Re: Weird TCP flags?

> Sorry - I misread your posting at first - I realise now you were saying that 
> the firewall in front of the spoofed address never saw the first packet, so 
> it drops the second one.

Sorry, probably my writing is not clear enough...

> However, the above log entry is from the firewall in front of the web server - 
> as far as it is concerned, it saw the first packet, and it saw the second 
> packet.   I'm not sure there's an explanation yet for why it decided to drop 
> and log the second packet.

I am afraid now you did not misread my posting.  You simply did not read
the rest of it, because it is in there.  Summary: it drops the
retransmitted syn-acks after 60 secs.

Akos

-- 
Akos Szalkai <szalkai@xxxxx>
IT Consultant, CISA
2F 2000 Szamitastechnikai es Szolgaltato Kft.
Tel: (+36-1)-4887700  Fax: (+36-1)-4887709  WWW: http://www.2f.hu/

