Matthew Steinblock wrote:
> I am getting the following log entry pretty frequently lately.
>
> Act  TIME             If   Source                  Destination                  Proto
> X17  22:21:53.381441  DMZ  192.168.1.100, port 80  152.163.100.139, port 38345  TCP
>
> The X means blocked. What does the 17 mean? Most entries do not have a
> number under Act, while others will have anything from 2 to 17.
>
> The DMZ is set up to allow everything except LAN. Why is this being
> blocked? Why always a bunch of these entries together with just one
> port difference?
>
> Thanks!
>
>
> Matthew Steinblock
>
Hi,

The "17" means, I think, that this event repeats 17 times.

Traffic from IP 192.168.1.100, port 80, coming from your DMZ interface to
destination address 152.163.100.139, TCP port 38345, is blocked.

You have a firewall rule that blocks and logs that; review your firewall
rules.

Maybe it could be HTTP responses from a web server 192.168.1.100 port 80
to a client 152.163.100.139?

Regards,
Denis
--
/\
/\/ \
O / / Denis Mirassou
@|~| Service Réseaux
/ \| Centre Interuniversitaire de Calcul de Toulouse (C.I.C.T) |
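
An added triage example, not part of either message and not m0n0wall code: it parses entries in the layout quoted in the question, groups blocked packets by source and destination host, and flags groups that fit Denis's suggestion of server replies (well-known source port, high destination port). It assumes the digits after the action letter are a repeat count, as Denis guesses; only the first sample line comes from the thread, the rest are constructed.

```python
import re
from collections import defaultdict

# Constructed sample: first entry is from the thread, the others are made up.
SAMPLE = """\
X17 22:21:53.381441 DMZ 192.168.1.100, port 80 152.163.100.139, port 38345 TCP
X 22:21:53.402310 DMZ 192.168.1.100, port 80 152.163.100.139, port 38346 TCP
X2 22:21:54.118002 DMZ 192.168.1.100, port 80 152.163.100.139, port 38347 TCP
X 22:22:10.000100 DMZ 192.168.1.100, port 51200 192.0.2.7, port 25 TCP
"""

LINE = re.compile(
    r"^(?P<act>[A-Za-z])(?P<count>\d*)\s+(?P<time>\S+)\s+(?P<iface>\S+)\s+"
    r"(?P<src>[\d.]+), port (?P<sport>\d+)\s+"
    r"(?P<dst>[\d.]+), port (?P<dport>\d+)\s+(?P<proto>\S+)$"
)

def parse(line):
    """Return one log entry as a dict, or None if the line does not match."""
    m = LINE.match(line.strip())
    if not m:
        return None
    e = m.groupdict()
    # Assumption (Denis's reading): digits after the action are a repeat count.
    e["count"] = int(e["count"]) if e["count"] else 1
    e["sport"], e["dport"] = int(e["sport"]), int(e["dport"])
    return e

def looks_like_reply(e):
    # Heuristic: a service port talking to a high port suggests a reply packet.
    return e["sport"] < 1024 <= e["dport"]

def summarize(text):
    """Group blocked entries by (interface, source, source port, destination)."""
    groups = defaultdict(lambda: {"packets": 0, "dports": set(), "reply": False})
    for line in text.splitlines():
        e = parse(line)
        if e is None or e["act"] != "X":
            continue
        g = groups[(e["iface"], e["src"], e["sport"], e["dst"])]
        g["packets"] += e["count"]
        g["dports"].add(e["dport"])
        g["reply"] = looks_like_reply(e)
    return dict(groups)

if __name__ == "__main__":
    for key, g in summarize(SAMPLE).items():
        kind = "likely server reply" if g["reply"] else "other"
        print(key, g["packets"], sorted(g["dports"]), kind)
```

A group flagged as a likely server reply, with several adjacent destination ports, points at the rule set on the DMZ interface as the place to look, which is where Denis directs the review.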