Firewall Wizards mailing list archives
RE: Help me interpret these log entries....
From: "Paul Melson" <pmelson () gmail com>
Date: Wed, 8 Mar 2006 09:40:57 -0500
-----Original Message-----
Subject: [fw-wiz] Help me interpret these log entries....

I am seeing many of the following lines in the logs from my PIX:

%PIX-4-106100: access-list 101 denied tcp outside/s.s.s.s(80) -> inside/d.d.d.d(xxx)

where 1024 < xxx < 65535

The closest thing I can think of is that this is some sort of TCP reset attack. Is this correct?
Actually, it's probably not an attack at all. It's a common symptom of TCP connections over stateful firewalls. Look through your log and you will probably see within close proximity a permit entry (Built TCP ...) from d.d.d.d to s.s.s.s. Although if d.d.d.d is a global NAT address, you will probably see the original client address and a source port that doesn't match (because source ports change with global NAT / PAT).

What happens is that the firewall has already seen the client close the connection (either via RST or FIN) and has deleted the entry from the state table. The server tries to send FIN+ACK like it's supposed to, but isn't fast enough and the firewall drops the packet because it doesn't match anything in the state table.

More here: http://seclists.org/lists/firewall-wizards/2005/Jun/0054.html

PaulM

_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
Current thread:
- Help me interpret these log entries.... Bob (Mar 07)
- RE: Help me interpret these log entries.... Matt Wagner (Mar 07)
- RE: Help me interpret these log entries.... Mathew Want (Mar 07)
- RE: Help me interpret these log entries.... Paul Melson (Mar 08)