On Saturday 13 December 2003 2:00 pm, Akos Szalkai wrote:
> > Dec 11 22:58:52 lucy kernel: Fwd DMZ->Internet DROP: IN=eth1 OUT=ppp0
> > SRC=192.168.254.242 DST=204.157.6.223 LEN=60 TOS=0x00 PREC=0x00 TTL=63
> > ID=56169 DF PROTO=TCP SPT=80 DPT=56319 WINDOW=32476 RES=0x00 ACK SYN
> > URGP=0
>
> I have also been seeing this kind of logs on our web server, and this is
> my explanation. Probably it is an incoming HTTP connection (ie. SYN
> packet) from a spoofed source address (204.157.6.223 in this case).
> Your web server sends a syn-ack response, which the firewall in front of
> 204.157.6.223 silently drops (since it never saw the first packet of the
> connection).
If the firewall never saw the first packet, how did it get to the web server?
It doesn't matter whether the source IP is spoofed or not, the only way for a
packet to get to the web server should be through the firewall, and both will
see the same source address, neither knows whether it's genuine or not.
Antony.
--
There are two possible outcomes:
If the result confirms the hypothesis, then you've made a measurement.
If the result is contrary to the hypothesis, then you've made a discovery.
- Enrico Fermi
Please reply to the list;
please don't CC me.
