Over the last few months, I''ve noticed log entries that appear to be part of established connections: Shorewall:fw2net:ACCEPT:IN= OUT=eth0 SRC=206.253.95.97 DST=131.15.48.58 LEN=1400 TOS=0x00 PREC=0x00 TTL=64 ID=56805 DF PROTO=TCP SPT=80 DPT=19052 WINDOW=1768 RES=0x00 ACK PSH URGP=0 We seem to get these entries for our highest volume services like web and dns but I''ve occasionally seen them for others. The Shorewall logging documentation says that packets for established connections are accepted and cannot be logged... can someone explain what might be happening here? I''d like to understand why these are showing up in case I have something misconfigured. Thanks, -Tom ------------------------------------------------------- SF.Net email is Sponsored by the Better Software Conference & EXPO September 19-22, 2005 * San Francisco, CA * Development Lifecycle Practices Agile & Plan-Driven Development * Managing Projects & Teams * Testing & QA Security * Process Improvement & Measurement * http://www.sqe.com/bsce5sf
Tom Lisjac wrote:> Over the last few months, I''ve noticed log entries that appear to be > part of established connections: > > Shorewall:fw2net:ACCEPT:IN= OUT=eth0 SRC=206.253.95.97 DST=131.15.48.58 > LEN=1400 TOS=0x00 PREC=0x00 TTL=64 ID=56805 DF PROTO=TCP SPT=80 > DPT=19052 WINDOW=1768 RES=0x00 ACK PSH URGP=0 > > We seem to get these entries for our highest volume services like web > and dns but I''ve occasionally seen them for others. The Shorewall > logging documentation says that packets for established connections > are accepted and cannot be logged... can someone explain what might be > happening here? I''d like to understand why these are showing up in > case I have something misconfigured. >Netfilter doesn''t think that this packet is part of an established connection. I would have to know more about your configuration (hint: output of "shorewall status") before I could comment further. -Tom -- Tom Eastep \ Nothing is foolproof to a sufficiently talented fool Shoreline, \ http://shorewall.net Washington USA \ teastep@shorewall.net PGP Public Key \ https://lists.shorewall.net/teastep.pgp.key