Re: [Shorewall-users] Webserver to Firewall - Port 80 ?

SourceForge Headquarters 225 Broadway Suite 1600 San Diego, CA 92101 +1 (858) 454-5900

Bil...@kp... wrote:
> Any idea what this is ?    This is my webserver  at   my.real.ip.3  (the 
> firewall - in the DMZ)    The 66.68.89.21  appears to be a Road Runner DSL 
> customer.  In looking at the main firewall, another shorewall box at 
> my.real.ip.2  Their are NO entries (10 minutes either before or after) on 
> that box.
> 
> Jun 10 22:03:18 dns1 kernel: Shorewall:fw2net:ACCEPT:IN= OUT=eth0 
> SRC=my.real.ip.3 DST=66.68.89.21 LEN=569 TOS=0x00 PREC=0x00 TTL=64 
> ID=12896 DF PROTO=TCP SPT=80 DPT=4689 WINDOW=37960 RES=0x00 ACK PSH FIN 
> URGP=0

Look at 
http://www.sns.ias.edu/~jns/security/iptables/iptables_conntrack.html 
under TCP and "Connection termination".

It looks as though your server's conntrack entry was deleted but the 
connection wasn't really terminated so the "FIN+ACK" wasn't considered 
part of an established connection. Given the lossy nature of the 
internet, these things happen.

-Tom
-- 
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ te...@sh...