I would like some help figuring out what the firewall logs are doing on the Cisco RV042.
First, I'm seeing this:
Jul 1 09:57:35 2014 | ACCESS_RULE | TCP 192.168.24.29:64086->137.116.32.69:80 on eth0 |
Jul 1 09:57:38 2014 | ACCESS_RULE | TCP 192.168.24.40:64086->65.166.200.17:80 on eth0 |
Jul 1 09:57:42 2014 | ACCESS_RULE | TCP 192.168.24.49:64086->157.56.240.137:80 on eth0 |
Jul 1 09:57:42 2014 | ACCESS_RULE | TCP 192.168.24.43:64086->65.166.200.11:80 on eth0 |
Jul 1 09:57:42 2014 | ACCESS_RULE | TCP 192.168.24.49:64086->157.56.240.137:80 on eth0 |
Why is the originating IP showing as port 64086? I see that the destination port is 80 which makes sense to me for web traffic.
Then I see logs like this:
Jul 1 09:44:10 2014 | ACCESS_RULE | UDP 192.168.24.35:54399->173.194.46.106:53580 on eth0 |
Jul 1 09:44:12 2014 | ACCESS_RULE | UDP 192.168.24.20:54399->65.166.200.13:53580 on eth0 |
Jul 1 09:44:20 2014 | ACCESS_RULE | UDP 192.168.24.41:54399->137.116.32.69:53580 on eth0 |
Jul 1 09:44:22 2014 | ACCESS_RULE | UDP 192.168.24.20:54399->72.2.114.133:53580 on eth0 |
Jul 1 09:44:27 2014 | ACCESS_RULE | UDP 192.168.24.45:54399->137.116.32.69:53580 on eth0 |
Jul 1 09:44:28 2014 | ACCESS_RULE | UDP 192.168.24.43:54399->132.245.113.194:53580 on eth0 |
The originating port is 54399 and the destination is 53580. Any idea why those ports are being used?
I look up the IPs and most are Microsoft or something I recognize. But I am seeing a lot of 65.166.200.17, which translates to www.learningware.com. I see this IP being accessed from different IP addresses (including mine). I certainly don't use that site for anything.
Am I reading this log right?
Thanks for any help!
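Added example (not from the original post or from Cisco): a small Python parser for the `ACCESS_RULE` line format shown above. It groups entries by destination IP and lists source ports that several internal hosts share, so the two patterns the post asks about can be pulled out of a full log export instead of eyeballed. The sample lines are constructed in the same format using documentation-range addresses; one deliberately truncated line shows that malformed entries are skipped.

```python
import re
from collections import defaultdict

# Constructed sample in the RV042 ACCESS_RULE format from the post (made-up addresses).
SAMPLE_LOG = """\
Jul 1 09:57:35 2014 | ACCESS_RULE | TCP 192.168.24.29:64086->203.0.113.10:80 on eth0 |
Jul 1 09:57:38 2014 | ACCESS_RULE | TCP 192.168.24.40:64086->203.0.113.20:80 on eth0 |
Jul 1 09:44:10 2014 | ACCESS_RULE | UDP 192.168.24.35:54399->203.0.113.10:53580 on eth0 |
Jul 1 09:44:12 2014 | ACCESS_RULE | UDP 192.168.24.20:54399->203.0.113.30:53580 on eth0 |
Jul 1 09:44:20 2014 | ACCESS_RULE | UDP 192.168.24.41:54399->203.0.113.10:53580 on eth0 |
Jul 1 09:44:21 2014 | ACCESS_RULE | UDP 192.168.24.41:54399->
"""

# One ACCESS_RULE line: timestamp | event | PROTO src:sport->dst:dport on iface |
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2} \d{4}) \| (?P<event>\w+) \| "
    r"(?P<proto>TCP|UDP|ICMP) (?P<src>[\d.]+):(?P<sport>\d+)->(?P<dst>[\d.]+):(?P<dport>\d+) "
    r"on (?P<iface>\w+) \|$"
)


def parse_line(line):
    """Return a dict of fields for one log line, or None if it does not match the format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    entry = m.groupdict()
    entry["sport"] = int(entry["sport"])
    entry["dport"] = int(entry["dport"])
    return entry


def parse_log(text):
    """Parse every well-formed line, silently dropping truncated or foreign lines."""
    return [e for e in (parse_line(ln) for ln in text.splitlines()) if e is not None]


def hosts_per_destination(entries):
    """Map each destination IP to the sorted list of distinct internal hosts that reached it."""
    hosts = defaultdict(set)
    for e in entries:
        hosts[e["dst"]].add(e["src"])
    return {dst: sorted(srcs) for dst, srcs in hosts.items()}


def shared_source_ports(entries):
    """(proto, source port) pairs used by more than one internal host, with those hosts."""
    by_port = defaultdict(set)
    for e in entries:
        by_port[(e["proto"], e["sport"])].add(e["src"])
    return {k: sorted(v) for k, v in by_port.items() if len(v) > 1}
```

Run `hosts_per_destination(parse_log(text))` over a full export to see which external IPs many LAN hosts contact, and `shared_source_ports` to see which source ports repeat across hosts.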