Reuben D. Budiardja
2003-Sep-08 13:18 UTC
[Shorewall-users] So I can ignore "newnotsyn" log, right?
Hello,
I am a new shorewall user, upon recommendation by some people in the Redhat user mailing list. So far I'm impressed with how easy it is to set this up and the good documentation / Quick Start up guide.

Just have a quick question. I get some "newnotsyn" logs from some hosts in my LAN and from outside hosts for destination port 80 and 25. They can be ignored, right? I have port 80 and 25 open since I'm running web + mail server.

I just want to make sure I don't miss something, and please forgive my ignorance since I am new to this firewall and netfilter.

By the way, what would cause a "newnotsyn" package? As far as I know, the user on the host (LAN) that got logged was just doing regular browsing to my web server.

RDB

--
Reuben D. Budiardja
601 Nielsen Physics Building
Department of Physics and Astronomy
The University of Tennessee, Knoxville, TN
(865) 974-8284
John S. Andersen
2003-Sep-08 13:33 UTC
[Shorewall-users] So I can ignore "newnotsyn" log, right?
Reuben:
Have a look at Faq # 17
http://shorewall.sourceforge.net/FAQ.htm

On 8 Sep 2003 at 16:18, Reuben D. Budiardja wrote:

> Hello,
> I am a new shorewall user, upon recommendation by some people in
> Redhat user mailing list. So far I'm impressed with how easy to set
> this up and the good documentation / Quick Start up guide.
>
> Just have a quick question. I get some "newnotsyn" logs from some
> hosts in my LAN and from outside host for destination port 80 and 25.
> They can be ignore, right? I have port 80 and 25 open since I'm
> running web + mail server.
>
> I just want to make sure I don't miss something, and please forgive my
> ignorant since I am new to this firewall and netfilter.
>
> By the way, what would cause a "newnotsyn" package? As far as I know,
> the user in the host (LAN) that got log just doing regular browsing to
> my web server.
>
> RDB
>
> --
> Reuben D. Budiardja
> 601 Nielsen Physics Building
> Department of Physics and Astronomy
> The University of Tennessee, Knoxville, TN
> (865) 974-8284

--
John Andersen
NORCOM / Juneau, Alaska
http://www.screenio.com/
(907) 790-3386

John S. Andersen
NORCOM
mailto:JAndersen@norcomsoftware.com
Juneau, Alaska
http://www.screenio.com/
Reuben D. Budiardja
2003-Sep-09 06:27 UTC
[Shorewall-users] So I can ignore "newnotsyn" log, right?
On Monday 08 September 2003 04:31 pm, John S. Andersen wrote:
> Reuben:
> Have a look at Faq # 17
> http://shorewall.sourceforge.net/FAQ.htm

I did look at it before I posted, but still don't quite get it, as to why I get so many of these. The newnotsyn that I get a lot happens on the destination port 80 and 22.
Is there any good reason why I cannot just ignore them?

Thanks.
RDB

> On 8 Sep 2003 at 16:18, Reuben D. Budiardja wrote:
> > Hello,
> > I am a new shorewall user, upon recommendation by some people in
> > Redhat user mailing list. So far I'm impressed with how easy to set
> > this up and the good documentation / Quick Start up guide.
> >
> > Just have a quick question. I get some "newnotsyn" logs from some
> > hosts in my LAN and from outside host for destination port 80 and 25.
> > They can be ignore, right? I have port 80 and 25 open since I'm
> > running web + mail server.
> >
> > I just want to make sure I don't miss something, and please forgive my
> > ignorant since I am new to this firewall and netfilter.
> >
> > By the way, what would cause a "newnotsyn" package? As far as I know,
> > the user in the host (LAN) that got log just doing regular browsing to
> > my web server.
> >
> > RDB

--
Reuben D. Budiardja
Department of Physics and Astronomy
The University of Tennessee, Knoxville, TN
John Andersen
2003-Sep-09 11:46 UTC
[Shorewall-users] So I can ignore "newnotsyn" log, right?
On Tuesday 09 September 2003 05:28 am, Reuben D. Budiardja wrote:
> On Monday 08 September 2003 04:31 pm, John S. Andersen wrote:
> > Reuben:
> > Have a look at Faq # 17
> > http://shorewall.sourceforge.net/FAQ.htm
>
> I did look at it before I posted, but still don't quite get it, as to why I
> get so many of these. The newnotsyn that I get a lot happens on the
> destination port 80 and 22.
> Is there any good reason why I cannot just ignore them?
>
> Thanks.

In Shorewall.conf you can set it to drop them and not log them, which is what I do.

--
John Andersen - NORCOM
http://www.norcomsoftware.com/
Jeff Falgout
2003-Sep-09 12:01 UTC
[Shorewall-users] So I can ignore "newnotsyn" log, right?
>>> "Reuben D. Budiardja" <techlist@voyager.phys.utk.edu> 9/9/2003 7:28:19 AM >>>
> On Monday 08 September 2003 04:31 pm, John S. Andersen wrote:
> > Reuben:
> > Have a look at Faq # 17
> > http://shorewall.sourceforge.net/FAQ.htm
>
> I did look at it before I posted, but still don't quite get it, as to why I
> get so many of these. The newnotsyn that I get a lot happens on the
> destination port 80 and 22.
> Is there any good reason why I cannot just ignore them?
>
> Thanks.
> RDB

Remember the three way TCP handshake - See http://www.sans.org/rr/paper.php?id=373

1. The initiating host sends a SYN to the target
2. The target responds with SYN ACK
3. The initiating host then replies with ACK

I suspect you restarted shorewall while your users were browsing the internet and had ssh connections open. If that's the case you can probably ignore them.

If you can't explain why you are seeing the newnotsyn packets, I would look further, it could be a sign of something not right - there are a lot of attack/recon techniques that use ack packets.

> > On 8 Sep 2003 at 16:18, Reuben D. Budiardja wrote:
> > > Hello,
> > > I am a new shorewall user, upon recommendation by some people in
> > > Redhat user mailing list. So far I'm impressed with how easy to set
> > > this up and the good documentation / Quick Start up guide.
> > >
> > > Just have a quick question. I get some "newnotsyn" logs from some
> > > hosts in my LAN and from outside host for destination port 80 and 25.
> > > They can be ignore, right? I have port 80 and 25 open since I'm
> > > running web + mail server.
> > >
> > > I just want to make sure I don't miss something, and please forgive my
> > > ignorant since I am new to this firewall and netfilter.
> > >
> > > By the way, what would cause a "newnotsyn" package? As far as I know,
> > > the user in the host (LAN) that got log just doing regular browsing to
> > > my web server.
> > >
> > > RDB
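
The check suggested in the last reply (can the newnotsyn entries be explained by a firewall restart, or not?) can be run over the log itself. This is an added example, not part of the thread or of Shorewall: the log lines are constructed in netfilter LOG format, and the restart time and the 10-minute window are assumptions to adjust for your own site.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (documentation/private addresses, not from the thread).
SAMPLE_LOG = """\
Sep  8 16:02:11 gw kernel: Shorewall:newnotsyn:DROP:IN=eth1 OUT= SRC=192.168.1.20 DST=192.168.1.1 LEN=40 TTL=64 PROTO=TCP SPT=3412 DPT=80 WINDOW=6432 RES=0x00 ACK URGP=0
Sep  8 16:02:15 gw kernel: Shorewall:newnotsyn:DROP:IN=eth1 OUT= SRC=192.168.1.20 DST=192.168.1.1 LEN=40 TTL=64 PROTO=TCP SPT=3412 DPT=80 WINDOW=6432 RES=0x00 ACK FIN URGP=0
Sep  8 16:03:40 gw kernel: Shorewall:newnotsyn:DROP:IN=eth1 OUT= SRC=192.168.1.31 DST=192.168.1.1 LEN=92 TTL=64 PROTO=TCP SPT=4090 DPT=22 WINDOW=8760 RES=0x00 ACK PSH URGP=0
Sep  8 18:45:02 gw kernel: Shorewall:newnotsyn:DROP:IN=eth0 OUT= SRC=203.0.113.9 DST=192.0.2.10 LEN=40 TTL=51 PROTO=TCP SPT=51000 DPT=80 WINDOW=1024 RES=0x00 ACK URGP=0
Sep  8 18:45:02 gw kernel: Shorewall:newnotsyn:DROP:IN=eth0 OUT= SRC=203.0.113.9 DST=192.0.2.10 LEN=40 TTL=51 PROTO=TCP SPT=51001 DPT=25 WINDOW=1024 RES=0x00 ACK URGP=0
Sep  8 18:45:03 gw kernel: Shorewall:newnotsyn:DROP:IN=eth0 OUT= SRC=203.0.113.9 DST=192.0.2.10 LEN=40 TTL=51 PROTO=TCP SPT=51002 DPT=22 WINDOW=1024 RES=0x00 ACK URGP=0
Sep  8 18:50:00 gw kernel: Shorewall:net2all:DROP:IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.10 LEN=60 TTL=50 PROTO=TCP SPT=40000 DPT=23 WINDOW=5840 RES=0x00 SYN URGP=0
"""

# Timestamp, source address, destination port and the TCP flag words that the
# kernel prints between RES= and URGP=; only lines from the newnotsyn chain match.
LINE = re.compile(
    r"^(\w{3}\s+\d+ [\d:]{8}) .*Shorewall:newnotsyn:\w+:.*?SRC=(\S+) "
    r".*?PROTO=TCP .*?DPT=(\d+) .*?RES=\S+ (.*?)URGP=")

def triage(log_text, restart, window=timedelta(minutes=10)):
    """Group newnotsyn entries by source and separate restart fallout from the rest."""
    seen = defaultdict(lambda: {"count": 0, "ports": set(), "flags": set(), "late": 0})
    for line in log_text.splitlines():
        m = LINE.search(line)
        if not m:
            continue
        stamp, src, dport, flags = m.groups()
        # Syslog timestamps carry no year; borrow it from the restart time.
        when = datetime.strptime(f"{restart.year} {' '.join(stamp.split())}",
                                 "%Y %b %d %H:%M:%S")
        entry = seen[src]
        entry["count"] += 1
        entry["ports"].add(int(dport))
        entry["flags"].update(flags.split())
        if not (restart <= when <= restart + window):
            entry["late"] += 1  # cannot be explained by the restart
    for entry in seen.values():
        entry["verdict"] = "investigate" if entry["late"] else "stale-connection"
    return dict(seen)

if __name__ == "__main__":
    restart_time = datetime(2003, 9, 8, 16, 2, 0)  # assumed: when shorewall was restarted
    for src, info in sorted(triage(SAMPLE_LOG, restart_time).items()):
        print(src, info["verdict"], info["count"], sorted(info["ports"]), sorted(info["flags"]))
```

Sources whose non-SYN packets all arrive shortly after the restart are the established sessions that lost their connection-tracking state; a source that sends bare ACKs at other times, especially to several ports, is the case that warrants a closer look.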