Hi,

I wrote a mail a few days ago concerning my setup with a front/back firewall, shorewall being front and ISA server 2004 acting as back firewall.

I said that ISA server is logging some "intrusion attempts", namely requests coming from external interface to the internal network.

As this shouldn't happen (all intrusion attempts should be stopped by shorewall) I began to study the ISA logs.

Some pattern has emerged:

A user on the internal network is browsing a site. After that, he closes the connection. A short time afterwards a request appears in the log that seems to be coming from the browsed site (port 80) and is directed at the ISA server host on some high port. Both firewalls (shorewall and ISA) are NAT-ing traffic. I suspect that the problem is related to the time to live of a connection or something similar but I would appreciate any suggestion on this matter.

Please note that this happens only on *some* websites.

Below you have an example from ISA's logs:

[ISA server: 10.100.10.x User: 192.168.n.p Some website 212.X.63.254:80]

ISA 2004-10-13 07:07:40 TCP 10.100.10.x:61925 212.X.63.254:80 10.100.10.X Local Host External Terminate 0x80074e20 - HTTP 71266 71266 223474 223474 - - - - 8555 239063
ISA 2004-10-13 07:07:40 TCP 192.168.n.p:1403 212.X.63.254:80 192.168.n.p Internal External Terminate 0x80074e24 web HTTP 0 0 128365 128365 113156 113156 - - 26580 239166
ISA 2004-10-13 07:07:40 TCP 192.168.n.p:1414 212.X.63.254:80 192.168.n.p Internal External Establish 0x0 web HTTP 0 0 0 0 - - - - 26580 239455
ISA 2004-10-13 07:07:40 TCP 10.100.10.x:62291 212.X.63.254:80 10.100.10.2 Local Host External Establish 0x0 - HTTP 0 0 0 0 - - - - 8555 239456
ISA 2004-10-13 07:07:40 TCP 10.100.10.x:62291 212.X.63.254:80 10.100.10.2 Local Host External Terminate 0x80074e20 - HTTP 1010 1010 1664 1664 - - - - 8555 239456
ISA 2004-10-13 07:07:40 TCP 192.168.n.p:1414 212.X.63.254:80 192.168.n.p Internal External Terminate 0x80074e24 web HTTP 0 0
ISA 2004-10-13 07:07:40 TCP 212.X.63.254:80 10.100.10.x:62291 212.X.63.254 External Local Host Denied 0xc0040017 - Unidentified IP Traffic 0 0 0 0 - - - - 0 0

---
Ligiu Uiorean
IT department - SANEX SA
ligiu.uiorean@ro.lasselsberger.com
tel. +40-740-116.117
Ligiu A. Uiorean wrote:

> Hi, I wrote a mail a few days ago concerning my setup with a front/back
> firewall, shorewall being front and ISA server 2004 acting as back
> firewall.
>
> I said that ISA server is logging some "intrusion attempts" namely
> requests coming from external interface to the internal network.
>
> As this shouldn't happen (all intrusion attempts should be stopped by
> shorewall) I began to study the ISA logs.
>
> Some pattern has emerged:
>
> A user on the internal network is browsing a site. After that, he closes
> the connection. A short time afterwards a request appears in the log
> that

These are not requests but rather are late-arriving replies.

> seems to be coming from the browsed site (port 80) and is directed at
> the ISA server host on some high port. Both firewalls (shorewall and
> ISA) are NAT-ing traffic. I suspect that the problem is related to the time
> to live of a connection or something similar but I would appreciate any
> suggestion on this matter.

Ignore it -- while Netfilter TCP connections enter a TIME_WAIT state after closing, it appears that ISA stops tracking the connection immediately after FINs are exchanged (or its TIME_WAIT period is significantly shorter than Netfilter's). Consequently, duplicate/late packets that are part of the closed session are treated as "intrusion attempts" by ISA rather than what they are -- artifacts of the way that the Internet works.

-Tom
--
Tom Eastep      \ Nothing is foolproof to a sufficiently talented fool
Shoreline,       \ http://shorewall.net
Washington USA    \ teastep@shorewall.net
PGP Public Key     \ https://lists.shorewall.net/teastep.pgp.key
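A small triage script that applies Tom's explanation to ISA log lines in the layout quoted above, as an added example that is not part of the thread or of either product: a Denied inbound packet is labelled a late reply when the reversed 4-tuple was Terminated shortly before it, and anything without such a closed session is left for a closer look. The sample lines, the placeholder addresses and the 120-second window (the 2*MSL TIME_WAIT Netfilter keeps) are constructed assumptions.

```python
import re
from datetime import datetime

# Constructed sample lines modelled on the ISA 2004 log layout quoted in the thread
# (placeholder addresses, not real hosts): a proxied web session opens and closes, a
# packet from the same web server then hits the same local port, and finally an
# unrelated inbound packet arrives that no closed session explains.
SAMPLE_LOG = """\
ISA 2004-10-13 07:07:40 TCP 10.100.10.2:62291 203.0.113.54:80 10.100.10.2 Local Host External Establish 0x0 - HTTP 0 0 0 0 - - - - 8555 239456
ISA 2004-10-13 07:07:40 TCP 10.100.10.2:62291 203.0.113.54:80 10.100.10.2 Local Host External Terminate 0x80074e20 - HTTP 1010 1010 1664 1664 - - - - 8555 239456
ISA 2004-10-13 07:07:41 TCP 203.0.113.54:80 10.100.10.2:62291 203.0.113.54 External Local Host Denied 0xc0040017 - Unidentified IP Traffic 0 0 0 0 - - - - 0 0
ISA 2004-10-13 07:12:05 TCP 198.51.100.9:80 10.100.10.2:62291 198.51.100.9 External Local Host Denied 0xc0040017 - Unidentified IP Traffic 0 0 0 0 - - - - 0 0
"""

# Fixed leading fields, then the two network names (which may contain spaces, e.g.
# "Local Host"), then the action. The trailing byte counters are not needed here.
LINE_RE = re.compile(
    r"^ISA (?P<date>\S+) (?P<time>\S+) (?P<proto>\S+) "
    r"(?P<src>\S+):(?P<sport>\d+) (?P<dst>\S+):(?P<dport>\d+) \S+ "
    r"(?P<nets>.+?) (?P<action>Establish|Terminate|Denied) ")

def parse_isa_log(text):
    """Return parsed records in timestamp order; lines that do not match are skipped."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        rec = m.groupdict()
        rec["ts"] = datetime.strptime(f"{rec['date']} {rec['time']}", "%Y-%m-%d %H:%M:%S")
        records.append(rec)
    return sorted(records, key=lambda r: r["ts"])

def classify_denied(records, window_seconds=120):
    """Label a Denied packet 'late-reply' when the reversed 4-tuple was Terminated
    within window_seconds before it (a TIME_WAIT-sized window), else 'unexplained'."""
    closed = {}  # (local ip, local port, remote ip, remote port) -> last Terminate time
    verdicts = []
    for r in records:
        if r["action"] == "Terminate":
            closed[(r["src"], r["sport"], r["dst"], r["dport"])] = r["ts"]
        elif r["action"] == "Denied":
            last = closed.get((r["dst"], r["dport"], r["src"], r["sport"]))
            late = last is not None and 0 <= (r["ts"] - last).total_seconds() <= window_seconds
            verdicts.append((f"{r['src']}:{r['sport']}", f"{r['dst']}:{r['dport']}",
                             "late-reply" if late else "unexplained"))
    return verdicts
```

On a real export, feed the Denied lines together with the preceding Establish/Terminate lines for the same day so the closed-session table is populated before the denials are judged.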