2701HGV BT6.1.1.22 - weird IP's in Firewall logs

Started by BlazeBlade, Jul 02, 2011, 11:10:02

BlazeBlade

Hi Community,

I have a 2701HGV Gateway and flashed the BT 6.1.1.22-enh.tm firmware with help from this forum and h*t*tp://bt2700hgv.tripod.co*m
Set up my ISP login and local network (no VoIP).

Now I found weird connection attempts to IP's all over the world in the firewall logs.

I set up the router with one laptop and a fresh Windows XP install, so they should not come from this computer. It looks more like the router itself is trying to connect to those IP's.

Does anyone know what's going on here?

Thanks for any help.

Firewall Logs:

INF 2011-07-02T18:45:52+12:00 fw,fwmon
src=91.82.162.237 dst=119.224.59.106 ipprot=6 sport=1060 dport=30121 Unknown inbound session stopped

INF 2011-07-02T18:45:52+12:00 fw,fwmon
src=210.6.70.42 dst=119.224.59.106 ipprot=6 sport=65261 dport=443 Unknown inbound session stopped

INF 2011-07-02T19:01:02+12:00 fw,fwmon
src=24.46.141.234 dst=119.224.59.106 ipprot=6 sport=49971 dport=443 Unknown inbound session stopped

INF 2011-07-02T19:01:02+12:00 fw,fwmon
src=126.26.208.90 dst=119.224.59.106 ipprot=6 sport=48560 dport=80 Unknown inbound session stopped

INF 2011-07-02T19:01:02+12:00 fw,fwmon
src=126.26.208.90 dst=119.224.59.106 ipprot=17 sport=55504 dport=80 Unknown inbound session stopped

INF 2011-07-02T19:01:02+12:00 fw,fwmon
src=201.27.197.198 dst=119.224.59.106 ipprot=6 sport=49298 dport=30121 Unknown inbound session stopped

INF 2011-07-02T19:01:05+12:00 fw,fwmon
src=24.46.141.234 dst=119.224.59.106 ipprot=6 sport=49971 dport=443 Unknown inbound session stopped

INF 2011-07-02T19:01:05+12:00 fw,fwmon
src=126.26.208.90 dst=119.224.59.106 ipprot=6 sport=48560 dport=80 Unknown inbound session stopped

INF 2011-07-02T19:01:05+12:00 fw,fwmon
src=201.27.197.198 dst=119.224.59.106 ipprot=6 sport=49298 dport=30121 Unknown inbound session stopped

INF 2011-07-02T19:01:11+12:00 fw,fwmon
src=24.46.141.234 dst=119.224.59.106 ipprot=6 sport=49971 dport=443 Unknown inbound session stopped

INF 2011-07-02T19:01:11+12:00 fw,fwmon
src=126.26.208.90 dst=119.224.59.106 ipprot=6 sport=48560 dport=80 Unknown inbound session stopped

INF 2011-07-02T19:01:11+12:00 fw,fwmon
src=201.27.197.198 dst=119.224.59.106 ipprot=6 sport=49298 dport=30121 Unknown inbound session stopped

INF  2011-07-02T19:06:09+12:00 fw,fwmon
src=188.26.46.93 dst=119.224.59.106 ipprot=1 icmp_type=3 icmp_code=3 ICMP Dest Unreachable, session terminated

INF 2011-07-02T13:38:13+12:00 fw,fwmon
src=41.130.171.200 dst=119.224.59.106 ipprot=6 sport=3760 dport=23 Unknown inbound session stopped


Simon

:welc: :karma:

I'm sure someone will be along to advise in due course.  :)
Simon.
--
This post reflects my own views, opinions and experience, not those of IDNet.

MisterW

Quote: Now I found weird connection attempts to IP's all over the world in the firewall logs.

No, they're connection attempts FROM IP's all over the world. It's nothing to worry about, they've been blocked by the firewall in the 2700 and it's just reporting it. It's typical these days of probing attempts from all over the world.
As I say, nothing to worry about, just the 2700 informing you of the attempts being blocked.

Ray

Ray
--------------------

This post reflects my own views, opinions and experience, not those of IDNet.
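
The reading given in the reply above (every entry has the router's own public address in dst=, so these are inbound probes that were dropped) can be checked mechanically. This is an added example, not part of the original thread: the function names are hypothetical, treating 119.224.59.106 as the WAN address is an assumption drawn from the log, and the sample records are copied from the log posted above.

```python
import re
from collections import defaultdict

# Records copied from the firewall log posted above (header line + detail line).
SAMPLE_LOG = """\
INF 2011-07-02T19:01:02+12:00 fw,fwmon
src=24.46.141.234 dst=119.224.59.106 ipprot=6 sport=49971 dport=443 Unknown inbound session stopped
INF 2011-07-02T19:01:02+12:00 fw,fwmon
src=126.26.208.90 dst=119.224.59.106 ipprot=17 sport=55504 dport=80 Unknown inbound session stopped
INF 2011-07-02T19:01:05+12:00 fw,fwmon
src=24.46.141.234 dst=119.224.59.106 ipprot=6 sport=49971 dport=443 Unknown inbound session stopped
INF  2011-07-02T19:06:09+12:00 fw,fwmon
src=188.26.46.93 dst=119.224.59.106 ipprot=1 icmp_type=3 icmp_code=3 ICMP Dest Unreachable, session terminated
INF 2011-07-02T13:38:13+12:00 fw,fwmon
src=41.130.171.200 dst=119.224.59.106 ipprot=6 sport=3760 dport=23 Unknown inbound session stopped
"""

WAN_IP = "119.224.59.106"  # assumption: the router's public address, as seen in dst=
PROTO = {"1": "icmp", "6": "tcp", "17": "udp"}  # IP protocol numbers
HEADER = re.compile(r"^INF\s+(\S+)\s+fw,fwmon$")
FIELD = re.compile(r"(\w+)=(\S+)")

def parse(log_text):
    """Yield one dict per fwmon record, pairing each header with its detail line."""
    stamp = None
    for line in log_text.splitlines():
        line = line.strip()
        m = HEADER.match(line)
        if m:
            stamp = m.group(1)
        elif stamp and line.startswith("src="):
            rec = dict(FIELD.findall(line))
            rec["time"] = stamp
            # Traffic addressed to the WAN IP came from outside; anything else left the router.
            rec["direction"] = "inbound" if rec.get("dst") == WAN_IP else "outbound"
            yield rec
            stamp = None

def summarize(log_text):
    """Collapse repeated entries for the same source/protocol/port into a count."""
    flows = defaultdict(int)
    for r in parse(log_text):
        key = (r["direction"], r["src"], PROTO.get(r["ipprot"], r["ipprot"]),
               r.get("dport", "-"))  # ICMP records carry no dport
        flows[key] += 1
    return dict(flows)

if __name__ == "__main__":
    for (direction, src, proto, dport), n in sorted(summarize(SAMPLE_LOG).items()):
        print(f"{direction:8} {src:16} {proto}/{dport:6} x{n}")
```

An "outbound" row in the summary would be the case worth investigating, since it would mean something behind the router initiated the traffic.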

BlazeBlade

Hi Guys,

Thanks for the nice welcome and the turbo quick reply!

I live in NZ and I used a (standard) NZ Telecom modem for the last 2 years but I never had those IP connections in my modem's log files.
Is the 2701 just more sensitive?

Just wondering if you guys have the same entries?

Cheers!

Lance

It could just be that the 2701 firewall reports it, whereas other routers might block it without reporting.
Lance
_____

This post reflects my own views, opinions and experience, not those of IDNet.

BlazeBlade

There is probably again a simple explanation but why do I have these Static Routes?
192.168.178.x is not a network ID on my network.

Thanks again for your time and help.

Subnet IP 192.168.178.254
Subnet Mask 255.255.255.255
Gateway IP 192.168.178.254
Interface bridge3

Subnet IP 192.168.178.0
Subnet Mask 255.255.255.0
Gateway IP 192.168.178.254
Interface bridge3

And in event log (system)
INF P0000-00-00T00:00:22 sys ipnet3: Up on bridge3 with 192.168.178.254/24192.168.178.254



kinmel

You can check how well your firewall is protecting you by running a scan with Shields Up!
Alan  ‹(•¿•)›

What is the date of the referendum for England to become an independent country ?

MisterW

The BT firmware has the ability to have 2 separate wireless networks. One is your network and uses the same subnet as the wired network, the other is for BT_Fusion and/or Openzone if enabled. I believe 192.168.172.x is the subnet for that network, it is therefore segregated from YOUR local network to avoid any of its users accessing your local network but give them access to the Internet.
Openzone is best disabled but the Fusion network can sometimes be useful to give visitors access to the internet without compromising your own network.

pctech

Had a spate of those myself on my Netgear DG834G when I initially received my fixed IP allocation from Zen, it reported them as Denial of Service (DOS) attempts in the logs where the firewall had dropped the packet.

The IPs tracked back to China, after a while they got bored when they realised they were getting nowhere and the entries stopped.


BlazeBlade