Any idea what this is ? This is my webserver at my.real.ip.3 (the
firewall - in the DMZ) The 66.68.89.21 appears to be a Road Runner DSL
customer. In looking at the main firewall, another shorewall box at
my.real.ip.2 There are NO entries (10 minutes either before or after) on
that box.

Jun 10 22:03:18 dns1 kernel: Shorewall:fw2net:ACCEPT:IN= OUT=eth0 SRC=my.real.ip.3 DST=66.68.89.21 LEN=569 TOS=0x00 PREC=0x00 TTL=64 ID=12896 DF PROTO=TCP SPT=80 DPT=4689 WINDOW=37960 RES=0x00 ACK PSH FIN URGP=0

This webserver runs shorewall 1.4.10 (SuSE 9.0 - 2.4.21 kernel). eth0 goes directly to "main firewall" that does not run anything on port 80 via a crossover.

       Internet
          *
          *
        (eth0)
    Main Firewall (eth1) ****** Webserver (eth0)
        (eth2)
          *
          *
       Internal

Bill.Light@kp.org wrote:
> Any idea what this is ? This is my webserver at my.real.ip.3 (the
> firewall - in the DMZ) The 66.68.89.21 appears to be a Road Runner DSL
> customer. In looking at the main firewall, another shorewall box at
> my.real.ip.2 There are NO entries (10 minutes either before or after) on
> that box.
>
> Jun 10 22:03:18 dns1 kernel: Shorewall:fw2net:ACCEPT:IN= OUT=eth0
> SRC=my.real.ip.3 DST=66.68.89.21 LEN=569 TOS=0x00 PREC=0x00 TTL=64
> ID=12896 DF PROTO=TCP SPT=80 DPT=4689 WINDOW=37960 RES=0x00 ACK PSH FIN
> URGP=0

Look at http://www.sns.ias.edu/~jns/security/iptables/iptables_conntrack.html under TCP and "Connection termination". It looks as though your server's conntrack entry was deleted but the connection wasn't really terminated so the "FIN+ACK" wasn't considered part of an established connection. Given the lossy nature of the internet, these things happen.

-Tom
--
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
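
An added example, not part of the original thread and not Shorewall code: a small Python triage helper for log lines like the one quoted above. It parses the netfilter LOG fields and TCP flags and separates a genuinely new outbound connection (SYN without ACK) from a teardown packet sent from a local service port, the case described in the reply. The function names, the service-port list, the labels and the second sample line are assumptions made for this example.

```python
import re

# TCP flag names as the netfilter LOG target prints them (bare tokens after RES=).
TCP_FLAGS = {"CWR", "ECE", "URG", "ACK", "PSH", "RST", "SYN", "FIN"}
PREFIX_RE = re.compile(r"Shorewall:(?P<chain>[^:\s]+):(?P<verdict>[A-Z]+):")

# The log line quoted in the thread (addresses as posted).
PAGE_LINE = ("Jun 10 22:03:18 dns1 kernel: Shorewall:fw2net:ACCEPT:IN= OUT=eth0 "
             "SRC=my.real.ip.3 DST=66.68.89.21 LEN=569 TOS=0x00 PREC=0x00 TTL=64 "
             "ID=12896 DF PROTO=TCP SPT=80 DPT=4689 WINDOW=37960 RES=0x00 "
             "ACK PSH FIN URGP=0")
# Constructed sample: the firewall itself opening a new connection (RFC 5737 addresses).
CONSTRUCTED_SYN = ("Jun 10 22:05:01 dns1 kernel: Shorewall:fw2net:ACCEPT:IN= OUT=eth0 "
                   "SRC=192.0.2.3 DST=198.51.100.7 LEN=60 TOS=0x00 PREC=0x00 TTL=64 "
                   "ID=4411 DF PROTO=TCP SPT=33012 DPT=25 WINDOW=5840 RES=0x00 "
                   "SYN URGP=0")


def parse_line(line):
    """Return chain, verdict, key=value fields and TCP flags, or None if no Shorewall prefix."""
    m = PREFIX_RE.search(line)
    if not m:
        return None
    rest = line[m.end():]
    return {
        "chain": m["chain"],
        "verdict": m["verdict"],
        "fields": dict(re.findall(r"(\w+)=(\S*)", rest)),
        "flags": {tok for tok in rest.split() if tok in TCP_FLAGS},
    }


def classify(line, local_service_ports=(80,)):
    """Heuristic label for a TCP packet logged in a policy chain such as fw2net."""
    pkt = parse_line(line)
    if pkt is None or pkt["fields"].get("PROTO") != "TCP":
        return "not-tcp"
    flags, spt = pkt["flags"], int(pkt["fields"]["SPT"])
    if "SYN" in flags and "ACK" not in flags:
        return "new-outbound-connection"
    # No SYN, FIN or RST with ACK, sent from a port we serve: the tail end of a
    # connection whose conntrack entry is already gone, as described in the reply.
    if spt in local_service_ports and "ACK" in flags and flags & {"FIN", "RST"}:
        return "likely-teardown-straggler"
    return "untracked-midstream"


if __name__ == "__main__":
    for sample in (PAGE_LINE, CONSTRUCTED_SYN):
        print(classify(sample), "<-", sample[-40:])
```
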

Thanks for the prompt answer as usual Tom - you're the best !

- Bill