Great Circle Associates Firewalls
(December 1996)
 


Subject: Re: Strange log in my Firewall
From: David Helms <david . helms @ checkpoint . com>
Organization: CheckPoint Software Technologies
Date: Thu, 19 Dec 1996 12:54:24 -0600
To: Rodrigo Ormonde <ormonde @ trem . cnt . org . br>
Cc: firewalls @ GreatCircle . COM
References: <9612191345 . AA08619 @ trem . cnt . org . br>
Reply-to: david . helms @ checkpoint . com

Rodrigo,

I've seen this before.  It happened when my customer had multiple routed
paths.  The original request packet went around the firewall and the
reply came back through the firewall.  What you may be seeing is the
reply packet, but since the firewall has no state memory about this
session, it is logging it as the request packet for a new session.

David Helms

Rodrigo Ormonde wrote:
> 
> > I don't see what is strange about this...
> > It appears to be the normal condition whereby hosts on the 200.239.39.*
> > net are accessing port 80 on a target machine, and to complete the
> > connection the target machine connects to a random port on the source
> > machine.
> 
>   Ok. But what kind of httpd server does this kind of thing ? I've never
> heard about web servers starting connections to the clients. I always
> supposed that all connections on a http transfer were initiated by the client,
> and you're now saying they're not.
> 
>   Any comments ?
> 
> > On Wed, 18 Dec 1996, Rodrigo Ormonde wrote:
> >
> > >   Hi.
> > >
> > >   I'm configuring a firewall for my company and when I checked the log file,
> > > I discovered some strange connection requests. A small part of the log
> > > follows:
> > >
> > > Time / Protocol / Source IP / Source Port / Destination IP / Destination Port
> > >
> > > Dec 16 10:52:24 firewall: TCP 200.255.159.33 80 200.239.39.15 1148
> > > Dec 16 11:12:26 firewall: TCP 200.246.5.65 80 200.239.39.15 1158
> > > Dec 16 11:12:27 firewall: TCP 200.246.5.65 80 200.239.39.15 1158
> > > Dec 16 11:13:37 firewall: TCP 200.246.5.65 80 200.239.39.15 1178
> > > Dec 16 11:13:37 firewall: TCP 200.246.5.65 80 200.239.39.15 1178
> > > Dec 16 11:16:11 firewall: TCP 200.18.93.135 80 200.239.39.21 1196
> > > Dec 16 11:16:19 firewall: TCP 200.18.93.135 80 200.239.39.21 1204
> > > Dec 16 11:16:22 firewall: TCP 200.18.93.135 80 200.239.39.21 1203
> > > Dec 16 11:16:23 firewall: TCP 200.18.93.135 80 200.239.39.21 1203
> > > Dec 16 14:04:37 firewall: TCP 206.64.127.43 80 200.239.39.21 1342
> > > Dec 16 14:07:36 firewall: TCP 207.88.210.19 80 200.239.39.21 1348
> > > Dec 16 14:09:01 firewall: TCP 207.88.210.19 80 200.239.39.21 1348
> > > Dec 16 14:10:16 firewall: TCP 207.88.210.19 80 200.239.39.21 1351
> > > Dec 16 14:13:07 firewall: TCP 207.88.210.19 80 200.239.39.21 1351
> > >
> > >   The firewall has blocked all these connections (and many others like
> > > these).
> > >
> > >   What I found strange is that all the connections came from port 80, the
> > > httpd port. I have accessed these sites and everything appears to be ok,
> > > even with the firewall blocking the incoming connections.
> > >
> > >   Can anybody explain to me why (and under what conditions) the web server
> > > starts a connection to the client ? Is this kind of behavior normal ?
> > >
> > >   Thanks in advance.
> 
> --
> Rodrigo de La Rocque Ormonde
> e-mail: ormonde @ cnt . org . br
> PGP Public key: finger ormonde @ cnt . org . br

-- 
__________________________________
 David Helms
 Senior Technical Consultant
 CheckPoint Software Technologies
 ph 703.684.4824
 fx 703.684.4847
 davidh @ checkpoint . com
__________________________________
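
A triage sketch for the situation described in this reply, added here as an example and not part of the original thread: it parses the log format quoted above and groups blocked entries whose source port is a service port and whose destination port is a high client port, which is what a reply arriving without matching session state looks like. The 1024 threshold and the function names are assumptions; the log carries no TCP flags, so the result is a list of flows to check against the outbound route, not proof of asymmetric routing.

```python
import re
from collections import Counter

# Field order from the original post:
# Time / Protocol / Source IP / Source Port / Destination IP / Destination Port
LINE_RE = re.compile(
    r"^(?P<time>\w{3}\s+\d+\s+[\d:]{8})\s+\S+:\s+(?P<proto>\w+)\s+"
    r"(?P<src>[\d.]+)\s+(?P<sport>\d+)\s+(?P<dst>[\d.]+)\s+(?P<dport>\d+)$"
)

# A few lines copied from the log excerpt quoted in the thread.
SAMPLE_LOG = """\
Dec 16 11:12:26 firewall: TCP 200.246.5.65 80 200.239.39.15 1158
Dec 16 11:12:27 firewall: TCP 200.246.5.65 80 200.239.39.15 1158
Dec 16 11:16:11 firewall: TCP 200.18.93.135 80 200.239.39.21 1196
Dec 16 14:07:36 firewall: TCP 207.88.210.19 80 200.239.39.21 1348
Dec 16 14:09:01 firewall: TCP 207.88.210.19 80 200.239.39.21 1348
"""

def parse(line):
    """Return the fields of one log line as a dict, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    entry = m.groupdict()
    entry["sport"], entry["dport"] = int(entry["sport"]), int(entry["dport"])
    return entry

def looks_like_reply(entry, service_ports=(80,), ephemeral_min=1024):
    """Heuristic (assumed threshold): service source port, high destination port."""
    return (entry["proto"] == "TCP"
            and entry["sport"] in service_ports
            and entry["dport"] >= ephemeral_min)

def stray_reply_flows(log_text):
    """Count blocked entries per (client, client port, server, server port)."""
    flows = Counter()
    for line in log_text.splitlines():
        entry = parse(line)
        if entry and looks_like_reply(entry):
            key = (entry["dst"], entry["dport"], entry["src"], entry["sport"])
            flows[key] += 1
    return flows

if __name__ == "__main__":
    for (client, cport, server, sport), n in stray_reply_flows(SAMPLE_LOG).items():
        print(f"{client}:{cport} <- {server}:{sport} blocked {n}x; "
              "check whether the outbound request bypassed the firewall")
```

Each flow it prints names an inside host and an outside server; comparing the route the inside host uses to reach that server with the path through the firewall shows whether the request went around it.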

