I am running a Unifi UDM Pro with IPS and Geo IP filtering turned on. I am seeing a rather continuous series of entries in the /var/log/messages file if I tail it. The alert body reads ALIEN BLOCK and the inbound connection is ETH=08, my WAN. I am trying to understand what this traffic is, and which facility is actually causing the block – IPS or conventional WAN IN firewall rules. The IP addresses seem to vary routinely, and the destination port (DPT) also varies. This feels like external Internet traffic attempting to hit my WAN IP, but if this is being precipitated by something on the LAN side of my network, I would like to look deeper to see if something on the inside is triggering the external attempts.
Can anyone help identify what this traffic might be, and perhaps suggest what I look at on the LAN side to make sure I have nothing internal as the root cause?
I have attached a brief screenshot of how these messages look in the logs. I truncated a portion of the message showing my WAN IP.