SFW2-INext-DROP-DEFLT filling up dmesg, firewall logs

I’m on SUSE 11.1, and getting a lot of this message in dmesg.

SFW2-INext-DROP-DEFLT IN=wlan0 OUT= MAC=00:12:79:3e:c3:a5:00:0d:72:3e:0d:21:08:00 SRC=172.16.0.1 DST=172.16.1.34 LEN=48 TOS=0x00 PREC=0x00 TTL=255 ID=16134 DF PROTO=TCP SPT=62116 DPT=80 WINDOW=32768 RES=0x00 SYN URGP=0 OPT (020405B403030001)
SFW2-INext-DROP-DEFLT IN=wlan0 OUT= MAC=00:12:79:3e:c3:a5:00:0d:72:3e:0d:21:08:00 SRC=172.16.0.1 DST=172.16.1.34 LEN=48 TOS=0x00 PREC=0x00 TTL=255 ID=16135 DF PROTO=TCP SPT=62116 DPT=80 WINDOW=32768 RES=0x00 SYN URGP=0 OPT (020405B403030001)
SFW2-INext-DROP-DEFLT IN=wlan0 OUT= MAC=00:12:79:3e:c3:a5:00:0d:72:3e:0d:21:08:00 SRC=172.16.0.1 DST=172.16.1.34 LEN=48 TOS=0x00 PREC=0x00 TTL=255 ID=16136 DF PROTO=TCP SPT=62118 DPT=80 WINDOW=32768 RES=0x00 SYN URGP=0 OPT (020405B403030001)

My wireless connection to the internet on wlan0 is working fine. The ‘SRC=172.16.0.1’ IP is my homeportal/DSL router/wireless router, and ‘DST=172.16.1.34’ is my current IP. I looked for more information in my logs, but /var/log/messages didn’t have much, and there is no /var/log/syslog. However, /var/log/firewall has the same lines.

Jan 18 11:19:02 dexter kernel: SFW2-INext-DROP-DEFLT IN=wlan0 OUT= MAC=00:12:79:3e:c3:a5:00:0d:72:3e:0d:21:08:00 SRC=172.16.0.1 DST=172.16.1.34 LEN=48 TOS=0x00 PREC=0x00 TTL=255 ID=31108 DF PROTO=TCP SPT=53014 DPT=80 WINDOW=32768 RES=0x00 SYN URGP=0 OPT (020405B403030001)
Jan 18 11:20:19 dexter kernel: SFW2-INext-DROP-DEFLT IN=wlan0 OUT= MAC=00:12:79:3e:c3:a5:00:0d:72:3e:0d:21:08:00 SRC=172.16.0.1 DST=172.16.1.34 LEN=48 TOS=0x00 PREC=0x00 TTL=255 ID=23306 DF PROTO=TCP SPT=53017 DPT=80 WINDOW=32768 RES=0x00 SYN URGP=0 OPT (020405B403030001)
Jan 18 11:20:21 dexter kernel: SFW2-INext-DROP-DEFLT IN=wlan0 OUT= MAC=00:12:79:3e:c3:a5:00:0d:72:3e:0d:21:08:00 SRC=172.16.0.1 DST=172.16.1.34 LEN=48 TOS=0x00 PREC=0x00 TTL=255 ID=23307 DF PROTO=TCP SPT=53017 DPT=80 WINDOW=32768 RES=0x00 SYN URGP=0 OPT (020405B403030001)
Jan 18 11:20:24 dexter kernel: SFW2-INext-DROP-DEFLT IN=wlan0 OUT= MAC=00:12:79:3e:c3:a5:00:0d:72:3e:0d:21:08:00 SRC=172.16.0.1 DST=172.16.1.34 LEN=48 TOS=0x00 PREC=0x00 TTL=255 ID=23308 DF PROTO=TCP SPT=53017 DPT=80 WINDOW=32768 RES=0x00 SYN URGP=0 OPT (020405B403030001)
Jan 18 11:20:30 dexter kernel: SFW2-INext-DROP-DEFLT IN=wlan0 OUT= MAC=00:12:79:3e:c3:a5:00:0d:72:3e:0d:21:08:00 SRC=172.16.0.1 DST=172.16.1.34 LEN=48 TOS=0x00 PREC=0x00 TTL=255 ID=26306 DF PROTO=TCP SPT=53017 DPT=80 WINDOW=32768 RES=0x00 SYN URGP=0 OPT (020405B403030001)
Jan 18 11:20:42 dexter kernel: SFW2-INext-DROP-DEFLT IN=wlan0 OUT= MAC=00:12:79:3e:c3:a5:00:0d:72:3e:0d:21:08:00 SRC=172.16.0.1 DST=172.16.1.34 LEN=48 TOS=0x00 PREC=0x00 TTL=255 ID=26307 DF PROTO=TCP SPT=53017 DPT=80 WINDOW=32768 RES=0x00 SYN URGP=0 OPT (020405B403030001)
Jan 18 11:21:07 dexter kernel: SFW2-INext-DROP-DEFLT IN=wlan0 OUT= MAC=00:12:79:3e:c3:a5:00:0d:72:3e:0d:21:08:00 SRC=172.16.0.1 DST=172.16.1.34 LEN=48 TOS=0x00 PREC=0x00 TTL=255 ID=26308 DF PROTO=TCP SPT=53017 DPT=80 WINDOW=32768 RES=0x00 SYN URGP=0 OPT (020405B403030001)

It looks like the router is pounding the firewall every few seconds?!

That’s weird. Do you forward port 80 on your router to your system? Then somebody from the internet tries to get to your system and expects a web server up and running. I suggest checking all forwarding rules on your router carefully.

I’m not precisely forwarding that port, but…port 80 is associated with ‘http’ service normally, correct? Well, http is one of the types of traffic allowed outbound in the router’s firewall configuration:

Inbound and Outbound Control
Checking the box allows the associated traffic type through the firewall.
Outbound
HTTP
HTTPS
FTP
Telnet
SMTP
DNS
POP3
IMAP
NNTP
IRC
H323
All Other Protocols

Inbound
Remote Management

…and all that is allowed. :confused: Seems like a lot of excess holes; the only thing unchecked is “NetBIOS”! This is just a small home LAN–web browsing, sharing files/folders and a printer, media center. Have to go over the whole network and see what’s needed, I suppose.

After unchecking Outbound HTTP and HTTPS–and most of the rest of the stuff–in the router’s firewall configuration, I was unable to surf the web. Moreover, SUSE’s firewall log still filled with similar messages.

After a year of this post, I realise that I have the same **** on my dmesg.
But it wasn’t always there.

Did you solve this thing?

Could it possibly be related to a Linksys AP?
As silentstone says, there is nothing weird on the configuration.
Just a normal internet sharing service.

Now that I have to constantly look at dmesg, it’s getting annoying.

Same thing occurring with a raid server that is openSUSE 11.1. I have two Windows XP sp3 users who save backups there, using samba, and my openSUSE 12.2 system that I nfs to the various partitions. All of them are identified by IP in the message, yet there does not seem to be any fail to function. The firewall setup has not changed, and the 11.1 server has, obviously, had no updates since before the messages started, about mid year.

On 12/30/2012 10:06 AM, johnlb2002 wrote:
>
> Same thing occurring with a raid server that is openSUSE 11.1. I have
> two Windows XP sp3 users who save backups there, using samba, and my
> openSUSE 12.2 system that I nfs to the various partitions. All of them
> are identified by IP in the message, yet there does not seem to be any
> fail to function. The firewall setup has not changed, and the 11.1
> server has, obviously, had no updates since before the messages started,
> about mid year.

I read the forum through NNTP, and I do not have access to anything other than
these two posts, thus I have no idea what the drop messages say. Are they UDP or
IP? What source and destination ports? This is yet another reason NOT to
piggyback on someone else’s thread.

Once we know the messages are benign, we can get rid of them with a sledgehammer
approach and turn off the firewall, or we can tune the firewall to stop them
from logging.
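
The last reply asks what the drop messages contain (protocol, source and destination ports) before deciding whether they are benign. As an added example, not code from the thread or from SuSEfirewall2, this Python script parses SFW2 kernel log lines, groups them per flow, and flags flows whose packets arrive at strictly growing intervals; the function names, the sample (rebuilt from the /var/log/firewall excerpt in the first post) and the growing-gap heuristic are assumptions made for illustration.

```python
import re
from datetime import datetime

# Sample rebuilt from the thread's log excerpt; only time, IP ID and source port vary.
TEMPLATE = ("Jan 18 {t} dexter kernel: SFW2-INext-DROP-DEFLT IN=wlan0 OUT= "
            "MAC=00:12:79:3e:c3:a5:00:0d:72:3e:0d:21:08:00 SRC=172.16.0.1 "
            "DST=172.16.1.34 LEN=48 TOS=0x00 PREC=0x00 TTL=255 ID={i} DF PROTO=TCP "
            "SPT={s} DPT=80 WINDOW=32768 RES=0x00 SYN URGP=0 OPT (020405B403030001)")
SAMPLE = [TEMPLATE.format(t=t, i=i, s=s) for t, i, s in [
    ("11:19:02", 31108, 53014), ("11:20:19", 23306, 53017), ("11:20:21", 23307, 53017),
    ("11:20:24", 23308, 53017), ("11:20:30", 26306, 53017), ("11:20:42", 26307, 53017),
    ("11:21:07", 26308, 53017)]]

LINE_RE = re.compile(r"^(\w{3}\s+\d+ [\d:]+) \S+ kernel: (SFW2-\S+) (.*)$")
TCP_FLAGS = {"CWR", "ECE", "URG", "ACK", "PSH", "RST", "SYN", "FIN"}

def parse(line):
    """Return the fields of one SFW2 kernel log line, or None (syslog has no year; one is assumed)."""
    m = LINE_RE.match(line)
    if not m:
        return None
    when = datetime.strptime("2000 " + m.group(1), "%Y %b %d %H:%M:%S")
    rec = {"time": when, "rule": m.group(2), "flags": []}
    for tok in m.group(3).split():
        key, sep, val = tok.partition("=")
        if sep:
            rec[key] = val            # KEY=value pairs: SRC, DST, PROTO, SPT, DPT...
        elif tok in TCP_FLAGS:
            rec["flags"].append(tok)  # bare tokens such as SYN or ACK
    return rec

def is_backoff(gaps):
    """Heuristic: strictly growing gaps look like one sender retrying the same packet."""
    return len(gaps) >= 3 and all(b > a for a, b in zip(gaps, gaps[1:]))

def summarize(lines):
    """Group drops per flow and report count, gaps in seconds, and the backoff flag."""
    flows = {}
    for rec in filter(None, map(parse, lines)):
        key = tuple(rec.get(k) for k in ("PROTO", "SRC", "SPT", "DST", "DPT"))
        flows.setdefault(key + ("/".join(rec["flags"]),), []).append(rec["time"])
    report = {}
    for key, times in flows.items():
        gaps = [int((b - a).total_seconds()) for a, b in zip(times, times[1:])]
        report[key] = {"count": len(times), "gaps": gaps, "backoff": is_backoff(gaps)}
    return report

if __name__ == "__main__":
    print(summarize(SAMPLE))
```

On the thread's excerpt, the six drops from source port 53017 arrive 2, 3, 6, 12 and 25 seconds apart, which is consistent with one TCP connection attempt to port 80 being retransmitted rather than a stream of new connections.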