On 19.12.2004 23:08 -0700, anders knudsen wrote:
> I've been steadily adding many large known spammer networks to the
> top of my firewall rules, blocking them completely...or so I
> I have a rule to block 220.127.116.11/8, and not log them, but just today
> got these entries. I would have expected these below to be silently
> @25 block in quick from 18.104.22.168/8 to any group 200
> FYI, my m0n0wall is running in PPPoE mode via a bridged DSL modem.
> Any ideas/comments?
These are TCP RSTs that probably came in without a SYN preceding
them, which is why the rule that ensures that all new TCP connections
must start with a SYN gets them (skip 1 in proto tcp from any to any
flags S/FSRA / block in log quick proto tcp from any to any).
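
The rule ordering described in the reply, as an added example that is not part of the original message or of m0n0wall's own code: a minimal Python model of ipfilter-style evaluation (skip, quick, flags value/mask) showing why a stray RST from a blocked network is logged while a SYN from the same network is dropped silently. Assumptions: the SYN-check pair is evaluated before the user's block rule, rule groups are ignored, and the network and addresses are constructed placeholders.

```python
import ipaddress

# TCP flag bits as they appear in the TCP header
FIN, SYN, RST, ACK = 0x01, 0x02, 0x04, 0x10
FSRA = FIN | SYN | RST | ACK

# Constructed placeholder network standing in for the blocked spammer range.
BLOCKED_NET = ipaddress.ip_network("198.51.100.0/24")

# Simplified ruleset in evaluation order (assumed order, groups ignored).
RULES = [
    # skip 1 in proto tcp from any to any flags S/FSRA
    {"name": "skip-syn", "action": "skip", "skip": 1, "proto": "tcp",
     "flags": (SYN, FSRA)},
    # block in log quick proto tcp from any to any
    {"name": "non-syn", "action": "block", "quick": True, "log": True,
     "proto": "tcp"},
    # block in quick from <blocked net> to any (no log keyword)
    {"name": "spammer", "action": "block", "quick": True, "log": False,
     "src": BLOCKED_NET},
]

def matches(rule, pkt):
    if "proto" in rule and rule["proto"] != pkt["proto"]:
        return False
    if "src" in rule and ipaddress.ip_address(pkt["src"]) not in rule["src"]:
        return False
    if "flags" in rule:
        want, mask = rule["flags"]
        if (pkt.get("flags", 0) & mask) != want:
            return False
    return True

def evaluate(pkt, rules=RULES):
    """Return (deciding rule name, logged?) for one inbound packet."""
    decided = ("no-match", False)
    i = 0
    while i < len(rules):
        rule = rules[i]
        if matches(rule, pkt):
            if rule["action"] == "skip":
                i += 1 + rule["skip"]   # jump over the next N rules
                continue
            decided = (rule["name"], rule.get("log", False))
            if rule.get("quick"):
                break                   # quick: stop at first match
        i += 1
    return decided
```

Placing the silent block rule ahead of the SYN-check pair in this model makes the RST case return `("spammer", False)` instead.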