I have seen traffic like this as well. I thought (based on best guess) it
was a scan that tried to pierce non-stateful firewalls such as ipchains
where the rule for the outbound packet is a separate rule to the return
packet (and visa versa). Any other opinions?

Some legit (non malicious) traffic can appear like this just because the
service you are connecting to has taken too long to respond and the
connection has fallen out of the firewalls state table (more prevalent in
systems that have a pseudo state for UDP). The firewall will drop it anyway.
If you !LOG this traffic then you may have difficulties tracking these types
of issues, but it's the same with any decision to LOG or !LOG.

If the firewall is denying the traffic anyway, the only benefit I can see in
!LOG is a reduction in log volume. I would put it just above the last DENY
rule in the chain if it were me so as not to hamper any of the rules above

Hope this helps and is close....
Mathew Want
Network and Security Engineer
Phone: +61 2 9209 4600
"Some things are eternal by nature,
others by consequence"

-----Original Message-----
[] On Behalf Of Bob
Sent: Wednesday, 8 March 2006 1:22 AM
Subject: [fw-wiz] Help me interpret these log entries....

I have looked, and I am either not phrasing my searches correctly on the
search engines or there is not a great deal of information on this.

I am seeing many of the following lines in the logs from my PIX:

%PIX-4-106100: access-list 101 denied tcp outside/s.s.s.s(80) ->

where 1024 < xxx < 65535

And also, I have seen other ports other than 80 used as the source port
(eg: 443, 25)

The closest thing I can think of is that this is some sort of TCP reset
attack. Is this correct?

The next questions are should I be worried and what should I do about it?

I am thinking of adding a rule to explicitly block inbound traffic from
the internet on these source ports and not bother logging it. That
shouldn't affect traffic from these ports for outbound established
connections (right?) and cut down the noise in my logs. I don't want to
kill any functionality from inside->out and I also don't want to blind
myself to a real threat.

Anybody care to share an opinion on this?


firewall-wizards mailing list

firewall-wizards mailing list