RE: [FW1] Scan for web-servers
The packets shouldn't be logged twice. Most likely, the packets dropped by the deny all rule were SYN packets, which would be allowed to traverse the rulebase looking for a match. The subsequent packets dropped by rule 0 were probably something other than SYN packets (SYN-ACK, ACK, etc.) that were being dropped due to no entry being in the state table.

-----Original Message-----
From: Reed Mohn, Anders [mailto:[email protected]]
Sent: Friday, May 18, 2001 8:48 AM
To: Fw-1-Mailinglist (E-mail)
Subject: [FW1] Scan for web-servers

Someone performed a scan of our network, on port 80, the other day.
The logs funny, could someone please enlighten me a little?

First I logged a lot of drops by my last "deny all" rule, for a group of IP addresses. Then followed drops by rule 0 ("unknown established TCP packet"), for the same IP addresses, same source port.

Why both rules? Is there anything in FW-1 that would cause these packets to be logged twice, or were there simply two packets sent to each IP?

Cheers,
Anders RM :)

================================================================================
To unsubscribe from this mailing list, please see the instructions at
http://www.checkpoint.com/services/mailing.html
================================================================================
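The behaviour described in the reply, as a small added model (not part of the original messages and not Check Point code): a bare SYN walks the rulebase and is dropped by the final rule, while a later non-SYN packet with no state-table entry is dropped as rule 0, so two log entries for one address mean two packets. The rulebase, addresses and packet tuples are constructed for illustration.

```python
from collections import defaultdict

# Simplified model of the behaviour described in the reply; not Check Point code.
RULEBASE = [
    # (rule number, destination port or None for any, action) - constructed policy
    (1, 25, "accept"),
    (2, None, "drop"),  # final "deny all" rule
]

def inspect(packets):
    """Return one (rule, action, connection, flags) log entry per packet."""
    state = set()  # connections the rulebase has accepted
    log = []
    for src, sport, dst, dport, flags in packets:
        conn = (src, sport, dst, dport)
        if flags == "S":
            # Bare SYN: walk the rulebase top-down, first match wins.
            for rule, port, action in RULEBASE:
                if port is None or port == dport:
                    break
            if action == "accept":
                state.add(conn)
        elif conn in state:
            rule, action = None, "accept"  # belongs to a known connection
        else:
            # Non-SYN with no state entry: dropped before the rulebase (rule 0).
            rule, action = 0, "drop"
        log.append((rule, action, conn, flags))
    return log

def drops_per_connection(log):
    """Group drop entries by connection to see which rule dropped which packet."""
    out = defaultdict(list)
    for rule, action, conn, flags in log:
        if action == "drop":
            out[conn].append((rule, flags))
    return dict(out)

# Constructed traffic: a SYN, then an ACK from the same source port, to two
# addresses (documentation ranges), matching the pattern in the question.
PACKETS = [
    ("198.51.100.7", 4001, "192.0.2.10", 80, "S"),
    ("198.51.100.7", 4001, "192.0.2.11", 80, "S"),
    ("198.51.100.7", 4001, "192.0.2.10", 80, "A"),
    ("198.51.100.7", 4001, "192.0.2.11", 80, "A"),
]

if __name__ == "__main__":
    for conn, drops in drops_per_connection(inspect(PACKETS)).items():
        print(conn, drops)
```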