From: Tom E. <te...@sh...> - 2004-06-11 23:50:48
Bil...@kp... wrote:
> Any idea what this is? This is my webserver at my.real.ip.3 (the
> firewall - in the DMZ). The 66.68.89.21 appears to be a Road Runner DSL
> customer. In looking at the main firewall, another shorewall box at
> my.real.ip.2, there are NO entries (10 minutes either before or after) on
> that box.
>
> Jun 10 22:03:18 dns1 kernel: Shorewall:fw2net:ACCEPT:IN= OUT=eth0
> SRC=my.real.ip.3 DST=66.68.89.21 LEN=569 TOS=0x00 PREC=0x00 TTL=64
> ID=12896 DF PROTO=TCP SPT=80 DPT=4689 WINDOW=37960 RES=0x00 ACK PSH FIN
> URGP=0

Look at http://www.sns.ias.edu/~jns/security/iptables/iptables_conntrack.html
under TCP and "Connection termination". It looks as though your server's
conntrack entry was deleted but the connection wasn't really terminated, so
the "FIN+ACK" wasn't considered part of an established connection. Given the
lossy nature of the internet, these things happen.

-Tom
--
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ te...@sh...
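
A triage sketch for the log entry discussed above, added here as an example; it is not part of the original message and is not Shorewall code. It parses Shorewall-prefixed netfilter LOG lines and labels mid-stream segments sent from a local service port, which is the pattern the reply attributes to an expired conntrack entry. The function names, the service-port set and the 1024 client-port threshold are assumptions.

```python
import re

# Constructed sample: line 1 is the entry quoted in the message above;
# line 2 is a made-up outbound SYN (documentation address) for contrast.
SAMPLE_LOG = """\
Jun 10 22:03:18 dns1 kernel: Shorewall:fw2net:ACCEPT:IN= OUT=eth0 SRC=my.real.ip.3 DST=66.68.89.21 LEN=569 TOS=0x00 PREC=0x00 TTL=64 ID=12896 DF PROTO=TCP SPT=80 DPT=4689 WINDOW=37960 RES=0x00 ACK PSH FIN URGP=0
Jun 10 22:05:41 dns1 kernel: Shorewall:fw2net:ACCEPT:IN= OUT=eth0 SRC=my.real.ip.3 DST=192.0.2.25 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=4411 DF PROTO=TCP SPT=40112 DPT=25 WINDOW=5840 RES=0x00 SYN URGP=0
"""

PREFIX = re.compile(r"Shorewall:(?P<chain>[^:]+):(?P<disposition>[^:]+):(?P<rest>.*)$")
TCP_FLAGS = {"SYN", "ACK", "FIN", "RST", "PSH", "URG"}


def parse_line(line):
    """Split a Shorewall-prefixed netfilter LOG line into fields and TCP flags."""
    m = PREFIX.search(line)
    if m is None:
        return None
    rec = {"chain": m["chain"], "disposition": m["disposition"], "flags": set()}
    for tok in m["rest"].split():
        if "=" in tok:
            key, value = tok.split("=", 1)
            rec[key] = value
        elif tok in TCP_FLAGS:  # bare tokens; DF is an IP flag and is skipped
            rec["flags"].add(tok)
    return rec


def classify(rec, service_ports=frozenset({80, 443})):
    """Heuristic label: 'stale-reply', 'new-connection' or 'other'."""
    if rec is None or rec.get("PROTO") != "TCP":
        return "other"
    flags = rec["flags"]
    spt, dpt = int(rec.get("SPT", 0)), int(rec.get("DPT", 0))
    if "SYN" in flags and "ACK" not in flags:
        return "new-connection"  # a genuinely new flow, expected in this log
    # Mid-stream segment from a local service port to a high client port:
    # per the explanation above, conntrack no longer held the entry.
    if "ACK" in flags and "SYN" not in flags and spt in service_ports and dpt >= 1024:
        return "stale-reply"
    return "other"


if __name__ == "__main__":
    for line in SAMPLE_LOG.splitlines():
        rec = parse_line(line)
        print(classify(rec), rec["SRC"], "->", rec["DST"], sorted(rec["flags"]))
```

Entries labelled `stale-reply` can be set aside during log review, leaving the `new-connection` and `other` entries for closer inspection.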