On 21 Sep 2001, at 10:30, [EMAIL PROTECTED] wrote:
> If you are looking for clues about incoming packets, also look at
> the source address. We seem to have a lot of packets which use a
> well-known in source port to attempt to evade simple packet filters
> that allow "established" connections on well-known ports (http on
> port 80/tcp for instance). In these instances the destination port
> is not that important (generally just slightly > 1024 or >32000).
> The intruders are attempting network mapping looking for the FIN
> versus RST flags.
I've also seen extraneous packets logged at the firewall when, for
instance, an internal client has dropped a connection while data was
en route from the external server -- the firewall has seen the RST
from the client, so when it sees an inbound packet a moment later, it
doesn't match any current session.
(Logging even permitted activity gives you some context in which to
see whether this is happening, or if something else is going on, such
as the mapping scenario above.)
David Gillett
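As an added illustration of both points in this thread (not code from either poster), the following Python classifies inbound TCP packets from a constructed firewall log: a port-only "established" rule would pass any packet arriving from source port 80, whereas tracking the client's outbound SYN and its later RST/FIN distinguishes a genuine reply, a late packet after the client tore the session down, and an unsolicited packet that merely carries a well-known source port. The log format, the WELL_KNOWN set and the 5-second GRACE window are assumptions for the example.

```python
# Added example: classify inbound TCP packets from constructed firewall
# log lines. A stateless "established" rule keyed on a well-known source
# port admits anything crafted with that port; tracking the outbound SYN
# and the client's RST/FIN separates reply, straggler and unsolicited probe.
import re
LINE = re.compile(r"t=(\d+) dir=(in|out) src=(\S+) dst=(\S+) flags=(\S+)")
WELL_KNOWN = {"80", "443", "53"}  # source ports a naive port-only filter trusts
GRACE = 5  # seconds after a client RST/FIN in which late data may still arrive

def parse(line):
    t, direction, src, dst, flags = LINE.search(line).groups()
    return int(t), direction, src, dst, flags

def classify(lines):
    """Return [(src, dst, verdict)] for each inbound packet, in log order."""
    open_sessions = set()  # (internal ip:port, external ip:port)
    closed_at = {}         # same key -> time the client tore the session down
    verdicts = []
    for t, direction, src, dst, flags in map(parse, lines):
        if direction == "out":
            key = (src, dst)
            if "S" in flags and "A" not in flags:   # client SYN opens a session
                open_sessions.add(key)
            elif "R" in flags or "F" in flags:      # client RST/FIN closes it
                open_sessions.discard(key)
                closed_at[key] = t
            continue
        key = (dst, src)   # inbound: the internal host is the destination
        sport = src.rsplit(":", 1)[1]
        if key in open_sessions:
            verdict = "established"
        elif key in closed_at and t - closed_at[key] <= GRACE:
            verdict = "straggler-after-teardown"
        elif sport in WELL_KNOWN:
            verdict = "unsolicited-well-known-sport"  # passes a port-only rule
        else:
            verdict = "unsolicited"
        verdicts.append((src, dst, verdict))
    return verdicts

# Constructed sample log (documentation-range addresses), not real traffic.
SAMPLE_LOG = [
    "t=100 dir=out src=10.0.0.5:40000 dst=203.0.113.9:80 flags=S",
    "t=101 dir=in src=203.0.113.9:80 dst=10.0.0.5:40000 flags=SA",
    "t=102 dir=out src=10.0.0.5:40000 dst=203.0.113.9:80 flags=R",
    "t=103 dir=in src=203.0.113.9:80 dst=10.0.0.5:40000 flags=A",
    "t=200 dir=in src=198.51.100.7:80 dst=10.0.0.8:33000 flags=A",
    "t=201 dir=in src=198.51.100.7:31337 dst=10.0.0.8:1025 flags=S",
]
```

Run `classify(SAMPLE_LOG)` to see the four inbound packets labelled; the one at t=200 is the case a source-port-only rule would have let through.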
_______________________________________________
Firewalls mailing list
[EMAIL PROTECTED]
http://lists.gnac.net/mailman/listinfo/firewalls