Re: help with log entries

["Steve () frij com" <steve () frij com>]

I might be wrong, but

These packets looks like the target servers are rejecting connections from
the clients a.b.c.d (or closing connections) and your firewall isn't
allowing packets with those flags back into the connecting client.

The ones with target port 25 and a external source address looks like the
SMTP is closing the connection on you, and your firewall is rejecting it
too.

Just a guess based on the flags set and port numbers ...




----- Original Message -----
From: "David M. Fetter" <david.fetter () fetterconsulting com>
To: <aduenas () skytel com co>
Cc: <security-basics () securityfocus com>
Sent: Friday, February 28, 2003 1:29 PM
Subject: Re: help with log entries


> It looks like those external ip addresses are being denied by your
> firewall to connect to the inside.  All the from ports are 110 which is
> pop email, so it's almost like those people are trying to send relay
> traffic or something over your connection, but again it's being denied.
>
> aduenas () skytel com co wrote:
> > Hi,
> >
> > I am getting some confusing log entries from my Cisco Pix firewall. At
> > first I thought that it was a network problem but I don't have any other
> > evidence to support that assumption.
> >
> > The log entries look like this. Destination IP addresses changed....
> >
> > Feb 26 15:32:49 firewall %PIX-6-106015: Deny TCP (no connection) from
> > 161.58.238.151/110 to a.b.c.d/3782 flags RST ACK  on interface outside
> > Feb 26 15:32:50 firewall %PIX-6-106015: Deny TCP (no connection) from
> > 161.58.238.151/110 to a.b.c.d/3783 flags RST PSH ACK  on interface
> > outside
> > Feb 26 15:32:50 firewall %PIX-6-106015: Deny TCP (no connection) from
> > 200.24.76.3/110 to a.b.c.d/3796 flags RST ACK  on interface outside
> > Feb 26 15:32:51 firewall %PIX-6-106015: Deny TCP (no connection) from
> > 200.24.76.8/110 to a.b.c.d/3768 flags RST ACK  on interface outside
> > Feb 26 15:33:02 firewall %PIX-6-106015: Deny TCP (no connection) from
> > 66.35.250.206/59231 to 10.10.10.4/25 flags RST  on interface outside
> > Feb 26 15:33:02 firewall %PIX-6-106015: Deny TCP (no connection) from
> > 66.35.250.206/59231 to 10.10.10.4/25 flags RST  on interface outside
> > Feb 26 15:33:04 firewall %PIX-6-106015: Deny TCP (no connection) from
> > 66.35.250.206/59231 to 10.10.10.4/25 flags RST PSH ACK  on interface
> > inside
> > Feb 26 15:33:46 firewall %PIX-6-106015: Deny TCP (no connection) from
> > 161.58.238.151/110 to a.b.c.d/3843 flags RST ACK  on interface outside
> > Feb 26 15:33:46 firewall %PIX-6-106015: Deny TCP (no connection) from
> > 161.58.238.151/110 to a.b.c.d/3845 flags RST ACK  on interface outside
> > Feb 26 15:33:46 firewall %PIX-6-106015: Deny TCP (no connection) from
> > 161.58.238.151/110 to a.b.c.d/3847 flags RST ACK  on interface outside
> > Feb 26 15:33:46 firewall %PIX-6-106015: Deny TCP (no connection) from
> > 161.58.238.151/110 to a.b.c.d/3846 flags RST ACK  on interface outside
> > Feb 26 15:33:48 firewall %PIX-6-106015: Deny TCP (no connection) from
> > 200.24.76.8/110 to a.b.c.d/3830 flags RST ACK  on interface outside
> > Feb 26 15:33:51 firewall %PIX-6-106015: Deny TCP (no connection) from
> > 200.24.76.3/110 to a.b.c.d/3860 flags RST ACK  on interface outside
> >
> > If anyone has any clues or suggestions I would be most grateful!
>
>
> --
> David M. Fetter - http://www.fetterconsulting.com/
>
> "The world is full of power and energy and a person can go far by just
> skimming off a tiny bit of it." Neal Stephenson - Snow Crash