Re:

[dwelch () uswestmail net]

> From my experience, this is FireWall-1 seeing traffic on connections it thinks that have already closed (probably a 
> stray "FIN" packet). It is safe to drop and ignore these packets.

-- Dameon

On Fri, 03 December 1999, Joel Snider wrote:

> I have been using a Checkpoint Firewall-1 to protect
> my DMZ from the Internet.  Since installation I have
> noticed that my webservers which are on the DMZ behind
> the firewall seem to be connecting to multitudes of
> Internet host unsolicited. The destination port seems
> to be random, but often increments.  The source port
> from web servers is always 80 or 443.  As I have added
> webservers this condition has gotten unbearable
> because of the massive amount of info in the log
> files.  I do not allow unlimited access from the DMZ
> to the Internet so these packets are getting dropped
> at the firewall. I have checked with the web
> developement team and they say that they are not doing
> anything with the servers that would cause this.  I
> know that I could filter out these events and not log
> them, but I want to understand what is happening first
> and look for other alternatives.  Please let me know
> if you have seen this before.

--
Dameon D. Welch, a.k.a. PhoneBoy (dwelch () phoneboy com)
Check Point FireWall-1 FAQs at http://www.phoneboy.com/fw1/
The views expressed herein are not necessarily those of anyone else.
--
Signup for your free USWEST.mail Email account http://www.uswestmail.net