Firewall Wizards mailing list archives

RE: Help me interpret these log entries....


From: "Paul Melson" <pmelson () gmail com>
Date: Wed, 8 Mar 2006 09:40:57 -0500

-----Original Message-----
Subject: [fw-wiz] Help me interpret these log entries....

I am seeing many of the following lines in the logs from my PIX:

%PIX-4-106100: access-list 101 denied tcp outside/s.s.s.s(80) -> inside/d.d.d.d(xxx)

where 1024 < xxx < 65535


The closest thing I can think of is that this is some sort of TCP reset
attack. Is this correct?

Actually, it's probably not an attack at all.  It's a common symptom of TCP
connections over stateful firewalls.  Look through your log and you will
probably see within close proximity a permit entry (Built TCP ...) from
d.d.d.d to s.s.s.s.  Although if d.d.d.d is a global NAT address, you will
probably see the original client address and a source port that doesn't
match (because source ports change with global NAT / PAT).

What happens is that the firewall has already seen the client close the
connection (either via RST or FIN) and has deleted the entry from the state
table.  The server tries to send FIN+ACK like it's supposed to, but isn't
fast enough and the firewall drops the packet because it doesn't match
anything in the state table.

More here:

http://seclists.org/lists/firewall-wizards/2005/Jun/0054.html


PaulM
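The triage Paul describes (look for a Built/Teardown entry for the same connection shortly before the deny) can be automated. The script below is an added example and is not from the original post or from Cisco; it correlates 106100 denies against the most recent Teardown for the same four-tuple and flags the rest, so that only denies with no preceding connection need a human look. The sample log lines are constructed, and their layout is modelled on PIX 6.x 302013/302014/106100 messages as I remember them; the field order is an assumption, so adjust the regexes to your own logs.

```python
import re
from collections import Counter
from datetime import datetime, timedelta

# Constructed sample log (not from the original post). Message layouts are an
# assumption modelled on PIX 6.x syslog: 302013 Built, 302014 Teardown, 106100 deny.
SAMPLE_LOG = """\
Mar  8 09:40:01 pix %PIX-6-302013: Built outbound TCP connection 1001 for outside:203.0.113.10/80 (203.0.113.10/80) to inside:192.168.1.25/1345 (198.51.100.5/2071)
Mar  8 09:40:05 pix %PIX-6-302014: Teardown TCP connection 1001 for outside:203.0.113.10/80 to inside:192.168.1.25/1345 duration 0:00:04 bytes 5120 TCP FINs
Mar  8 09:40:05 pix %PIX-4-106100: access-list 101 denied tcp outside/203.0.113.10(80) -> inside/192.168.1.25(1345) hit-cnt 1 first hit
Mar  8 09:41:30 pix %PIX-4-106100: access-list 101 denied tcp outside/203.0.113.77(80) -> inside/192.168.1.40(2222) hit-cnt 1 first hit
Mar  8 09:41:31 pix %PIX-4-106100: access-list 101 denied tcp outside/203.0.113.77(80) -> inside/192.168.1.40(2223) hit-cnt 1 first hit
"""

TS_RE = re.compile(r"^(\w{3})\s+(\d{1,2}) (\d\d:\d\d:\d\d) ")
TEARDOWN_RE = re.compile(
    r"%PIX-6-302014: Teardown TCP connection \d+ for "
    r"(?P<sif>\w+):(?P<sip>[\d.]+)/(?P<sport>\d+) to "
    r"(?P<dif>\w+):(?P<dip>[\d.]+)/(?P<dport>\d+)")
DENY_RE = re.compile(
    r"%PIX-4-106100: access-list \S+ denied tcp "
    r"(?P<sif>\w+)/(?P<sip>[\d.]+)\((?P<sport>\d+)\) -> "
    r"(?P<dif>\w+)/(?P<dip>[\d.]+)\((?P<dport>\d+)\)")


def parse_ts(line):
    """Parse the leading syslog timestamp (no year; only deltas matter here)."""
    m = TS_RE.match(line)
    if m is None:
        raise ValueError("no syslog timestamp: " + line)
    return datetime.strptime(" ".join(m.groups()), "%b %d %H:%M:%S")


def classify_denies(log_text, window=timedelta(seconds=30)):
    """Return [(timestamp, (sip, sport, dip, dport), verdict)] for every 106100 deny.

    A deny that follows a Teardown for the same four-tuple within `window`
    is the late server FIN/ACK the post describes. A deny from a low
    (server) port to an ephemeral port with no matching Teardown is kept
    apart from everything else, since that is the pattern worth reviewing.
    """
    teardowns = {}  # four-tuple -> time of most recent Teardown
    results = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts = parse_ts(line)
        m = TEARDOWN_RE.search(line)
        if m:
            key = (m["sip"], int(m["sport"]), m["dip"], int(m["dport"]))
            teardowns[key] = ts
            continue
        m = DENY_RE.search(line)
        if not m:
            continue
        key = (m["sip"], int(m["sport"]), m["dip"], int(m["dport"]))
        last = teardowns.get(key)
        if last is not None and timedelta(0) <= ts - last <= window:
            verdict = "late-packet-after-teardown"
        elif int(m["sport"]) < 1024 <= int(m["dport"]):
            verdict = "unmatched-server-reply"
        else:
            verdict = "unmatched-deny"
        results.append((ts, key, verdict))
    return results


def summarize(results):
    """Count verdicts so the benign bulk can be separated from the remainder."""
    return dict(Counter(verdict for _, _, verdict in results))


if __name__ == "__main__":
    found = classify_denies(SAMPLE_LOG)
    for ts, key, verdict in found:
        print(ts.strftime("%b %d %H:%M:%S"), key, verdict)
    print(summarize(found))
```

Two caveats when pointing this at real logs. First, as the post notes, behind global NAT/PAT the Teardown shows the real client address and port while the deny may show the translated one, so the four-tuple key will miss; in that case key on the mapped address/port in parentheses from the Built entry instead. Second, the window is a guess: a long-lived idle connection that the firewall ages out can produce a deny well after the last Teardown, so widen it before trusting the "unmatched" bucket.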




_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards

