 OUT= MAC=c6:92:ce:7d:46:87:58:d7:59:69:f1:0d:08:00 SRC=188.8.131.52 DST=192.168.2.201 LEN=1440 TOS=0x00 PREC=0x00 TTL=55 ID=21669 DF PROTO=TCP SPT=443 DPT=42782 WINDOW=298 RES=0x00 ACK URGP=0 MARK=0x5b00
Jan 9 18:24:34 nethserver kernel: Shorewall:net2fw:DROP:IN=eth0 OUT= MAC=c6:92:ce:7d:46:87:58:d7:59:69:f1:0d:08:00 SRC=184.108.40.206 DST=192.168.2.201 LEN=40 TOS=0x00 PREC=0x00 TTL=58 ID=0 DF PROTO=TCP SPT=443 DPT=47068 WINDOW=0 RES=0x00 RST URGP=0 MARK=0x8c00
Jan 9 18:46:48 nethserver kernel: Shorewall:net2fw:DROP:IN=eth0 OUT= MAC=c6:92:ce:7d:46:87:58:d7:59:69:f1:0d:08:00 SRC=220.127.116.11 DST=192.168.2.201 LEN=323 TOS=0x00 PREC=0x00 TTL=56 ID=26658 DF PROTO=TCP SPT=443 DPT=49742 WINDOW=235 RES=0x00 ACK PSH URGP=0 MARK=0x9100
Is this the IP address of your nethserver lan interface? All have in common that the destination is the same.
All are different source IPs.
Yes, it is my Proxmox/NethServer gateway.
But then it’s your RED (outside) interface, not your GREEN (LAN) interface. Which makes me think your log entries are coming from random IP addresses. The entries are not related, so my best guess is that they are not that harmful.
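For the deeper analysis asked about above, an added example (not part of the thread, and not NethServer or Shorewall code): a small parser that groups Shorewall drop entries by chain, source, destination, source port and TCP flags, run here on the three log lines quoted in the thread. The function names `parse_entry` and `summarize` are my own.

```python
import re
from collections import Counter

# The three kernel log lines quoted in the thread, unchanged.
SAMPLE = """\
Jan 9 18:10:03 nethserver kernel: Shorewall:net2fw:DROP:IN=eth0 OUT= MAC=c6:92:ce:7d:46:87:58:d7:59:69:f1:0d:08:00 SRC=188.8.131.52 DST=192.168.2.201 LEN=1440 TOS=0x00 PREC=0x00 TTL=55 ID=21669 DF PROTO=TCP SPT=443 DPT=42782 WINDOW=298 RES=0x00 ACK URGP=0 MARK=0x5b00
Jan 9 18:24:34 nethserver kernel: Shorewall:net2fw:DROP:IN=eth0 OUT= MAC=c6:92:ce:7d:46:87:58:d7:59:69:f1:0d:08:00 SRC=184.108.40.206 DST=192.168.2.201 LEN=40 TOS=0x00 PREC=0x00 TTL=58 ID=0 DF PROTO=TCP SPT=443 DPT=47068 WINDOW=0 RES=0x00 RST URGP=0 MARK=0x8c00
Jan 9 18:46:48 nethserver kernel: Shorewall:net2fw:DROP:IN=eth0 OUT= MAC=c6:92:ce:7d:46:87:58:d7:59:69:f1:0d:08:00 SRC=220.127.116.11 DST=192.168.2.201 LEN=323 TOS=0x00 PREC=0x00 TTL=56 ID=26658 DF PROTO=TCP SPT=443 DPT=49742 WINDOW=235 RES=0x00 ACK PSH URGP=0 MARK=0x9100
"""

TCP_FLAGS = {"SYN", "ACK", "FIN", "RST", "PSH", "URG"}
ENTRY = re.compile(r"Shorewall:([^:\s]+):([^:\s]+):(.*)")

def parse_entry(line):
    """Return a dict for one Shorewall log line, or None if it is not one."""
    m = ENTRY.search(line)
    if not m:
        return None
    chain, action, rest = m.groups()
    fields, flags = {}, []
    for tok in rest.split():
        if "=" in tok:
            key, _, value = tok.partition("=")
            fields[key] = value          # "OUT=" yields an empty value
        elif tok in TCP_FLAGS:
            flags.append(tok)            # bare tokens such as ACK, PSH, RST
    fields.update(chain=chain, action=action, flags="+".join(sorted(flags)))
    return fields

def summarize(lines):
    """Group dropped packets by the properties the thread compares."""
    entries = [e for e in map(parse_entry, lines) if e and e["action"] == "DROP"]
    return {
        "total": len(entries),
        "chains": Counter(e["chain"] for e in entries),
        "sources": Counter(e.get("SRC") for e in entries),
        "destinations": Counter(e.get("DST") for e in entries),
        "by_spt_flags": Counter((e.get("SPT"), e["flags"]) for e in entries),
        # SYN without ACK is a new inbound connection attempt; any other
        # flag combination claims to belong to an already existing flow.
        "new_connection_attempts": sum(e["flags"] == "SYN" for e in entries),
    }

if __name__ == "__main__":
    for name, value in summarize(SAMPLE.splitlines()).items():
        print(name, dict(value) if isinstance(value, Counter) else value)
```

Fed a full day of kernel log lines instead of the sample, the same counters show whether the drops cluster on one chain, one source port or one flag combination.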