Firewall Wizards mailing list archives
PIX dropping packets with source port 80
From: LazloCarreidas () netscape net
Date: Tue, 25 May 2004 12:44:14 -0400
My fellow experts,

We have a cluster of PIX 525. Since the upgrade of the PIX OS to 6.3(3), we get lots of 106023 messages, such as:

    %PIX-4-106023: Deny tcp src DMZ:aaa.bbb.ccc.ddd (asite.adomain.atld) /80 dst inside:OurProxy/37568 by access-group "acl_DMZ"

Conceptually, this is correct, since we certainly don't have any ACL allowing an external host to open a port on our internal proxy. However, the behaviour here seems to be that connections opened by the proxy to the Web site are dropped when coming back (note source port 80) by that ACL (more exactly, by the default rule that drops everything on this access-group). More or less, it appears as "TCP out of sync" messages in CheckPoint jargon.

I have looked over the outbound connections, and seen that they are indeed opened by the PIX from the proxy to the destination Web site. For the people who use the proxy, there is no issue... However, I would like to get rid of these useless messages that drown the useful ones. And this has appeared only since we upgraded to 6.3(3).

Has one of you experienced that already?

Thank you for your precious help

Lazlò
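An added example, not from the post or from anyone in the thread: a small Python triage script that parses 106023 deny lines in the format quoted above and separates denies that look like the tail of a connection the proxy itself opened (service port towards a high port on the proxy) from genuine unsolicited inbound attempts, so the latter are not drowned out. The sample log lines, the addresses, and the SERVICE_PORTS and EPHEMERAL_MIN thresholds are constructed assumptions for the example.

```python
import re
from collections import Counter

# Shape of the PIX 106023 deny message quoted in the post. The resolved
# hostname in parentheses is optional (only present with name lookup on).
PIX_106023 = re.compile(
    r"%PIX-4-106023: Deny (?P<proto>\w+) "
    r"src (?P<src_if>[\w-]+):(?P<src>[\w.-]+)(?:\s*\([^)]*\))?\s*/(?P<sport>\d+) "
    r"dst (?P<dst_if>[\w-]+):(?P<dst>[\w.-]+)(?:\s*\([^)]*\))?\s*/(?P<dport>\d+) "
    r'by access-group "(?P<acl>[^"]+)"'
)

# Assumed service ports the proxy opens outbound connections to; the post
# itself only mentions port 80. Client side of such connections is ephemeral.
SERVICE_PORTS = {80, 443}
EPHEMERAL_MIN = 1024

def parse_106023(line):
    """Return the fields of a 106023 deny, or None for any other log line."""
    m = PIX_106023.search(line)
    if not m:
        return None
    fields = m.groupdict()
    fields["sport"] = int(fields["sport"])
    fields["dport"] = int(fields["dport"])
    return fields

def classify(deny):
    """'out-of-state-return' when the deny looks like return traffic of a
    proxy-initiated connection (service port -> high port), else
    'unsolicited-inbound'. Ports alone are a heuristic, not proof."""
    if deny["sport"] in SERVICE_PORTS and deny["dport"] >= EPHEMERAL_MIN:
        return "out-of-state-return"
    return "unsolicited-inbound"

def triage(lines):
    """Count 106023 denies per class; non-106023 lines are ignored."""
    counts = Counter()
    for line in lines:
        deny = parse_106023(line)
        if deny is not None:
            counts[classify(deny)] += 1
    return counts

# Constructed sample log lines modelled on the one quoted in the post.
SAMPLE_LOG = [
    '%PIX-4-106023: Deny tcp src DMZ:192.0.2.10 (asite.example) /80 dst inside:10.0.0.5/37568 by access-group "acl_DMZ"',
    '%PIX-4-106023: Deny tcp src DMZ:192.0.2.10/443 dst inside:10.0.0.5/40112 by access-group "acl_DMZ"',
    '%PIX-4-106023: Deny tcp src DMZ:192.0.2.77/51234 dst inside:10.0.0.5/22 by access-group "acl_DMZ"',
    '%PIX-6-302013: Built outbound TCP connection 1234 for DMZ:192.0.2.10/80 (192.0.2.10/80) to inside:10.0.0.5/37568 (10.0.0.5/37568)',
]

if __name__ == "__main__":
    print(triage(SAMPLE_LOG))
```

A source port of 80 does not by itself prove the packet belongs to a proxy-opened connection, so the classification is a noise-triage aid, not a reason to permit the traffic; correlating the deny with the earlier connection-built message for the same address and port pair is what confirms it.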