There are no users on that box though, and it's not web browser traffic because the SOURCE port is 80, not the dest port, so this is web traffic being served by that box for sure... I've seen references to doing --reply-with tcp-reject to this sort of packet... ???

----- Original Message -----
From: "Jeffrey Laramie" <JALaramie@xxxxxxxxxxxxxxxxxxx>
To: "Ian Hunter" <ihunter@xxxxxxxxxxxxx>; <netfilter@xxxxxxxxxxxxxxxxxxx>
Sent: Thursday, December 11, 2003 11:46 PM
Subject: Re: Weird TCP flags?

> On Thursday 11 December 2003 23:11, Ian Hunter wrote:
> > OK, I have a router (lucy) with a webserver (192.168.254.242) in a DMZ (off
> > eth1), and everything works fine -- when you hit my ip, you get the site,
> > all is well. However, I get STORMS of this nonsense in my logs:
> >
> > Dec 11 22:58:52 lucy kernel: Fwd DMZ->Internet DROP: IN=eth1 OUT=ppp0
> > SRC=192.168.254.242 DST=204.157.6.223 LEN=60 TOS=0x00 PREC=0x00 TTL=63
> > ID=56169 DF PROTO=TCP SPT=80 DPT=56319 WINDOW=32476 RES=0x00 ACK SYN URGP=0
> >
>
> These have ACK SYN set so I doubt they have anything to do with established
> connections. I would guess that this is a browser on the webserver itself
> trying to connect to an outside site which your rules don't allow. In this
> case: bart.routesys.com.
>
> Jeff
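The thread turns on reading the flag field of an iptables LOG line: a packet with SYN and ACK set is the second step of the TCP handshake, which only the side that received a SYN on its listening port ever sends. The parser and classifier below are an added example written for this page, not code from either poster. It takes the log line quoted in the thread as one input and a constructed line for contrast (a browser-style SYN leaving the same host, which is what outbound client traffic would look like); the assumption that port 80 is the DMZ host's only listening port is an assumption of the example.

```python
import re

# iptables LOG output is "NAME=value" pairs followed by bare TCP flag names.
KV_RE = re.compile(r"([A-Z]+)=(\S*)")
FLAG_NAMES = ("SYN", "ACK", "FIN", "RST", "PSH", "URG")
# Assumption for this example: the DMZ host only listens on 80.
LISTENING_PORTS = {80}

# Log line exactly as quoted in the thread.
POSTED_LINE = (
    "Dec 11 22:58:52 lucy kernel: Fwd DMZ->Internet DROP: IN=eth1 OUT=ppp0 "
    "SRC=192.168.254.242 DST=204.157.6.223 LEN=60 TOS=0x00 PREC=0x00 TTL=63 "
    "ID=56169 DF PROTO=TCP SPT=80 DPT=56319 WINDOW=32476 RES=0x00 ACK SYN URGP=0"
)
# Constructed line (not from the thread): what a browser on the DMZ host
# opening a connection to the outside would log (ephemeral SPT, DPT=80, SYN only).
CONSTRUCTED_SYN = (
    "Dec 11 22:59:01 lucy kernel: Fwd DMZ->Internet DROP: IN=eth1 OUT=ppp0 "
    "SRC=192.168.254.242 DST=204.157.6.223 LEN=60 TOS=0x00 PREC=0x00 TTL=63 "
    "ID=56170 DF PROTO=TCP SPT=40123 DPT=80 WINDOW=5840 RES=0x00 SYN URGP=0"
)


def parse_log_line(line):
    """Split an iptables LOG line into (prefix, NAME=value fields, TCP flags)."""
    m = re.search(r"kernel: (?:(?P<prefix>.*?): )?(?P<body>IN=.*)$", line)
    if not m:
        raise ValueError("not an iptables LOG line")
    body = m.group("body")
    fields = dict(KV_RE.findall(body))
    # Flags are standalone tokens such as "ACK SYN"; URGP=0 and DF are not flags.
    flags = {tok for tok in body.split() if tok in FLAG_NAMES}
    return m.group("prefix") or "", fields, flags


def classify_tcp(fields, flags):
    """Describe which half of a TCP exchange a logged packet belongs to."""
    if fields.get("PROTO") != "TCP":
        return "not TCP"
    src, dst = fields["SRC"], fields["DST"]
    spt, dpt = int(fields["SPT"]), int(fields["DPT"])
    if flags == {"SYN"}:
        # First step of the handshake: SRC is the client initiating to DST:DPT.
        return f"connection attempt by {src} to {dst}:{dpt}"
    if {"SYN", "ACK"} <= flags:
        # Second step: only a listener that just received a SYN on SPT sends
        # SYN/ACK, so SRC is the server and DST:DPT the client that connected.
        role = "server reply" if spt in LISTENING_PORTS else "SYN/ACK from non-listening port"
        return f"{role}: {src}:{spt} answering a SYN from {dst}:{dpt}"
    if "RST" in flags:
        return f"reset from {src}:{spt} to {dst}:{dpt}"
    return f"mid-stream packet {src}:{spt} -> {dst}:{dpt} ({' '.join(sorted(flags))})"


def server_replies_by_client(lines):
    """Count dropped SYN/ACK replies per remote client, to see who is being answered."""
    counts = {}
    for line in lines:
        _, fields, flags = parse_log_line(line)
        if fields.get("PROTO") == "TCP" and {"SYN", "ACK"} <= flags:
            counts[fields["DST"]] = counts.get(fields["DST"], 0) + 1
    return counts


if __name__ == "__main__":
    for line in (POSTED_LINE, CONSTRUCTED_SYN):
        prefix, fields, flags = parse_log_line(line)
        print(f"[{prefix}] {classify_tcp(fields, flags)}")
    print(server_replies_by_client([POSTED_LINE, CONSTRUCTED_SYN]))
```

On the posted line the classifier reports a server reply from 192.168.254.242:80 answering a SYN from 204.157.6.223:56319, while the constructed SYN-only line is what an outbound browser connection would look like. The practical check that follows from this: the reply half of an inbound connection should match an ESTABLISHED rule in the DMZ->Internet forward chain, so if the router's rules already allow `-m state --state ESTABLISHED,RELATED` there, the next thing to confirm is whether the inbound SYN to the DMZ host actually passed through this router's connection tracking.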