This one has stumped me!
Checked my logs this morning and found a connection to FTPD from local
host 127.0.0.1. This was allowed vi netperm-table (FWTK).
Further checks reviled no interactive login at that time on the host.
I have not found any other records in the logs about other process's
other than HTTPD at the same time.
Could this indicate...
A. Some how an ftp/gopher via HTTP came back at its self?
Could it have originated local host after all?
B. Packets with destination address of <firewall> source address of
<127.0.0.1> and return route to <some where on net> were received.
I have updated netperm-table to disallow 127.0.0.1. This by its self
would make recording scenario <B> attacks harder to identify.
I have added filter rules to internet choke router to drop incoming
packets with source address of <firewall> and <127.0.0.1>. I think
this will remove threat of scenario <B> but are still left wondering
where the ftp from local host actually came from.
Any thoughts comments welcome.