Date:      Tue, 11 Dec 2001 14:37:54 -0300 (ART)
From:      Fernando Gleiser <fgleiser@cactus.fi.uba.ar>
To:        Darryl Hoar <darryl@osborne-ind.com>
Cc:        <freebsd-questions@FreeBSD.ORG>
Subject:   Re: Firewall_logs
Message-ID:  <20011211142245.V93662-100000@cactus.fi.uba.ar>
In-Reply-To: <001201c18264$8257b0d0$0701a8c0@darryl>

On Tue, 11 Dec 2001, Darryl Hoar wrote:

> Greetings,
> I was needing some help to decode the following:
>
> Dec 11 00:19:38 darryl ipmon[95]: 00:19:36.910691 xl0 @0:2 b
> jgirls.net[66.40.23.76],http -> 192.168.1.209,4882 PR tcp len 20
> 1492 -A 2216807764 128781 8312 IN
>
> Log entry at 12:19:38 am on machine Darryl by ipmon process (PID 95).
> It came IN on interface xl0.  It was from jgirls.net The ip address
> is 66.40.23.76.  It was an http request that came from my internal
> machine 209.  After that, I'm lost.


@0:2 : group 0, rule 2.
b : the action. Block in this case.
PR tcp: PRoto tcp
len 20 40: length of the header (20) and the whole packet (1492).
-A : TCP flags. Ack, Fin, Rst, Push, Syn, Urg. This was a single Ack.
The three numbers after the -A are Ack#, Seq# and window size.

Without knowing your ruleset, I can't say why this packet got blocked, but
it can be that the state entry (assuming you keep state on outgoing
connections) expired before the corresponding NAT entry.

I also see some of those log entries when I renew the dhcp lease of my
cable modem.

>
> Talked with user of machine 209 and he swears on a stack of bibles
> he wasn't here at 12:19am.  I'm not sure I believe him.

Well, maybe he left the session open and the browser was in one of those
sites which do "server push". Several news sites do this.


Hope this helps


				Fer


>
> thanks for any help.
>
> -Darryl
>
>
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-questions" in the body of the message
>
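The field-by-field decoding in the reply above can be turned into a small parser, which is useful when a log grows past the point where reading entries by hand is practical. The following Python is an added example and is not part of the original thread or of ipmon itself. It rejoins the quoted entry onto one line and parses every field the reply names (group:rule, action, protocol, header and packet length, TCP flags, the three numbers after the flags in the order the reply gives them, and direction). The second sample line, an inbound SYN, is constructed for contrast, and the `classify` heuristic only encodes the reply's reasoning that a lone inbound ACK with no SYN is most often a late packet for a connection whose state entry has already expired, not a connection attempt.

```python
import re
from dataclasses import dataclass
from typing import Optional, Union

# Constructed sample input: the ipmon entry quoted in the thread, rejoined
# onto a single line (the mail client had wrapped it).
SAMPLE_LINE = (
    "Dec 11 00:19:38 darryl ipmon[95]: 00:19:36.910691 xl0 @0:2 b "
    "jgirls.net[66.40.23.76],http -> 192.168.1.209,4882 PR tcp len 20 "
    "1492 -A 2216807764 128781 8312 IN"
)

# Constructed contrast line (not from the thread): a blocked inbound SYN.
# 203.0.113.5 is a documentation address, not a real host.
SYN_LINE = (
    "Dec 11 03:02:11 darryl ipmon[95]: 03:02:10.004512 xl0 @0:2 b "
    "203.0.113.5,41234 -> 192.168.1.209,22 PR tcp len 20 60 -S 0 3921055 16384 IN"
)

# TCP flag letters as listed in the reply.
FLAG_NAMES = {"A": "ACK", "F": "FIN", "R": "RST", "P": "PSH", "S": "SYN", "U": "URG"}

# Layout: "<syslog ts> <host> ipmon[<pid>]: <pkt ts> <iface> @<group>:<rule> <action>
#          <src>[,port] -> <dst>,<port> PR <proto> len <hdr> <pkt> [-<flags> n n n] <IN|OUT>"
# A resolved name appears as "name[a.b.c.d]"; an unresolved one is just "a.b.c.d".
IPMON_RE = re.compile(
    r"^(?P<syslog_ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) "
    r"(?P<host>\S+) ipmon\[(?P<pid>\d+)\]: "
    r"(?P<pkt_ts>\d\d:\d\d:\d\d\.\d+) (?P<iface>\S+) "
    r"@(?P<group>\d+):(?P<rule>\d+) (?P<action>[bp]) "
    r"(?:(?P<src_name>[^\s\[]+)\[)?(?P<src_ip>\d+(?:\.\d+){3})\]?,(?P<src_port>\S+) -> "
    r"(?:(?P<dst_name>[^\s\[]+)\[)?(?P<dst_ip>\d+(?:\.\d+){3})\]?,(?P<dst_port>\S+) "
    r"PR (?P<proto>\S+) len (?P<hlen>\d+) (?P<plen>\d+)"
    r"(?: -(?P<flags>[A-Z]+) (?P<ack>\d+) (?P<seq>\d+) (?P<win>\d+))?"
    r" (?P<direction>IN|OUT)\s*$"
)


@dataclass
class IpmonEntry:
    host: str
    iface: str
    group: int
    rule: int
    action: str                    # 'b' = block, 'p' = pass
    src_ip: str
    src_port: Union[int, str]      # ipmon prints a service name when it knows one
    dst_ip: str
    dst_port: Union[int, str]
    proto: str
    header_len: int
    packet_len: int
    direction: str                 # 'IN' or 'OUT'
    flags: frozenset = frozenset() # TCP flag letters, empty for non-TCP
    ack: Optional[int] = None      # the three numbers after the flags, in the
    seq: Optional[int] = None      # order given in the reply: ack, seq, window
    window: Optional[int] = None
    src_name: Optional[str] = None


def _port(text: str) -> Union[int, str]:
    return int(text) if text.isdigit() else text


def parse_ipmon(line: str) -> IpmonEntry:
    """Parse one ipmon syslog line; raises ValueError on anything else."""
    m = IPMON_RE.match(line)
    if m is None:
        raise ValueError("not an ipmon log line: %r" % line)
    return IpmonEntry(
        host=m["host"], iface=m["iface"],
        group=int(m["group"]), rule=int(m["rule"]), action=m["action"],
        src_ip=m["src_ip"], src_port=_port(m["src_port"]),
        dst_ip=m["dst_ip"], dst_port=_port(m["dst_port"]),
        proto=m["proto"], header_len=int(m["hlen"]), packet_len=int(m["plen"]),
        direction=m["direction"],
        flags=frozenset(m["flags"]) if m["flags"] else frozenset(),
        ack=int(m["ack"]) if m["ack"] else None,
        seq=int(m["seq"]) if m["seq"] else None,
        window=int(m["win"]) if m["win"] else None,
        src_name=m["src_name"],
    )


def flag_names(flags: frozenset) -> list:
    """Expand flag letters to names, in a fixed order; unknown letters pass through."""
    return [FLAG_NAMES.get(f, f) for f in "AFRPSU" if f in flags]


def classify(entry: IpmonEntry) -> str:
    """Illustrative reading of a blocked entry, following the reply's reasoning:
    a lone ACK arriving inbound belongs to a conversation the state table has
    already forgotten; a bare SYN is a fresh connection attempt."""
    if entry.action != "b":
        return "passed"
    if entry.proto != "tcp":
        return "blocked non-tcp"
    if entry.flags == frozenset("A"):
        return "blocked stale-state ack" if entry.direction == "IN" else "blocked stray ack"
    if "S" in entry.flags and "A" not in entry.flags:
        return "blocked connection attempt"
    return "blocked other"


if __name__ == "__main__":
    for line in (SAMPLE_LINE, SYN_LINE):
        e = parse_ipmon(line)
        print("%s rule %d:%d %s %s:%s -> %s:%s flags=%s -> %s" % (
            e.direction, e.group, e.rule, e.proto, e.src_ip, e.src_port,
            e.dst_ip, e.dst_port, "".join(sorted(e.flags)), classify(e)))
```

Running the block prints one summary per sample; feeding it the output of `ipmon -s` from a file (one call to `parse_ipmon` per line) is enough to count blocked lone-ACK entries per rule and see whether they cluster around the lease renewals and long-lived browser sessions the reply mentions.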
