On Fri, 2003-12-12 at 15.05, Jeffrey Laramie wrote:
> On Friday 12 December 2003 08:13, Chris Brenton wrote:
> > On Thu, 2003-12-11 at 23:11, Ian Hunter wrote:
> > > Dec 11 22:58:52 lucy kernel: Fwd DMZ->Internet DROP: IN=eth1 OUT=ppp0
> > > SRC=192.168.254.242 DST=204.157.6.223 LEN=60 TOS=0x00 PREC=0x00 TTL=63
> > > ID=56169 DF PROTO=TCP SPT=80 DPT=56319 WINDOW=32476 RES=0x00 ACK SYN
> > > URGP=0
> >
> > My "guess" is, you are receiving a SYN packet from 204.157.6.223. This
> > creates a state table entry with a 60 second timer. Your system is
> > taking longer than 60 seconds to respond, so iptables is removing the
> > state table entry. Your system then responds causing the log entry shown
> > above.
> >
>
> Hey Chris,
>
> Is it normal for the server to send the ACK SYN to a high dport? I wouldn't
> have expected that.

Yes, of course:

client:56319 -SYN->     server:80
client:56319 <-ACK/SYN- server:80
client:56319 -ACK->     server:80

Connection established.

Cheers,

Ralf
-- 
Ralf Spenneberg
RHCE, RHCX

Book: VPN mit Linux
Book: Intrusion Detection für Linux Server

http://www.spenneberg.com
IPsec-Howto                     http://www.ipsec-howto.org
Honeynet Project Mirror:        http://honeynet.spenneberg.org
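
The handshake above, applied to the dropped packet from the log, as an added example that is not part of the original thread: it parses a netfilter LOG line and uses the TCP flags to work out which endpoint is the client and which is the server. The function names are hypothetical, and the second sample line is constructed to show the matching SYN.

```python
import re

TCP_FLAGS = {"SYN", "ACK", "FIN", "RST", "PSH", "URG", "CWR", "ECE"}

# Log line quoted in the thread, joined onto one line.
PAGE_LINE = ("Dec 11 22:58:52 lucy kernel: Fwd DMZ->Internet DROP: IN=eth1 OUT=ppp0 "
             "SRC=192.168.254.242 DST=204.157.6.223 LEN=60 TOS=0x00 PREC=0x00 TTL=63 "
             "ID=56169 DF PROTO=TCP SPT=80 DPT=56319 WINDOW=32476 RES=0x00 ACK SYN URGP=0")

# Constructed sample: the client SYN that would have preceded the line above.
SYN_LINE = ("Dec 11 22:57:40 lucy kernel: Fwd Internet->DMZ ACCEPT: IN=ppp0 OUT=eth1 "
            "SRC=204.157.6.223 DST=192.168.254.242 LEN=60 TOS=0x00 PREC=0x00 TTL=52 "
            "ID=56168 DF PROTO=TCP SPT=56319 DPT=80 WINDOW=5840 RES=0x00 SYN URGP=0")


def parse_netfilter_log(line):
    """Return (KEY=VALUE fields, set of TCP flags) from one LOG line."""
    fields = dict(re.findall(r"\b([A-Z]+)=(\S*)", line))
    # TCP flags are printed as bare words between RES= and URGP=.
    m = re.search(r"\bRES=\S+\s+(.*?)\s*URGP=", line)
    flags = set(m.group(1).split()) & TCP_FLAGS if m else set()
    return fields, flags


def classify(line):
    """Map a logged TCP packet to its handshake step and endpoint roles."""
    fields, flags = parse_netfilter_log(line)
    if fields.get("PROTO") != "TCP":
        return None
    src = (fields["SRC"], int(fields["SPT"]))
    dst = (fields["DST"], int(fields["DPT"]))
    if flags == {"SYN"}:
        # Step 1: the sender is the client, on an ephemeral source port.
        return {"step": "SYN", "client": src, "server": dst}
    if flags == {"SYN", "ACK"}:
        # Step 2: the sender is the server, replying to the client's port.
        return {"step": "SYN/ACK", "client": dst, "server": src}
    # A bare ACK or data packet does not identify roles without state.
    return {"step": "other", "client": None, "server": None}


if __name__ == "__main__":
    for sample in (SYN_LINE, PAGE_LINE):
        print(classify(sample))
```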