Great Circle Associates Firewalls
(November 1996)

Subject: Re[2]: Incoming TCP Packet with Port 80 - More info
From: arager @ mcgraw-hill . com
Date: Tue, 19 Nov 96 15:07:03 edt
To: firewalls @ greatcircle . com

After posting yesterday, I have received several replies and have done some more investigation.

Several people have suggested that this could be caused by cookies... Based on my understanding of client and server side cookies I disagree. Cookies are just special data or additional URL info passed in a normal HTTP request/response. The problem I see seems to be initiated after the firewall has destroyed the user's connection... Like the server is trying to re-establish the old connection. I know of lots of sites with cookies that have never given me this problem.

Here's what I am beginning to think the problem actually is.

This problem is sometimes difficult to reproduce at will, but I think it is caused by the proxy session timeouts. Proxies have session establish timeouts [Sidewinder defaults to 30sec, unsure of others] that destroy a connection attempt after a certain period. What I think is happening is that sometimes a site is _very_ slow to respond to a request [more than 30sec in my case], and the firewall destroys the connection pathway after the proxy times out. When the server is finally able to send the reply, the firewall logs it as a failed attempt on an unauthorized dest port [your original source port from the F/W] with an HTTP source port from the server [your original dest port].

Here's one way to test this [your mileage may vary, and your test candidate may suffer for a bit]:

- With Netscape [others would prob. work well also] pick a site outside your proxy that already seems somewhat slow/busy [www.aol.com comes to mind].
- After loading the URL, hold down on <CTRL> <R> (reload) for about 30 seconds. This will make gobs of requests and should make the server really busy.
- Netscape should show the message "connect: server xx.xx.com contacted, waiting for reply" for at least 45secs... wait a few minutes [depends on the server] and take a look at your logs. If you didn't crash the server with this load, then you should see an entry in your logs for a failed connection from your test host.

I guess this problem could be reduced by increasing the proxy timeouts to several minutes... but what sort of risk does this pose?

Anton Rager
arager @ McGraw-Hill . com
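The triage the post describes, as an added example that is not part of the original message or of any firewall product: it correlates the firewall's inbound deny entries (server port 80 hitting a high port on the firewall) against proxy sessions that ended in a timeout, and labels a deny as a late reply only when the server address, its port and the firewall's original source port all match a timed-out session within a short window. The two log formats, the hostnames and addresses, and the ten-minute correlation window are constructed assumptions, not any vendor's real log syntax.

```python
import re
from datetime import datetime, timedelta

# Constructed sample logs (hypothetical formats, not a real product's syntax).
# Proxy log: one line per outbound HTTP session; "via=fw:PORT" is the source
# port the firewall used towards the server, "status" is how the session ended.
PROXY_LOG = """\
1996-11-19 14:58:02 proxy http src=10.1.1.5:3122 dst=192.0.2.10:80 via=fw:40211 status=timeout
1996-11-19 14:58:10 proxy http src=10.1.1.7:3130 dst=198.51.100.9:80 via=fw:40212 status=ok
1996-11-19 15:00:40 proxy http src=10.1.1.5:3140 dst=192.0.2.10:80 via=fw:40213 status=timeout
"""

# Firewall log: inbound packets denied because no session matched them.
FW_DENY_LOG = """\
1996-11-19 14:59:15 deny tcp 192.0.2.10:80 -> 203.0.113.1:40211
1996-11-19 15:06:55 deny tcp 192.0.2.10:80 -> 203.0.113.1:40213
1996-11-19 15:07:01 deny tcp 198.51.100.9:80 -> 203.0.113.1:40999
1996-11-19 15:30:00 deny tcp 192.0.2.10:80 -> 203.0.113.1:40211
"""

PROXY_RE = re.compile(
    r"^(?P<ts>\S+ \S+) proxy http .* dst=(?P<dst>[\d.]+):(?P<dport>\d+) "
    r"via=fw:(?P<fwport>\d+) status=(?P<status>\w+)$"
)
DENY_RE = re.compile(
    r"^(?P<ts>\S+ \S+) deny tcp (?P<src>[\d.]+):(?P<sport>\d+) -> "
    r"(?P<dst>[\d.]+):(?P<dport>\d+)$"
)


def parse_ts(text):
    return datetime.strptime(text, "%Y-%m-%d %H:%M:%S")


def timed_out_sessions(proxy_log):
    """Map (server_ip, server_port, firewall_source_port) -> time the proxy gave up."""
    sessions = {}
    for line in proxy_log.splitlines():
        m = PROXY_RE.match(line)
        if not m or m["status"] != "timeout":
            continue  # completed sessions cannot produce an orphaned reply
        key = (m["dst"], int(m["dport"]), int(m["fwport"]))
        sessions[key] = parse_ts(m["ts"])
    return sessions


def classify_denies(proxy_log, deny_log, window=timedelta(minutes=10)):
    """Label each deny line 'late-reply' or 'unexplained'.

    A deny is a late reply only if its source (server ip:port) and its
    destination port equal a timed-out session's (dst ip:port, fw port) and it
    arrives within `window` after the timeout. The window is an assumption;
    tune it to how late your slowest upstream servers actually answer.
    """
    sessions = timed_out_sessions(proxy_log)
    results = []
    for line in deny_log.splitlines():
        m = DENY_RE.match(line)
        if not m:
            continue
        key = (m["src"], int(m["sport"]), int(m["dport"]))
        when = parse_ts(m["ts"])
        started = sessions.get(key)
        if started is not None and timedelta(0) <= when - started <= window:
            verdict = "late-reply"
        else:
            verdict = "unexplained"  # no matching session: keep for real review
        results.append((line, verdict))
    return results


def summarize(proxy_log, deny_log):
    """Count verdicts so the noise share of the deny log is visible at a glance."""
    counts = {}
    for _, verdict in classify_denies(proxy_log, deny_log):
        counts[verdict] = counts.get(verdict, 0) + 1
    return counts


if __name__ == "__main__":
    for line, verdict in classify_denies(PROXY_LOG, FW_DENY_LOG):
        print(f"{verdict:12} {line}")
    print(summarize(PROXY_LOG, FW_DENY_LOG))
```

The third deny line has no corresponding timed-out session and the fourth arrives half an hour after its session timed out, so both stay "unexplained" and are left for a human to look at; only the two entries that fit the timeout-then-late-reply pattern are labelled as noise. Matching on the full tuple, rather than just "source port 80", is what keeps an unrelated inbound probe from being explained away.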
