I have looked, and I am either not phrasing my searches correctly on the
search engines or there is not a great deal of information on this.

I am seeing many of the following lines in the logs from my PIX:

%PIX-4-106100: access-list 101 denied tcp outside/s.s.s.s(80) -> inside/d.d.d.d(xxx)

where 1024 < xxx < 65535

I have also seen source ports other than 80 used
(e.g. 443, 25).

The closest thing I can think of is that this is some sort of TCP reset
attack. Is this correct?

The next questions are: should I be worried, and what should I do about it?

I am thinking of adding a rule to explicitly block inbound traffic from
the internet on these source ports and not bother logging it. That
shouldn't affect traffic from these ports for outbound established
connections (right?) and cut down the noise in my logs. I don't want to
kill any functionality from inside->out and I also don't want to blind
myself to a real threat.

Anybody care to share an opinion on this?


firewall-wizards mailing list
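As an added example (not from the poster or the list), here is a small Python script that parses %PIX-4-106100 lines in the shape quoted above and tallies them two ways: how many fit the pattern the post describes (well-known source port, ephemeral destination port), and how many an ACL entry keyed only on source port would match. The difference is the set of lines such a rule would silence even though they do not fit that pattern, which is the thing to inspect before switching logging off. The regex assumes the message format as quoted; real PIX syslog appends a hit-cnt suffix, which the regex tolerates by only matching the prefix. The sample log lines are constructed with documentation addresses.

```python
import re
from collections import Counter

# Added example: parse %PIX-4-106100 messages of the shape quoted in the
# post and compare "fits the described pattern" against "hit by a
# source-port-only block rule". Sample log lines below are constructed.

# Assumption: the message format exactly as quoted in the post. A trailing
# "hit-cnt ..." (present on real PIX syslog) is ignored via re.search().
PIX_106100 = re.compile(
    r"%PIX-4-106100:\s+access-list\s+(?P<acl>\S+)\s+"
    r"(?P<action>permitted|denied)\s+(?P<proto>\w+)\s+"
    r"(?P<src_if>[^/\s]+)/(?P<src>[^()\s]+)\((?P<sport>\d+)\)\s*->\s*"
    r"(?P<dst_if>[^/\s]+)/(?P<dst>[^()\s]+)\((?P<dport>\d+)\)"
)

# Source ports the post reports seeing on the inbound denies.
SERVICE_PORTS = {80, 443, 25}


def parse_line(line):
    """Return a dict of fields for a 106100 line, or None for any other line."""
    m = PIX_106100.search(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["sport"] = int(ev["sport"])
    ev["dport"] = int(ev["dport"])
    return ev


def fits_post_pattern(ev):
    """The pattern from the post: TCP denied inbound on 'outside', source
    port 80/443/25, destination port with 1024 < xxx < 65535."""
    return (ev["proto"] == "tcp" and ev["action"] == "denied"
            and ev["src_if"] == "outside"
            and ev["sport"] in SERVICE_PORTS
            and 1024 < ev["dport"] < 65535)


def hit_by_source_port_rule(ev):
    """What an ACL entry keyed only on source port would match: every
    inbound TCP packet from those ports, whatever the destination port."""
    return (ev["proto"] == "tcp" and ev["src_if"] == "outside"
            and ev["sport"] in SERVICE_PORTS)


def summarize(lines):
    events = [ev for ev in map(parse_line, lines) if ev is not None]
    pattern = [ev for ev in events if fits_post_pattern(ev)]
    rule = [ev for ev in events if hit_by_source_port_rule(ev)]
    return {
        "parsed": len(events),
        "fits_pattern": len(pattern),
        "by_source_port": dict(Counter(ev["sport"] for ev in pattern)),
        "hit_by_rule": len(rule),
        # Lines a source-port-only rule would silence although they do not
        # fit the service-port -> ephemeral-port pattern.
        "silenced_but_not_pattern": [
            f"{ev['src']}({ev['sport']}) -> {ev['dst']}({ev['dport']})"
            for ev in rule if not fits_post_pattern(ev)
        ],
    }


# Constructed sample log (RFC 5737 documentation addresses), not real data.
SAMPLE_LOG = [
    "%PIX-4-106100: access-list 101 denied tcp outside/198.51.100.7(80) -> inside/10.0.0.5(3456)",
    "%PIX-4-106100: access-list 101 denied tcp outside/198.51.100.22(443) -> inside/10.0.0.5(49152) hit-cnt 1 (first hit)",
    "%PIX-4-106100: access-list 101 denied tcp outside/203.0.113.9(25) -> inside/10.0.0.8(40011)",
    "%PIX-4-106100: access-list 101 denied tcp outside/203.0.113.40(12345) -> inside/10.0.0.5(22)",
    "%PIX-4-106100: access-list 101 denied tcp outside/203.0.113.40(80) -> inside/10.0.0.5(80)",
    "some other syslog line that is not a 106100 message and is ignored",
]

if __name__ == "__main__":
    for key, value in summarize(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

On the sample, three of the five parsed lines fit the post's pattern, but a source-port-only rule would match four: it also covers the last 106100 line, where the destination is port 80 rather than an ephemeral port. Run it over a real log export before deciding what to stop logging.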