I have a Zyxel Prestige ADSL router which does my NAT and is also a firewall.
I'm fairly happy that I have the firewall set up correctly, however I'd like to be able to interpret what I'm seeing in the router logs.
For example, over the past few minutes I have seen lines like the following, and for some of them I don't really understand what's talking to what.
Aug 10 12:30:31 zyxel RAS: src="192.168.13.3:137" dst="192.168.13.255:137" msg="Firewall default policy: UDP (L to L/PRESTIGE)" note="ACCESS FORWARD" devID="D9C103" cat="Access Control"
OK, this is a Win2k computer on my LAN talking to the ISDN router; I can understand this. (The ISDN router is there for historical reasons; it's not used at the moment.)
Aug 10 12:31:16 zyxel RAS: src="192.168.13.44" dst="224.0.0.251" msg="Firewall default policy: IGMP (L to L/PRESTIGE)" note="ACCESS FORWARD" devID="D9C103" cat="Access Control"
This is from a networked HP 7310 printer, but I don't understand the dst address: where does 224.0.0.251 come from? It has no relation to my 192.168.13.xx subnet.
Aug 10 12:31:16 zyxel RAS: src="192.168.13.44" dst="224.0.1.60" msg="Firewall default policy: IGMP (L to L/PRESTIGE)" note="ACCESS FORWARD" devID="D9C103" cat="Access Control"
This (again from the printer) always appears immediately after the other printer one. Another 224.0.x.x destination.
Aug 10 12:33:34 zyxel RAS: src="61.55.188.229:3381" dst="84.51.144.229:1433" msg="Firewall default policy: TCP (W to W/PRESTIGE)" note="ACCESS FORWARD" devID="D9C103" cat="Access Control"
Now this I don't follow: it's from the 'outside' to the Zyxel router (I have the static IP 84.51.144.229 from my ISP). Is this a probe of some sort? The port numbers seem rather odd. Should the router be telling me what it's doing with this, e.g. is it blocked/refused?
Aug 10 12:34:26 zyxel RAS: src="82.76.43.200:1627" dst="84.51.144.229:1433" msg="Firewall default policy: TCP (W to W/PRESTIGE)" note="ACCESS FORWARD" devID="D9C103" cat="Access Control"
Another similar one.
Aug 10 12:34:54 zyxel RAS: src="192.168.13.1:32978" dst="200.23.51.205:123" msg="Firewall default policy: UDP (L to W)" note="ACCESS FORWARD" devID="D9C103" cat="Access Control"
This is my Linux box talking to cronos.cenam.mx; by the sound of the name, it's probably asking what the time is, using NTP. Yes, that's it: 123 is the NTP protocol, so I'm happy with this one.
Aug 10 12:34:59 zyxel RAS: src="218.94.232.240:2611" dst="84.51.144.229:1433" msg="Firewall default policy: TCP (W to W/PRESTIGE)" note="ACCESS FORWARD" devID="D9C103" cat="Access Control"
Another one to port 1433, which turns out to be "#Microsoft-SQL-Server". What on earth does this suggest?
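The following is an added example, not part of the original post or of Zyxel's software. It parses the key="value" syslog lines quoted above (copied from the post as the sample input), splits the zone information out of the msg= field, and labels each record in the way the post is trying to do by hand: multicast destinations (224.0.0.0/4, checked with the standard library's ipaddress module), Internet-to-router hits on the WAN address, LAN-to-Internet traffic, and LAN-local traffic. The names for 224.0.0.251 (mDNS), 224.0.1.60 (hp-device-disc) and ports 123/137/1433 come from the IANA registries; the /24 LAN mask used to recognise the 192.168.13.255 broadcast is an assumption, as is the small lookup table. It also counts how many distinct Internet sources hit each port on the router, which is the quickest way to tell a scattered scan from a single persistent peer.

```python
import ipaddress
import re
from collections import defaultdict

# Sample input: the seven log lines quoted in the post above.
SAMPLE_LOG = """\
Aug 10 12:30:31 zyxel RAS: src="192.168.13.3:137" dst="192.168.13.255:137" msg="Firewall default policy: UDP (L to L/PRESTIGE)" note="ACCESS FORWARD" devID="D9C103" cat="Access Control"
Aug 10 12:31:16 zyxel RAS: src="192.168.13.44" dst="224.0.0.251" msg="Firewall default policy: IGMP (L to L/PRESTIGE)" note="ACCESS FORWARD" devID="D9C103" cat="Access Control"
Aug 10 12:31:16 zyxel RAS: src="192.168.13.44" dst="224.0.1.60" msg="Firewall default policy: IGMP (L to L/PRESTIGE)" note="ACCESS FORWARD" devID="D9C103" cat="Access Control"
Aug 10 12:33:34 zyxel RAS: src="61.55.188.229:3381" dst="84.51.144.229:1433" msg="Firewall default policy: TCP (W to W/PRESTIGE)" note="ACCESS FORWARD" devID="D9C103" cat="Access Control"
Aug 10 12:34:26 zyxel RAS: src="82.76.43.200:1627" dst="84.51.144.229:1433" msg="Firewall default policy: TCP (W to W/PRESTIGE)" note="ACCESS FORWARD" devID="D9C103" cat="Access Control"
Aug 10 12:34:54 zyxel RAS: src="192.168.13.1:32978" dst="200.23.51.205:123" msg="Firewall default policy: UDP (L to W)" note="ACCESS FORWARD" devID="D9C103" cat="Access Control"
Aug 10 12:34:59 zyxel RAS: src="218.94.232.240:2611" dst="84.51.144.229:1433" msg="Firewall default policy: TCP (W to W/PRESTIGE)" note="ACCESS FORWARD" devID="D9C103" cat="Access Control"
"""

KV_RE = re.compile(r'(\w+)="([^"]*)"')
# msg="Firewall default policy: <proto> (<from zone> to <to zone>[/<interface>])"
MSG_RE = re.compile(r'Firewall default policy: (\w+) \((\w+) to (\w+)(?:/(\w+))?\)')

# Assumption: the LAN is a /24, so 192.168.13.255 is its broadcast address.
LAN = ipaddress.ip_network("192.168.13.0/24")

# Small lookup tables built from the IANA multicast and port registries (assumption:
# these are the only entries needed for the lines in the post).
MULTICAST_NAMES = {
    "224.0.0.251": "mDNS, multicast DNS",
    "224.0.1.60": "hp-device-disc, HP device discovery",
}
PORT_NAMES = {123: "ntp", 137: "netbios-ns", 1433: "ms-sql-s"}


def split_endpoint(value):
    """'1.2.3.4:137' -> ('1.2.3.4', 137); a bare address (IGMP has no port) -> (addr, None)."""
    host, sep, port = value.rpartition(":")
    if sep and port.isdigit():
        return host, int(port)
    return value, None


def parse_line(line):
    """Parse one Zyxel 'RAS:' firewall line into a dict, or None if it is not one."""
    fields = dict(KV_RE.findall(line))
    if not {"src", "dst", "msg"} <= fields.keys():
        return None
    m = MSG_RE.search(fields["msg"])
    if m is None:
        return None
    src_ip, src_port = split_endpoint(fields["src"])
    dst_ip, dst_port = split_endpoint(fields["dst"])
    return {
        "time": line[:15],            # syslog timestamp, e.g. 'Aug 10 12:30:31'
        "proto": m.group(1),
        "src_zone": m.group(2),       # L = LAN side, W = WAN side
        "dst_zone": m.group(3),
        "src_ip": src_ip, "src_port": src_port,
        "dst_ip": dst_ip, "dst_port": dst_port,
        "action": fields.get("note", ""),   # what the firewall says it did, e.g. ACCESS FORWARD
    }


def classify(rec):
    """Turn a parsed record into the one-line explanation the post works out by hand."""
    dst = ipaddress.ip_address(rec["dst_ip"])
    port = rec["dst_port"]
    svc = PORT_NAMES.get(port, "unknown service")
    if dst.is_multicast:
        name = MULTICAST_NAMES.get(rec["dst_ip"], "unregistered multicast group")
        return f"LAN multicast to {rec['dst_ip']} ({name}), not a host on the subnet"
    if rec["src_zone"] == "W" and rec["dst_zone"] == "W":
        return f"Internet -> router WAN address, port {port} ({svc}), action {rec['action']}"
    if rec["src_zone"] == "L" and rec["dst_zone"] == "W":
        return f"LAN -> Internet, port {port} ({svc})"
    if dst == LAN.broadcast_address:
        return f"LAN broadcast, port {port} ({svc})"
    return f"LAN -> LAN, port {port} ({svc})"


def summarize(log_text):
    """Return (labelled records, {router port: sorted distinct Internet sources})."""
    inbound = defaultdict(set)
    labels = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        labels.append((rec["time"], rec["src_ip"], classify(rec)))
        if rec["src_zone"] == "W" and rec["dst_zone"] == "W":
            inbound[rec["dst_port"]].add(rec["src_ip"])
    return labels, {port: sorted(srcs) for port, srcs in inbound.items()}


if __name__ == "__main__":
    labels, inbound = summarize(SAMPLE_LOG)
    for when, src, label in labels:
        print(f"{when}  {src:>16}  {label}")
    for port, srcs in sorted(inbound.items()):
        print(f"port {port}: {len(srcs)} distinct Internet sources: {', '.join(srcs)}")
```

Feed the script a longer stretch of the router's syslog and the per-port table is the thing to watch: many unrelated source addresses hitting the same port on the WAN address within minutes is the pattern of an Internet-wide scan for that service, whereas one address returning repeatedly is worth looking up on its own. The action the firewall logged is carried in the note= field and is printed alongside the inbound hits.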