Hi, This traffic is blocked on the external interface of the firewall.
May 17 11:34:56.013614 rule 7/(match) block in on em1: 66.220.151.124.47369 > xxx.yyy.ddd.zzz.53: 58106 NS? . (19) May 17 11:34:56.763086 rule 7/(match) block in on em1: 66.220.151.124.47369 > xxx.yyy.ddd.zzz.53: 58107 NS? . (19) May 17 11:34:57.513318 rule 7/(match) block in on em1: 66.220.151.124.47369 > xxx.yyy.ddd.zzz.53: 58108 NS? . (19) May 17 11:45:37.720155 rule 7/(match) block in on em1: 69.171.243.241 > xxx.yyy.ddd.zzz: icmp: echo request May 17 11:45:39.213492 rule 7/(match) block in on em1: 69.171.243.241.52370 > xxx.yyy.ddd.zzz.53: 33246 NS? . (19) May 17 11:49:39.746886 rule 7/(match) block in on em1: 69.171.228.232 > xxx.yyy.ddd.zzz: icmp: echo request May 17 11:49:41.242588 rule 7/(match) block in on em1: 69.171.228.232.59470 > xxx.yyy.ddd.zzz.53: 33554 NS? . (19) xxx.yyy.ddd.zzz is our firewall IP 66.220.151.124, 69.171.243.241, 69.171.228.232 are IPs from facebook.com domain as ip2location reports. Why should facebook servers access my firewall? They ping my firewall and try to use our internal DNS server DNS server which is not mentioned in any public NS record? I wonder if these machines in the facebook.com domain are infected with some malware bots? Oris it part of their security checks or something? Any body any idea? Thanks Siju