
Since I reinstalled my OS, I'm getting lots of UDP_IN Blocked errors in my messages log. Can anyone kindly explain what the error says exactly and what I can do to get rid of it?

Aug  8 22:02:19 server kernel: Firewall: *UDP_IN Blocked* IN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:f6:f3:49:7e:0a:54:08:00 SRC=178.162.xxx.xx DST=178.162.xxx.xxx LEN=131 TOS=0x00 PREC=0x00 TTL=128 ID=11061 PROTO=UDP SPT=17500 DPT=17500 LEN=111
Aug  8 22:02:22 server kernel: Firewall: *UDP_IN Blocked* IN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:ba:08:45:88:fc:a1:08:00 SRC=192.168.x.xx DST=255.255.255.255 LEN=68 TOS=0x00 PREC=0x00 TTL=128 ID=13132 PROTO=UDP SPT=58878 DPT=1947 LEN=48
Aug  8 22:02:49 server kernel: Firewall: *UDP_IN Blocked* IN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:f6:f3:49:7e:0a:54:08:00 SRC=178.162.xxx.xx DST=255.255.255.255 LEN=131 TOS=0x00 PREC=0x00 TTL=128 ID=12046 PROTO=UDP SPT=17500 DPT=17500 LEN=111
Aug  8 22:02:49 server kernel: Firewall: *UDP_IN Blocked* IN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:f6:f3:49:7e:0a:54:08:00 SRC=178.162.xxx.xx DST=178.162.xxx.xxx LEN=131 TOS=0x00 PREC=0x00 TTL=128 ID=12047 PROTO=UDP SPT=17500 DPT=17500 LEN=111
Aug  8 22:03:01 server kernel: Firewall: *UDP_IN Blocked* IN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:ba:08:45:88:fc:a1:08:00 SRC=192.168.x.xx DST=255.255.255.255 LEN=68 TOS=0x00 PREC=0x00 TTL=128 ID=13134 PROTO=UDP SPT=58878 DPT=1947 LEN=48
Aug  8 22:03:12 server kernel: Firewall: *UDP_IN Blocked* IN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:62:83:46:e6:0d:15:08:00 SRC=178.162.xxx.xxx DST=255.255.255.255 LEN=115 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=5678 DPT=5678 LEN=95
Aug  8 22:03:19 server kernel: Firewall: *UDP_IN Blocked* IN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:f6:f3:49:7e:0a:54:08:00 SRC=178.162.xxx.xx DST=255.255.255.255 LEN=131 TOS=0x00 PREC=0x00 TTL=128 ID=13070 PROTO=UDP SPT=17500 DPT=17500 LEN=111
Aug  8 22:03:19 server kernel: Firewall: *UDP_IN Blocked* IN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:f6:f3:49:7e:0a:54:08:00 SRC=178.162.xxx.xx DST=178.162.xxx.xxx LEN=131 TOS=0x00 PREC=0x00 TTL=128 ID=13071 PROTO=UDP SPT=17500 DPT=17500 LEN=111
Aug  8 22:03:39 server kernel: Firewall: *UDP_IN Blocked* IN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:ba:08:45:88:fc:a1:08:00 SRC=192.168.x.xx DST=255.255.255.255 LEN=68 TOS=0x00 PREC=0x00 TTL=128 ID=13136 PROTO=UDP SPT=58878 DPT=1947 LEN=48

Issuing `iptables-save` yields the following:

# Generated by iptables-save v1.4.7 on Fri Aug  8 16:42:05 2014
*mangle
:PREROUTING ACCEPT [158298:41039552]
:INPUT ACCEPT [131187:38557000]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [79668:17293129]
:POSTROUTING ACCEPT [79637:17291305]
COMMIT
# Completed on Fri Aug  8 16:42:05 2014
# Generated by iptables-save v1.4.7 on Fri Aug  8 16:42:05 2014
*nat
:PREROUTING ACCEPT [93313:9541674]
:POSTROUTING ACCEPT [896:63899]
:OUTPUT ACCEPT [896:63899]
COMMIT
# Completed on Fri Aug  8 16:42:05 2014
# Generated by iptables-save v1.4.7 on Fri Aug  8 16:42:05 2014
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
:ALLOWIN - [0:0]
:ALLOWOUT - [0:0]
:CONNLIMIT - [0:0]
:DENYIN - [0:0]
:DENYOUT - [0:0]
:INVALID - [0:0]
:INVDROP - [0:0]
:LOCALINPUT - [0:0]
:LOCALOUTPUT - [0:0]
:LOGDROPIN - [0:0]
:LOGDROPOUT - [0:0]
:PORTFLOOD - [0:0]
-A INPUT -s 8.8.4.4/32 ! -i lo -p tcp -m tcp --dport 53 -j ACCEPT 
-A INPUT -s 8.8.4.4/32 ! -i lo -p udp -m udp --dport 53 -j ACCEPT 
-A INPUT -s 8.8.4.4/32 ! -i lo -p tcp -m tcp --sport 53 -j ACCEPT 
-A INPUT -s 8.8.4.4/32 ! -i lo -p udp -m udp --sport 53 -j ACCEPT 
-A INPUT -s 4.2.2.4/32 ! -i lo -p tcp -m tcp --dport 53 -j ACCEPT 
-A INPUT -s 4.2.2.4/32 ! -i lo -p udp -m udp --dport 53 -j ACCEPT 
-A INPUT -s 4.2.2.4/32 ! -i lo -p tcp -m tcp --sport 53 -j ACCEPT 
-A INPUT -s 4.2.2.4/32 ! -i lo -p udp -m udp --sport 53 -j ACCEPT 
-A INPUT ! -i lo -j LOCALINPUT 
-A INPUT -i lo -j ACCEPT 
-A INPUT ! -i lo -p tcp -j INVALID 
-A INPUT ! -i lo -p tcp -m tcp --dport 22 -m state --state NEW -m recent --set --name 22 --rsource 
-A INPUT ! -i lo -p tcp -m tcp --dport 22 -m state --state NEW -m recent --update --seconds 250 --hitcount 2 --name 22 --rsource -j PORTFLOOD 
-A INPUT ! -i lo -p tcp -m tcp --dport 22 --tcp-flags FIN,SYN,RST,ACK SYN -m connlimit --connlimit-above 2 --connlimit-mask 32 -j CONNLIMIT 
-A INPUT ! -i lo -m state --state RELATED,ESTABLISHED -j ACCEPT 
-A INPUT ! -i lo -p tcp -m state --state NEW -m tcp --dport 20 -j ACCEPT 
-A INPUT ! -i lo -p tcp -m state --state NEW -m tcp --dport 21 -j ACCEPT 
-A INPUT ! -i lo -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT 
-A INPUT ! -i lo -p tcp -m state --state NEW -m tcp --dport 25 -j ACCEPT 
-A INPUT ! -i lo -p tcp -m state --state NEW -m tcp --dport 53 -j ACCEPT 
-A INPUT ! -i lo -p tcp -m state --state NEW -m tcp --dport 80 -j ACCEPT 
-A INPUT ! -i lo -p tcp -m state --state NEW -m tcp --dport 110 -j ACCEPT 
-A INPUT ! -i lo -p tcp -m state --state NEW -m tcp --dport 443 -j ACCEPT 
-A INPUT ! -i lo -p tcp -m state --state NEW -m tcp --dport 587 -j ACCEPT 
-A INPUT ! -i lo -p tcp -m state --state NEW -m tcp --dport 995 -j ACCEPT 
-A INPUT ! -i lo -p tcp -m state --state NEW -m tcp --dport 2222 -j ACCEPT 
-A INPUT ! -i lo -p tcp -m state --state NEW -m tcp --dport 46734 -j ACCEPT 
-A INPUT ! -i lo -p udp -m state --state NEW -m udp --dport 20 -j ACCEPT 
-A INPUT ! -i lo -p udp -m state --state NEW -m udp --dport 21 -j ACCEPT 
-A INPUT ! -i lo -p udp -m state --state NEW -m udp --dport 53 -j ACCEPT 
-A INPUT ! -i lo -p icmp -m icmp --icmp-type 8 -m limit --limit 1/sec -j ACCEPT 
-A INPUT ! -i lo -p icmp -m icmp --icmp-type 0 -m limit --limit 1/sec -j ACCEPT 
-A INPUT ! -i lo -p icmp -m icmp --icmp-type 11 -j ACCEPT 
-A INPUT ! -i lo -p icmp -m icmp --icmp-type 3 -j ACCEPT 
-A INPUT ! -i lo -j LOGDROPIN 
-A OUTPUT -d 8.8.4.4/32 ! -o lo -p tcp -m tcp --dport 53 -j ACCEPT 
-A OUTPUT -d 8.8.4.4/32 ! -o lo -p udp -m udp --dport 53 -j ACCEPT 
-A OUTPUT -d 8.8.4.4/32 ! -o lo -p tcp -m tcp --sport 53 -j ACCEPT 
-A OUTPUT -d 8.8.4.4/32 ! -o lo -p udp -m udp --sport 53 -j ACCEPT 
-A OUTPUT -d 4.2.2.4/32 ! -o lo -p tcp -m tcp --dport 53 -j ACCEPT 
-A OUTPUT -d 4.2.2.4/32 ! -o lo -p udp -m udp --dport 53 -j ACCEPT 
-A OUTPUT -d 4.2.2.4/32 ! -o lo -p tcp -m tcp --sport 53 -j ACCEPT 
-A OUTPUT -d 4.2.2.4/32 ! -o lo -p udp -m udp --sport 53 -j ACCEPT 
-A OUTPUT ! -o lo -j LOCALOUTPUT 
-A OUTPUT ! -o lo -p tcp -m tcp --dport 53 -j ACCEPT 
-A OUTPUT ! -o lo -p udp -m udp --dport 53 -j ACCEPT 
-A OUTPUT ! -o lo -p tcp -m tcp --sport 53 -j ACCEPT 
-A OUTPUT ! -o lo -p udp -m udp --sport 53 -j ACCEPT 
-A OUTPUT -o lo -j ACCEPT 
-A OUTPUT ! -o lo -p tcp -j INVALID 
-A OUTPUT ! -o lo -m state --state RELATED,ESTABLISHED -j ACCEPT 
-A OUTPUT ! -o lo -p tcp -m state --state NEW -m tcp --dport 20 -j ACCEPT 
-A OUTPUT ! -o lo -p tcp -m state --state NEW -m tcp --dport 21 -j ACCEPT 
-A OUTPUT ! -o lo -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT 
-A OUTPUT ! -o lo -p tcp -m state --state NEW -m tcp --dport 25 -j ACCEPT 
-A OUTPUT ! -o lo -p tcp -m state --state NEW -m tcp --dport 53 -j ACCEPT 
-A OUTPUT ! -o lo -p tcp -m state --state NEW -m tcp --dport 80 -j ACCEPT 
-A OUTPUT ! -o lo -p tcp -m state --state NEW -m tcp --dport 110 -j ACCEPT 
-A OUTPUT ! -o lo -p tcp -m state --state NEW -m tcp --dport 113 -j ACCEPT 
-A OUTPUT ! -o lo -p tcp -m state --state NEW -m tcp --dport 443 -j ACCEPT 
-A OUTPUT ! -o lo -p tcp -m state --state NEW -m tcp --dport 2222 -j ACCEPT 
-A OUTPUT ! -o lo -p tcp -m state --state NEW -m tcp --dport 46734 -j ACCEPT 
-A OUTPUT ! -o lo -p udp -m state --state NEW -m udp --dport 20 -j ACCEPT 
-A OUTPUT ! -o lo -p udp -m state --state NEW -m udp --dport 21 -j ACCEPT 
-A OUTPUT ! -o lo -p udp -m state --state NEW -m udp --dport 53 -j ACCEPT 
-A OUTPUT ! -o lo -p udp -m state --state NEW -m udp --dport 113 -j ACCEPT 
-A OUTPUT ! -o lo -p udp -m state --state NEW -m udp --dport 123 -j ACCEPT 
-A OUTPUT ! -o lo -p icmp -m icmp --icmp-type 0 -j ACCEPT 
-A OUTPUT ! -o lo -p icmp -m icmp --icmp-type 8 -j ACCEPT 
-A OUTPUT ! -o lo -p icmp -m icmp --icmp-type 11 -j ACCEPT 
-A OUTPUT ! -o lo -p icmp -m icmp --icmp-type 3 -j ACCEPT 
-A OUTPUT ! -o lo -j LOGDROPOUT 
-A ALLOWIN -s 37.254.xxx.xxx/32 ! -i lo -j ACCEPT 
-A ALLOWOUT -d 37.254.xxx.xxx/32 ! -o lo -j ACCEPT 
-A CONNLIMIT -p tcp -j REJECT --reject-with tcp-reset 
-A DENYIN -s 97.77.xxx.xxx/32 ! -i lo -j DROP 
-A DENYOUT -d 97.77.xxx.xxx/32 ! -o lo -j LOGDROPOUT 
-A INVALID -m state --state INVALID -j INVDROP 
-A INVALID -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -j INVDROP 
-A INVALID -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,SYN,RST,PSH,ACK,URG -j INVDROP 
-A INVALID -p tcp -m tcp --tcp-flags FIN,SYN FIN,SYN -j INVDROP 
-A INVALID -p tcp -m tcp --tcp-flags SYN,RST SYN,RST -j INVDROP 
-A INVALID -p tcp -m tcp --tcp-flags FIN,RST FIN,RST -j INVDROP 
-A INVALID -p tcp -m tcp --tcp-flags FIN,ACK FIN -j INVDROP 
-A INVALID -p tcp -m tcp --tcp-flags PSH,ACK PSH -j INVDROP 
-A INVALID -p tcp -m tcp --tcp-flags ACK,URG URG -j INVDROP 
-A INVALID -p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -m state --state NEW -j INVDROP 
-A INVDROP -j DROP 
-A LOCALINPUT ! -i lo -j ALLOWIN 
-A LOCALINPUT ! -i lo -j DENYIN 
-A LOCALOUTPUT ! -o lo -j ALLOWOUT 
-A LOCALOUTPUT ! -o lo -j DENYOUT 
-A LOGDROPIN -p tcp -m tcp --dport 67 -j DROP 
-A LOGDROPIN -p udp -m udp --dport 67 -j DROP 
-A LOGDROPIN -p tcp -m tcp --dport 68 -j DROP 
-A LOGDROPIN -p udp -m udp --dport 68 -j DROP 
-A LOGDROPIN -p tcp -m tcp --dport 111 -j DROP 
-A LOGDROPIN -p udp -m udp --dport 111 -j DROP 
-A LOGDROPIN -p tcp -m tcp --dport 113 -j DROP 
-A LOGDROPIN -p udp -m udp --dport 113 -j DROP 
-A LOGDROPIN -p tcp -m tcp --dport 135:139 -j DROP 
-A LOGDROPIN -p udp -m udp --dport 135:139 -j DROP 
-A LOGDROPIN -p tcp -m tcp --dport 445 -j DROP 
-A LOGDROPIN -p udp -m udp --dport 445 -j DROP 
-A LOGDROPIN -p tcp -m tcp --dport 500 -j DROP 
-A LOGDROPIN -p udp -m udp --dport 500 -j DROP 
-A LOGDROPIN -p tcp -m tcp --dport 513 -j DROP 
-A LOGDROPIN -p udp -m udp --dport 513 -j DROP 
-A LOGDROPIN -p tcp -m tcp --dport 520 -j DROP 
-A LOGDROPIN -p udp -m udp --dport 520 -j DROP 
-A LOGDROPIN -p tcp -m limit --limit 30/min -j LOG --log-prefix "Firewall: *TCP_IN Blocked* " 
-A LOGDROPIN -p udp -m limit --limit 30/min -j LOG --log-prefix "Firewall: *UDP_IN Blocked* " 
-A LOGDROPIN -p icmp -m limit --limit 30/min -j LOG --log-prefix "Firewall: *ICMP_IN Blocked* " 
-A LOGDROPIN -j DROP 
-A LOGDROPOUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m limit --limit 30/min -j LOG --log-prefix "Firewall: *TCP_OUT Blocked* " --log-uid 
-A LOGDROPOUT -p udp -m limit --limit 30/min -j LOG --log-prefix "Firewall: *UDP_OUT Blocked* " --log-uid 
-A LOGDROPOUT -p icmp -m limit --limit 30/min -j LOG --log-prefix "Firewall: *ICMP_OUT Blocked* " --log-uid 
-A LOGDROPOUT -j DROP 
-A PORTFLOOD -m limit --limit 30/min -j LOG --log-prefix "Firewall: *Port Flood* " 
-A PORTFLOOD -j DROP 
COMMIT
# Completed on Fri Aug  8 16:42:05 2014

Since I have used CSF for configuring my firewall, I will attach only the lines I have touched.

TESTING = "0"

TESTING_INTERVAL = "5"

RESTRICT_SYSLOG = "3"

RESTRICT_SYSLOG_GROUP = "mysyslog"

RESTRICT_UI = "1"

AUTO_UPDATES = "1"

TCP_IN = "20,21,22,25,53,80,110,443,587,995,2222,46734"

TCP_OUT = "20,21,22,25,53,80,110,113,443,2222,46734"

UDP_IN = "20,21,53"

UDP_OUT = "20,21,53,113,123"

ICMP_IN = "1"

ICMP_IN_RATE = "1/s"

ICMP_OUT = "1"

ICMP_OUT_RATE = "0"

IPV6 = "1"

IPV6_ICMP_STRICT = "0"

IPV6_SPI = "1"

TCP6_IN = "20,21,22,25,53,80,110,443,587,995,2222"

TCP6_OUT = "20,21,22,25,53,80,110,113,443,2222"

UDP6_IN = "20,21,53"

UDP6_OUT = "20,21,53,113,123"

ETH_DEVICE = ""

ETH6_DEVICE = ""

ETH_DEVICE_SKIP = ""

USE_CONNTRACK = "0"

SYSLOG_CHECK = "600"

IGNORE_ALLOW = "0"

DNS_STRICT = "0"

DNS_STRICT_NS = "0"

DENY_IP_LIMIT = "200"

DENY_TEMP_IP_LIMIT = "100"

LF_DAEMON = "1"

LF_CSF = "1"
kasperd
developer
  • You have a misconfigured firewall. All of the log lines in your question got truncated, so we can't see the port numbers. Without port numbers we cannot say what went wrong. You should also add the actual firewall rules (which you can see with `iptables-save`) to your question. – kasperd Aug 08 '14 at 11:43
  • @kasperd Thanks for replying. I will edit the post with the firewall rules. – developer Aug 08 '14 at 12:24
  • Those rules are overly complicated. What you need is not just an answer to why you are getting those log messages from the firewall, but rather a thorough code review of your rule set. Not sure if such a review is best suited for `serverfault.com` or `codereview.stackexchange.com`. Did you write your rules in a configuration file to be loaded directly through `iptables-restore`, or is your rule set generated through some tool? – kasperd Aug 08 '14 at 12:43
  • No, I have installed CSF, following the tutorial https://www.digitalocean.com/community/tutorials/how-to-install-and-configure-config-server-firewall-csf-on-ubuntu – developer Aug 08 '14 at 12:53
  • Then including your CSF configuration in the question would be useful. That way it may be possible to say if this poor `iptables` rule set is due to a mistake in the CSF configuration file, or if it is due to CSF not being very good at generating `iptables` rules. – kasperd Aug 08 '14 at 12:58
  • Do I need to attach the whole content of csf.conf? – developer Aug 08 '14 at 13:06
  • I don't know CSF, thus I can't say if there are parts of the configuration, which are not relevant to your question. – kasperd Aug 08 '14 at 13:16
  • In the configuration file, you shouldn't open a port both incoming and outgoing over both TCP and UDP, unless you really need all four combinations. But there is other poor structure in the rule set, which I cannot find an explanation for in your configuration file. I'm tempted to say CSF isn't a good tool for generating `iptables` rules. – kasperd Aug 08 '14 at 13:42
  • You mean I should remove, for instance, ports 20,21,53 in UDP6_IN? BTW, do you propose any alternatives for CSF? – developer Aug 08 '14 at 13:48
  • Are you hosting FTP and DNS servers? If not, then you don't need to permit those ports incoming. FTP runs only on TCP, so no need to permit FTP ports over UDP. DNS OTOH uses both TCP and UDP, so if you need DNS, you need to permit 53 over both TCP and UDP. – kasperd Aug 08 '14 at 13:53
  • One noteworthy point is that my hostname is different from the name "server" in the logs. Is that OK? Upon installing the DirectAdmin panel, I changed the hostname, but in the log files the name is still the old one. – developer Aug 08 '14 at 14:14
  • Please note that the destination IP is not mine. What does that mean? – developer Aug 08 '14 at 15:02
  • Most of the packets are broadcast packets. MDNS and DHCP are two of the protocols that might be using broadcast packets. Which protocol it actually is, is impossible to say because you excluded that from the log. – kasperd Aug 08 '14 at 15:38
  • @kasperd I updated the UDP error. The problem was I had not copy/pasted completely. – developer Aug 08 '14 at 17:45

2 Answers

2

You shouldn't run iptables-save since you run CSF and the rules are managed through /etc/csf/csf.conf. The issue is that you don't have port 17500 UDP whitelisted and that's why you're seeing the connections dropped. Those are either infected machines or simply machines running Dropbox (most likely) according to http://www.speedguide.net/port.php?port=17500

The same for the other ports, they're simply not whitelisted so that's why you're seeing them as dropped.

Mugurel
0

Well, I wouldn't say your firewall is misconfigured...

Having DROP as the default policy is always fine; it just means everything which is not explicitly allowed gets dropped. The only problem is the logging here.

I don't know why, but you have LOGDROP rules defined for some ports (e.g. 520), which means that a connection to (LOGDROPIN) or from (LOGDROPOUT) this port gets dropped AND logged, and that's what causes your log-flooding (you can be happy that it is limited to 30 logs/min by your firewall rules). You can just get rid of those entries as the ports specified are already dropped by your default policy.

Make sure that only ports you actually use are being accepted, because from what I'm seeing here, your firewall is open for DNS, mail (110, 995, 587, 25), FTP, SSH, HTTP and HTTPS, and also ports 2222 (could be DirectAdmin) and 46734 (no idea).

So in the right order:

  1. Do an iptables-save > /root/firewall
  2. Open this file (/root/firewall) and get rid of the logdrop entries (with vi or nano etc.)
  3. Do iptables-restore < /root/firewall
  4. iptables-save

I don't know which OS you're on but if you didn't configure these firewall rules yourself you might want to load those firewall settings on every startup.

You gotta give some additional information on this, because the answer I gave you will solve your problem but won't help if there is an external program manipulating your firewall (e.g. a GUI-Software). Interesting information would be:

  • which OS are you using?
  • are you using a special kind of hardware?
  • how did you set up the firewall?
  • for what purpose do you use the machine?
Broco
  • Hi. The OS is centos. No special sort of hardware that I am aware of. I have my firewall configured through the use of CSF. I bought the VPS for hosting some production websites, of course. – developer Aug 08 '14 at 12:58
  • Well you gotta find out which services you really need to use, are you really using a DNS service, mailserver etc.? If not, you have to configure your firewall right. I'm not the biggest fan of these GUI-tools that make everything "easier to manage" because obviously they create a lot of garbage in the background... The logging would be useful for network analysis but your server creates a log entry even if a client computer is scanning the network for samba or nfs shares... Normally for the use of websites you would only need ports 80 and 443 + 22 for ssh and MAYBE ports 20-21 for ftp. – Broco Aug 08 '14 at 13:12
  • Well, I am using DNS service, mailserver as well. – developer Aug 08 '14 at 13:21
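
Added example (not part of the original thread or of CSF): a parser for the kernel LOG lines in the question that splits the MAC field into destination and source addresses, groups blocked packets by destination port, and checks each port against the `UDP_IN` list from the posted csf.conf. The sample lines are copied from the question; the function names are illustrative.

```python
import re
from collections import Counter

UDP_IN = {20, 21, 53}  # UDP_IN from the csf.conf posted in the question

# Four log lines copied from the question (addresses redacted as on the page).
SAMPLE_LOG = """\
Aug  8 22:02:19 server kernel: Firewall: *UDP_IN Blocked* IN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:f6:f3:49:7e:0a:54:08:00 SRC=178.162.xxx.xx DST=178.162.xxx.xxx LEN=131 TOS=0x00 PREC=0x00 TTL=128 ID=11061 PROTO=UDP SPT=17500 DPT=17500 LEN=111
Aug  8 22:02:22 server kernel: Firewall: *UDP_IN Blocked* IN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:ba:08:45:88:fc:a1:08:00 SRC=192.168.x.xx DST=255.255.255.255 LEN=68 TOS=0x00 PREC=0x00 TTL=128 ID=13132 PROTO=UDP SPT=58878 DPT=1947 LEN=48
Aug  8 22:02:49 server kernel: Firewall: *UDP_IN Blocked* IN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:f6:f3:49:7e:0a:54:08:00 SRC=178.162.xxx.xx DST=255.255.255.255 LEN=131 TOS=0x00 PREC=0x00 TTL=128 ID=12046 PROTO=UDP SPT=17500 DPT=17500 LEN=111
Aug  8 22:03:12 server kernel: Firewall: *UDP_IN Blocked* IN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:62:83:46:e6:0d:15:08:00 SRC=178.162.xxx.xxx DST=255.255.255.255 LEN=115 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=5678 DPT=5678 LEN=95
"""

LINE_RE = re.compile(r"Firewall: \*(?P<tag>[A-Z]+_(?:IN|OUT)) Blocked\* (?P<fields>.*)$")


def parse_line(line):
    """Parse one netfilter LOG line; return None for unrelated syslog lines."""
    m = LINE_RE.search(line)
    if not m:
        return None
    kv = {}
    for tok in m.group("fields").split():
        key, sep, val = tok.partition("=")
        if sep:  # bare flags such as DF carry no value and are skipped
            kv.setdefault(key, val)  # LEN appears twice (IP, then UDP); keep the first
    mac = kv.get("MAC", "").split(":")
    # Logged Ethernet header: 6 bytes destination, 6 bytes source, 2 bytes EtherType.
    dst_mac, src_mac = ":".join(mac[:6]), ":".join(mac[6:12])
    return {
        "tag": m.group("tag"),
        "src": kv.get("SRC"),
        "dst": kv.get("DST"),
        "src_mac": src_mac,
        "l2_broadcast": dst_mac == "ff:ff:ff:ff:ff:ff",
        "proto": kv.get("PROTO"),
        "dpt": int(kv["DPT"]) if "DPT" in kv else None,
    }


def summarize(text, allowed_ports=UDP_IN):
    """Group blocked packets by (protocol, destination port, broadcast flag)."""
    counts = Counter()
    for line in text.splitlines():
        rec = parse_line(line)
        if rec:
            counts[(rec["proto"], rec["dpt"], rec["l2_broadcast"])] += 1
    return [
        {"proto": p, "dpt": d, "l2_broadcast": b, "count": n,
         "in_udp_in": d in allowed_ports}
        for (p, d, b), n in counts.most_common()
    ]


if __name__ == "__main__":
    for row in summarize(SAMPLE_LOG):
        print(row)
```

On these four lines every packet carries the Ethernet broadcast destination `ff:ff:ff:ff:ff:ff` and a destination port outside `UDP_IN`, so each one falls through to the LOG rule in `LOGDROPIN`.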