[ale] Iptables: Packets from port 80 to unestablished ports

Transam bob at verysecurelinux.com
Tue Jul 29 21:56:30 EDT 2003


On Tue, Jul 29, 2003 at 07:51:54PM -0500, Kevin Krumwiede wrote:
> On Sat, 19 Jul 2003 11:47:01 -0400
> Mike Millson <mmillson at meritonlinesystems.com> wrote:

> > I have noticed a number of packets that my iptables firewall is dropping
> > from port 80 because they are unrelated to an established connection. 

> > For example:

> > 07/19-08:52:53 kernel: ?INPUT:IN=ppp0 OUT= MAC= SRC=208.217.109.66
> > DST=68.157.175.145 LEN=1452 TOS=0x00 PREC=0x00 TTL=50 ID=60713 DF
> > PROTO=TCP SPT=80 DPT=35552 WINDOW=9648 RES=0x00 ACK URGP=0 

> > This is a legitimate site that I was visiting, so I revisited the site
> > and logged all packets. It appears that several times per visit the web
> > server sends one of these ACK packets to a port that has not previously
> > been used in the conversation.

> I've always seen this in my logs.  CNN's site is (or was) one that does this.  No idea why.

If it's Winbloz IIS, it may be violating the TCP protocol in such a way
that response time to an IE client is faster than not violating the TCP
protocol, but sending to anyone else that follows the protocol is slower.
Also, some firewalls get upset.

I forget the particulars but this may be an example.

Bob Toxen
bob at verysecurelinux.com               [Please use for email to me]
http://www.verysecurelinux.com        [Network&Linux/Unix security consulting]
http://www.realworldlinuxsecurity.com [My book:"Real World Linux Security 2/e"]
Quality Linux & UNIX security and SysAdmin & software consulting since 1990.

"Microsoft: Unsafe at any clock speed!"
   -- Bob Toxen 10/03/2002
_______________________________________________
Ale mailing list
Ale at ale.org
http://www.ale.org/mailman/listinfo/ale
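The line Mike quotes is ordinary netfilter LOG output: a log prefix, then KEY=VALUE fields (IN=, OUT=, SRC=, SPT=, DPT=, ...) and bare tokens for the IP and TCP flags (DF, SYN, ACK, ...). The question in the thread is why a web server sends an ACK to a port the firewall has no state for; the script below does not answer that, but it is the triage a practitioner would run first: parse such lines, separate handshakes and non-TCP traffic from bare ACKs, and count which (server, port) pairs keep producing ACKs that land outside the state table. This is an added example, not code from the thread or from any of the posters. The first sample line is the packet quoted in the post; the other three sample lines, the label names and the choice of 80 and 443 as "service ports" are constructed here for illustration.

```python
import re
from collections import Counter

# Constructed sample input in the netfilter LOG format shown in the thread.
# Line 1 is the packet quoted in the post.  Lines 2-4 are made up here for
# contrast: a SYN/ACK to a new port, a bare ACK from a non-service port, and
# a UDP datagram that the TCP flag logic must skip.
SAMPLE_LOG = """\
07/19-08:52:53 kernel: ?INPUT:IN=ppp0 OUT= MAC= SRC=208.217.109.66 DST=68.157.175.145 LEN=1452 TOS=0x00 PREC=0x00 TTL=50 ID=60713 DF PROTO=TCP SPT=80 DPT=35552 WINDOW=9648 RES=0x00 ACK URGP=0
07/19-08:52:54 kernel: ?INPUT:IN=ppp0 OUT= MAC= SRC=208.217.109.66 DST=68.157.175.145 LEN=48 TOS=0x00 PREC=0x00 TTL=50 ID=60714 DF PROTO=TCP SPT=80 DPT=35553 WINDOW=9648 RES=0x00 SYN ACK URGP=0
07/19-08:52:55 kernel: ?INPUT:IN=ppp0 OUT= MAC= SRC=10.0.0.5 DST=68.157.175.145 LEN=40 TOS=0x00 PREC=0x00 TTL=64 ID=1 DF PROTO=TCP SPT=4444 DPT=35554 WINDOW=1024 RES=0x00 ACK URGP=0
07/19-08:52:56 kernel: ?INPUT:IN=ppp0 OUT= MAC= SRC=10.0.0.6 DST=68.157.175.145 LEN=40 TOS=0x00 PREC=0x00 TTL=64 ID=2 DF PROTO=UDP SPT=53 DPT=35555 LEN=20
"""

# Whatever syslog put before "kernel:" is kept as the timestamp; the user
# chosen log prefix is everything between "kernel:" and the first IN= field.
_LINE_RE = re.compile(r"^(?P<ts>.*?)\s*kernel:\s*(?P<prefix>.*?)(?P<body>IN=.*)$")

TCP_FLAGS = {"SYN", "ACK", "FIN", "RST", "PSH", "URG", "CWR", "ECE"}


def parse_log_line(line):
    """Parse one netfilter LOG line into a dict.

    KEY=VALUE tokens become entries (empty values such as OUT= are kept);
    bare tokens (DF, SYN, ACK, ...) are collected under "flags".
    Returns None for lines that are not LOG output.
    """
    m = _LINE_RE.match(line.strip())
    if not m:
        return None
    rec = {"ts": m.group("ts").strip(), "prefix": m.group("prefix").strip(),
           "flags": set()}
    for tok in m.group("body").split():
        if "=" in tok:
            key, _, val = tok.partition("=")
            # UDP lines print LEN= twice (IP length, then UDP length);
            # keep the first so LEN always means the IP total length.
            rec.setdefault(key, val)
        else:
            rec["flags"].add(tok)
    return rec


def classify(rec, service_ports=frozenset({80, 443})):
    """Label a dropped packet for triage (labels are this example's own):

    - "non-tcp":           no TCP flags to reason about
    - "handshake":         SYN set (connection attempt or SYN/ACK reply)
    - "stray-service-ack": ACK without SYN, from a service port to an
                           ephemeral port; the pattern Mike saw in his logs
    - "bare-ack":          ACK without SYN from any other port (ACK scans
                           look like this)
    - "other":             RST, FIN and the rest
    """
    if rec.get("PROTO") != "TCP":
        return "non-tcp"
    flags = rec["flags"] & TCP_FLAGS
    if "SYN" in flags:
        return "handshake"
    if "ACK" in flags and not flags & {"RST", "FIN"}:
        spt, dpt = int(rec["SPT"]), int(rec["DPT"])
        if spt in service_ports and dpt >= 1024:
            return "stray-service-ack"
        return "bare-ack"
    return "other"


def triage(log_text):
    """Return (label, SRC, SPT, DPT, LEN) for every LOG line in log_text."""
    out = []
    for line in log_text.splitlines():
        rec = parse_log_line(line)
        if rec is None:
            continue
        out.append((classify(rec), rec.get("SRC"), rec.get("SPT"),
                    rec.get("DPT"), rec.get("LEN")))
    return out


def stray_ack_sources(log_text):
    """Count stray service ACKs per (SRC, SPT).  Repeat offenders are the
    servers whose sessions keep falling outside the firewall's state table,
    which is where to start looking (packet capture on both sides)."""
    return Counter((src, spt) for label, src, spt, _, _ in triage(log_text)
                   if label == "stray-service-ack")


if __name__ == "__main__":
    for row in triage(SAMPLE_LOG):
        print(row)
    print(stray_ack_sources(SAMPLE_LOG))
```

Feed it the real log with `python3 triage.py < /var/log/messages` style plumbing (read `sys.stdin.read()` instead of `SAMPLE_LOG`) and look at the counter: a handful of large-LEN ACKs from one server's port 80 to ports just above your other DPTs is the same picture as the quoted line, while bare ACKs from random high ports are a different animal and deserve their own look.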