Great Circle Associates Firewalls
(December 1996)
 


Subject: Re[2]: Strange log in my Firewall
From: apilosov @ cantor . com
Date: Thu, 19 Dec 96 12:06:02 EST
To: steve . gailey @ nomura . co . uk, ormonde @ trem . cnt . org . br (Rodrigo Ormonde)
Cc: firewalls @ greatcircle . com

     Hmm, might it be that some weird TCP stack does not set ACK in packets 
     where it acknowledges 0 bytes or something like that?
     Try changing the selection criteria from "No ACK" to "SYN"; SYN has to be 
     set on the initial packet...


______________________________ Reply Separator _________________________________
Subject: Re: Strange log in my Firewall
Author:  ormonde @ trem . cnt . org . br (Rodrigo Ormonde) at Internet
Date:    12/19/96 11:47 AM


> Rodrigo,
> 
> This is probably due to dropped connections. The reply packets arrive at the 
> firewall after the connection has terminated, probably at the request of the 
> client (browser).
     
  I don't think so. The firewall is configured to log only the connection
request packets (the ones without the ACK flag set). If they were just reply 
packets they wouldn't be logged. They must be incoming connections.
     
> If you log connection initiation from inside your domain you should be able to
> match up the log entries below with the corresponding outgoing connections 
> earlier in the log.
> 
> Steve
> 
> >   Hi.
> > 
> >   I'm configuring a firewall for my company and when I checked the log file,
> > I discovered some strange connection requests. A small part of the log
> > follows:
> > 
> > Time / Protocol / Source IP / Source Port / Destination IP / Destination Port
> > 
> > Dec 16 10:52:24 firewall: TCP 200.255.159.33 80 200.239.39.15 1148 
> > Dec 16 11:12:26 firewall: TCP 200.246.5.65 80 200.239.39.15 1158
> > Dec 16 11:12:27 firewall: TCP 200.246.5.65 80 200.239.39.15 1158 
> > Dec 16 11:13:37 firewall: TCP 200.246.5.65 80 200.239.39.15 1178 
> > Dec 16 11:13:37 firewall: TCP 200.246.5.65 80 200.239.39.15 1178 
> > Dec 16 11:16:11 firewall: TCP 200.18.93.135 80 200.239.39.21 1196 
> > Dec 16 11:16:19 firewall: TCP 200.18.93.135 80 200.239.39.21 1204 
> > Dec 16 11:16:22 firewall: TCP 200.18.93.135 80 200.239.39.21 1203 
> > Dec 16 11:16:23 firewall: TCP 200.18.93.135 80 200.239.39.21 1203 
> > Dec 16 14:04:37 firewall: TCP 206.64.127.43 80 200.239.39.21 1342 
> > Dec 16 14:07:36 firewall: TCP 207.88.210.19 80 200.239.39.21 1348 
> > Dec 16 14:09:01 firewall: TCP 207.88.210.19 80 200.239.39.21 1348 
> > Dec 16 14:10:16 firewall: TCP 207.88.210.19 80 200.239.39.21 1351 
> > Dec 16 14:13:07 firewall: TCP 207.88.210.19 80 200.239.39.21 1351 
> > 
> >   The firewall has blocked all these connections (and many others like 
> > these).
> > 
> >   What I found strange is that all the connections came from port 80, the 
> > httpd port. I have accessed these sites and everything appears to be ok, 
> > even with the firewall blocking the incoming connections.
> > 
> >   Can anybody explain to me why (and under what conditions) the web server 
> > starts a connection to the client? Is this kind of behavior normal?
> > 
> >   Thanks in advance.
     
-- 
Rodrigo de La Rocque Ormonde
e-mail: ormonde @ cnt . org . br
PGP Public key: finger ormonde @ cnt . org . br
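The thread turns on the difference between "log every segment without ACK" and "log only SYN segments without ACK". The following is an added example by the editor, not code from any poster or from the firewall in question. It parses the log format shown above (the two sample entries are taken from the posted log; the third line and the flag-level exchange are constructed for the example, using the documentation address 198.51.100.7) and applies both criteria to a small inbound TCP exchange. The exchange includes one segment type that the "no ACK" rule matches but that is not a connection request: a RST that a server sends for a stale segment arriving on a closed port, which by the RFC 793 reset rule carries no ACK bit when the segment it answers had one. The "service port as source, ephemeral port as destination" heuristic is the editor's assumption, not a rule from the page.

```python
"""Contrast two firewall log criteria over constructed TCP segments:
'no ACK' (what the posted firewall logs) versus 'SYN and not ACK'
(the replacement suggested in the reply)."""

import re
from dataclasses import dataclass

# TCP control bits (RFC 793), low byte of the flags field
FIN, SYN, RST, PSH, ACK = 0x01, 0x02, 0x04, 0x08, 0x10


@dataclass(frozen=True)
class Segment:
    src: str
    sport: int
    dst: str
    dport: int
    flags: int


def no_ack_rule(seg: Segment) -> bool:
    """Original criterion: any segment with the ACK bit clear."""
    return not (seg.flags & ACK)


def syn_rule(seg: Segment) -> bool:
    """Suggested criterion: only a true connection request (SYN set, ACK clear)."""
    return bool(seg.flags & SYN) and not (seg.flags & ACK)


# Constructed inbound traffic as seen on the firewall's outside interface.
# The first four segments belong to a web fetch the inside host 200.239.39.15
# started from port 1148; the last is a genuine inbound request from outside.
INBOUND = [
    Segment("200.255.159.33", 80, "200.239.39.15", 1148, SYN | ACK),  # reply to our SYN
    Segment("200.255.159.33", 80, "200.239.39.15", 1148, PSH | ACK),  # HTTP response data
    Segment("200.255.159.33", 80, "200.239.39.15", 1148, FIN | ACK),  # server closes
    # Stale segment hit a closed port on the server: RST, no ACK (RFC 793 reset rule)
    Segment("200.255.159.33", 80, "200.239.39.15", 1148, RST),
    # Constructed: an outside host really opening a connection to port 80 inside
    Segment("198.51.100.7", 3456, "200.239.39.15", 80, SYN),
]


def logged(rule, segments=INBOUND):
    """Return (src, sport, dst, dport) of every segment the rule would log."""
    return [(s.src, s.sport, s.dst, s.dport) for s in segments if rule(s)]


# Parser for the log format posted in the thread:
#   "Dec 16 10:52:24 firewall: TCP 200.255.159.33 80 200.239.39.15 1148"
LOG_RE = re.compile(
    r"^(\w{3} +\d{1,2} \d\d:\d\d:\d\d) firewall: (\w+) (\S+) (\d+) (\S+) (\d+)\s*$"
)


def parse_log_line(line: str):
    """Return a dict for a well-formed line, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    time, proto, src, sport, dst, dport = m.groups()
    return {"time": time, "proto": proto, "src": src, "sport": int(sport),
            "dst": dst, "dport": int(dport)}


def looks_like_reply(entry: dict) -> bool:
    """Heuristic (editor's assumption): a well-known service port as source and an
    ephemeral port as destination is the shape of a reply to an outbound
    connection, not of an inbound connection request."""
    return entry["sport"] < 1024 and entry["dport"] >= 1024


SAMPLE_LOG = [
    "Dec 16 10:52:24 firewall: TCP 200.255.159.33 80 200.239.39.15 1148 ",  # from the post
    "Dec 16 11:12:26 firewall: TCP 200.246.5.65 80 200.239.39.15 1158",      # from the post
    "Dec 16 15:00:00 firewall: TCP 198.51.100.7 3456 200.239.39.15 80",     # constructed
]


def triage(lines=SAMPLE_LOG):
    """Split log lines into reply-shaped and request-shaped entries."""
    replies, requests = [], []
    for line in lines:
        entry = parse_log_line(line)
        if entry is None:
            continue
        (replies if looks_like_reply(entry) else requests).append(entry)
    return replies, requests


if __name__ == "__main__":
    print("no-ACK rule logs:", logged(no_ack_rule))
    print("SYN rule logs:   ", logged(syn_rule))
    replies, requests = triage()
    print(f"{len(replies)} reply-shaped, {len(requests)} request-shaped entries")
```

With the "no ACK" rule the late RST from port 80 is logged alongside the real inbound SYN; with the "SYN and not ACK" rule only the real request remains. The port-shape heuristic is a triage aid for reading an existing log, not a substitute for matching on flags: a scanner can source its SYNs from port 80 deliberately, which is why the flag-based rule is the one to fix.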

