Hi.
I'm configuring a firewall for my company and when I checked the log file,
I discovered some strange connection requests. A small part of the log
follows:
Time / Protocol / Source IP / Source Port / Destination IP / Destination Port
Dec 16 10:52:24 firewall: TCP 200.255.159.33 80 200.239.39.15 1148
Dec 16 11:12:26 firewall: TCP 200.246.5.65 80 200.239.39.15 1158
Dec 16 11:12:27 firewall: TCP 200.246.5.65 80 200.239.39.15 1158
Dec 16 11:13:37 firewall: TCP 200.246.5.65 80 200.239.39.15 1178
Dec 16 11:13:37 firewall: TCP 200.246.5.65 80 200.239.39.15 1178
Dec 16 11:16:11 firewall: TCP 200.18.93.135 80 200.239.39.21 1196
Dec 16 11:16:19 firewall: TCP 200.18.93.135 80 200.239.39.21 1204
Dec 16 11:16:22 firewall: TCP 200.18.93.135 80 200.239.39.21 1203
Dec 16 11:16:23 firewall: TCP 200.18.93.135 80 200.239.39.21 1203
Dec 16 14:04:37 firewall: TCP 206.64.127.43 80 200.239.39.21 1342
Dec 16 14:07:36 firewall: TCP 207.88.210.19 80 200.239.39.21 1348
Dec 16 14:09:01 firewall: TCP 207.88.210.19 80 200.239.39.21 1348
Dec 16 14:10:16 firewall: TCP 207.88.210.19 80 200.239.39.21 1351
Dec 16 14:13:07 firewall: TCP 207.88.210.19 80 200.239.39.21 1351
The firewall has blocked all these connections (and many others like
these).
What I found strange is that all the connections came from port 80, the
httpd port. I have accessed these sites and everything appears to be ok,
even with the firewall blocking the incoming connections.
Does anyboy can explain me why (and under what conditions) the web server
starts a connection to the client ? Is this kind of behavior normal ?
Thanks in advance.
--
Rodrigo de La Rocque Ormonde
e-mail: ormonde @
cnt .
org .
br
PGP Public key: finger ormonde @
cnt .
org .
br
|
|
