> Eduard Ballester <[EMAIL PROTECTED]> [2003-11-12 13:53]:
>
> Hi
>
> We have a lot of strange log entries in our NetScreen FireWall:
> ------------------------------------------------
> Nov 12 11:42:51 172.20.125.1 NSNAME: NetScreen device_id=NSNAME
> [MYISP]system-notification-00257(traffic): start_time="2003-11-12
> 11:42:10" duration=0 policy_id=51 service=tcp/port:20158 proto=6 src
> zone=Trust-XXX dst zone=Untrust action=Deny sent=0 rcvd=0
> src=62.XX.YYY.ZZZ dst=80.58.50.239 src_port=80 dst_port=20158
> ------------------------------------------------
>
> * 62.XX.YYY.ZZZ is a server with Apache1.3.x that only serves
>   static pages.
> * All the NICs have Public IP Address.
>
>
>            Internet
>               |
>               |
>           NetScreen
>               |
>               |
>      Alteon(load balance)
>       |_____________________
>       |      |      |      |
>    Apache1      ...     ApacheN
>
>
> Do you know why Apache has this behavior? Why Apache initiates the
> connections with src_port 80 and random dst_port?
>
Apache does not initiate the connection. It listens on Port 80.
Whenever it sends out a reply to a connection, of course, it sends back
off port 80.

Exactly this is what you see in your log:

    src=62.XX.YYY.ZZZ -> dst=80.58.50.239
    src_port=80       -> dst_port=20158

HTH. Otherwise ask.

wbr,
Lukas
-- 
Lukas Ruf           | Wanna know anything about raw |
<http://www.lpr.ch> | IP?   <http://www.rawip.org>  |
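
Added example, not part of the original thread: a small Python triage script that parses NetScreen traffic log lines like the one quoted above and labels each denied entry as a server reply or a client request from its port pair. The function names, the `service_ports` parameter and the second sample line (documentation addresses) are assumptions made for illustration.

```python
import re
from collections import Counter

# key=value pairs; values may be quoted, and the zone keys contain a space
# ("src zone=", "dst zone=").
FIELD_RE = re.compile(r'((?:src |dst )?\w+)=("[^"]*"|\S+)')

def parse_traffic_log(line):
    """Return the key=value fields of one traffic log line as a dict."""
    return {k: v.strip('"') for k, v in FIELD_RE.findall(line)}

def classify(fields, service_ports=frozenset({80})):
    """Decide which end of the flow is the server from the two port numbers.

    service_ports: ports the protected hosts listen on (assumption: supplied
    by the operator; 80 matches the Apache servers in the post).
    """
    sport, dport = int(fields["src_port"]), int(fields["dst_port"])
    if sport in service_ports and dport not in service_ports:
        return "server-reply"      # packet leaves the listening port
    if dport in service_ports and sport not in service_ports:
        return "client-request"    # packet is addressed to the listening port
    return "unknown"

def summarize_denies(lines, service_ports=frozenset({80})):
    """Count denied entries per classification."""
    counts = Counter()
    for line in lines:
        f = parse_traffic_log(line)
        if f.get("action") == "Deny" and "src_port" in f and "dst_port" in f:
            counts[classify(f, service_ports)] += 1
    return counts

PREFIX = ("Nov 12 11:42:51 172.20.125.1 NSNAME: NetScreen device_id=NSNAME "
          "[MYISP]system-notification-00257(traffic): ")
SAMPLE = [
    # Entry quoted in the post (addresses masked by the poster).
    PREFIX + 'start_time="2003-11-12 11:42:10" duration=0 policy_id=51 '
    "service=tcp/port:20158 proto=6 src zone=Trust-XXX dst zone=Untrust "
    "action=Deny sent=0 rcvd=0 src=62.XX.YYY.ZZZ dst=80.58.50.239 "
    "src_port=80 dst_port=20158",
    # Constructed entry for contrast: an inbound request to port 80.
    PREFIX + 'start_time="2003-11-12 11:43:01" duration=0 policy_id=7 '
    "service=http proto=6 src zone=Untrust dst zone=Trust-XXX action=Deny "
    "sent=0 rcvd=0 src=198.51.100.7 dst=192.0.2.10 src_port=51515 dst_port=80",
]

if __name__ == "__main__":
    for kind, n in summarize_denies(SAMPLE).items():
        print(f"{kind}: {n}")
```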