On Sunday 28 July 2002 08:20 am, you wrote:
> While looking at yesterday's events in /var/log/messages, I noticed a lot
> of iptables messages for TCP:80 (http).  Three IP addresses accounted for the
> majority of the messages.  One of the addresses, 63.209.80.235, happens to
> be from mandrake.com.  Going to http://www.mandrake.com this morning, I saw
> several more of these messages generated.  Can someone explain why mandrake's
> website is sending packets to me from TCP:80?
>
> Thanks.
>
> David
>
>
> ### Here's a typical message:
>
> Jul 27 09:23:53 nic kernel: netmasq: fwall_eth1: accept: IN=eth1 OUT=
> MAC=... SRC=... DST=... LEN=104 TOS=0x00 PREC=0x00 TTL=54 ID=55176 DF
> PROTO=TCP SPT=80 DPT=2736 WINDOW=31728 RES=0x00 ACK PSH URGP=0

SPT = Source Port, DPT = Destination Port

This is completely normal. Without going into too much detail, when you send 
packets to a web server, you'll send them with a DST port of 80 and a SRC 
port of some high port (2736 in this case).

When the server replies to each of your packets, it sends them with a DST 
port of 2736 (in this case). 

So, the web server at mandrake isn't talking to you on port 80. It's talking 
to you on port 2736.  (It's answering your requests.)

*On a side note, for each TCP session (and for a single web page there may be 
several) you'll likely see a different DST port. 

~Brandon
[EMAIL PROTECTED] 
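
The SPT/DPT reading described in this reply, as an added example that is not part of the original message: a Python sketch that parses LOG lines in the format quoted above and separates replies from a service port from new inbound connection attempts. The sample lines, the documentation-range addresses and the port-1024 heuristic are constructed assumptions.

```python
import re

# Constructed sample lines in the LOG format quoted above (not from the thread).
_TMPL = ("Jul 27 09:23:53 nic kernel: netmasq: fwall_eth1: accept: IN=eth1 OUT= "
         "MAC=... SRC={src} DST=198.51.100.7 LEN=104 TOS=0x00 PREC=0x00 TTL=54 "
         "ID=55176 DF PROTO=TCP SPT={spt} DPT={dpt} WINDOW=31728 RES=0x00 "
         "{flags} URGP=0")
SAMPLE = [("192.0.2.10", 80, 2736, "ACK PSH"),   # reply to our request
          ("192.0.2.10", 80, 2737, "ACK"),       # second session, new client port
          ("192.0.2.10", 80, 2736, "ACK FIN"),   # same session closing
          ("203.0.113.5", 40122, 80, "SYN")]     # someone connecting to our port 80
SAMPLE_LOG = "\n".join(_TMPL.format(src=s, spt=sp, dpt=dp, flags=f)
                       for s, sp, dp, f in SAMPLE)

TCP_FLAGS = {"SYN", "ACK", "PSH", "FIN", "RST", "URG"}
KV = re.compile(r"^([A-Z]+)=(.*)$")

def parse_line(line):
    """Split one LOG line into KEY=value fields and bare TCP flag tokens."""
    fields, flags = {}, set()
    for tok in line.split():
        m = KV.match(tok)
        if m:
            fields[m.group(1)] = m.group(2)   # value may be empty, e.g. OUT=
        elif tok in TCP_FLAGS:
            flags.add(tok)
    return fields, flags

def classify(line):
    """Heuristic: is this packet an answer to us, or a new connection to us?"""
    fields, flags = parse_line(line)
    if fields.get("PROTO") != "TCP":
        return "not-tcp"
    spt, dpt = int(fields["SPT"]), int(fields["DPT"])
    if "SYN" in flags and "ACK" not in flags:
        return "new-inbound-connection"       # remote side opens a session to DPT
    if "ACK" in flags and spt < 1024 <= dpt:
        return "server-reply"                 # service port answering a client port
    return "other"

def client_ports_by_server(log_text):
    """Map (SRC, SPT) of each replying server to the client ports it answered."""
    sessions = {}
    for line in log_text.splitlines():
        if classify(line) == "server-reply":
            f, _ = parse_line(line)
            sessions.setdefault((f["SRC"], int(f["SPT"])), set()).add(int(f["DPT"]))
    return sessions
```

Grouping by server shows the side note in practice: one web server at SPT=80 answers several different client DPT values, one per TCP session.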

