
RE: [FW1] Scan for web-servers





Thanks, Todd.

I figured it would be something like that,
but I wasn't sure since I expected any normal
connecting client to wait for the SYN-ACK before
sending anything else.

Cheers,
Anders :)





-----Original Message-----
From: Todd Cravens [mailto:[email protected]]
Sent: 21 May 2001 17:59
To: 'Reed Mohn, Anders'; Fw-1-Mailinglist (E-mail)
Subject: RE: [FW1] Scan for web-servers



The packets shouldn't be logged twice.

Most likely, the packets dropped by the deny all rule were SYN packets,
which would be allowed to traverse the rulebase looking for a match.  The
subsequent packets dropped by rule 0 were probably something other than SYN
packets (SYN-ACK, ACK, etc) that were being dropped due to no entry being in
the state table.
 

-----Original Message-----
From: Reed Mohn, Anders [mailto:[email protected]]
Sent: Friday, May 18, 2001 8:48 AM
To: Fw-1-Mailinglist (E-mail)
Subject: [FW1] Scan for web-servers




Someone performed a scan of our network, on port 80,
the other day. 
The logs look funny, could someone please enlighten me a little?

First I logged a lot of drops by my last "deny all" rule, for
a group of IP addresses.
Then followed drops by rule 0 ("unknown established TCP packet"),
for the same IP addresses, same source port.

Why both rules?

Is there anything in FW-1 that would cause these packets to be logged twice,
or were there simply two packets sent to each IP?

Cheers,
Anders RM :)


================================================================================
     To unsubscribe from this mailing list, please see the instructions at
               http://www.checkpoint.com/services/mailing.html
================================================================================
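
A toy model of the behaviour described in Todd's reply, added here as an illustration; it is not code from the thread or from Check Point. Only a bare SYN is matched against the rulebase, and any other TCP packet with no state-table entry is dropped and logged under rule 0. The rule numbers, the port 25 accept rule and the addresses are constructed assumptions.

```python
from dataclasses import dataclass

SYN, ACK = 0x02, 0x10  # TCP flag bits

@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: int

class StatefulFilter:
    """Simplified stateful filter; an assumption-based model, not FW-1's real logic."""

    def __init__(self, rules):
        # rules: ordered (rule_number, dst_port or None for "any", action)
        self.rules = rules
        self.state = set()  # connections opened by an accepted SYN

    def inspect(self, p):
        """Return (rule_number, action) as the packet would appear in the log."""
        key = (p.src, p.sport, p.dst, p.dport)
        if p.flags == SYN:
            # New connection attempt: walk the rulebase top-down.
            for number, dport, action in self.rules:
                if dport is None or dport == p.dport:
                    if action == "accept":
                        self.state.add(key)
                    return number, action
            return None, "drop"  # no rule matched: implicit drop
        if key in self.state:
            return None, "accept"  # belongs to a tracked connection
        return 0, "drop"  # "unknown established TCP packet"

def replay(fw, packets):
    """Run packets through the filter and collect the resulting log entries."""
    return [(p.src, p.sport, p.dst, p.dport, *fw.inspect(p)) for p in packets]

# Constructed rulebase: rule 1 accepts SMTP, rule 2 is the final "deny all".
RULES = [(1, 25, "accept"), (2, None, "drop")]

# Constructed scan: a SYN and then a non-SYN packet to each target, same source port.
SCAN = [Packet("198.51.100.7", 4000, dst, 80, flags)
        for dst in ("192.0.2.10", "192.0.2.11") for flags in (SYN, ACK)]

if __name__ == "__main__":
    for entry in replay(StatefulFilter(RULES), SCAN):
        print(entry)
```

Each scanned address yields two log entries with the same source port: one from the last rule for the SYN and one from rule 0 for the follow-up packet, matching the pattern in the original question.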

