 From:  "Matthew Steinblock" <matthew at mksolutions dot net>
 To:  <m0n0wall at lists dot m0n0 dot ch>
 Subject:  RE: [m0n0wall] Log question
 Date:  Fri, 11 Feb 2005 08:53:17 -0500
That is strange, as I have only one rule in the DMZ, just as specified in the documentation.

Permit DMZ to * BUT LAN  

The only thing getting blocked should be something from the DMZ going to LAN, not WAN.

Matthew Steinblock


Mobile Computer Specialists

PO Box 341
Auburn, NE 68305


-----Original Message-----
From: Denis Mirassou [mailto:Mirassou at cict dot fr] 
Sent: Friday, February 11, 2005 1:50 AM
To: Matthew Steinblock
Cc: m0n0wall at lists dot m0n0 dot ch
Subject: Re: [m0n0wall] Log question

Matthew Steinblock wrote:
> I am getting the following log entry pretty frequently lately.
> Act TIME            If  Source    Destination    Proto
> X17 22:21:53.381441 DMZ , port 80 , port 38345   TCP
> The X means blocked.  What does the 17 mean?  Most entries do not have 
> a number under Act, while others will have anything from 2 to 17.
> The DMZ is set up to allow everything except LAN.  Why is this being 
> blocked?  Why always a bunch of these entries together with just one 
> port difference?
> Thanks!
> Matthew Steinblock


The "17" means, I think, that this event repeats 17 times.
Traffic from IP, port 80 coming from your DMZ interface to destination address, port TCP 38345 is blocked.
You have a firewall rule that blocks and logs that; review your firewall rules.

Maybe it could be HTTP responses from a web server port 80 to a client.



      /\/  \
  O  / / Denis Mirassou
@|~|  Service Réseaux
/ \| Centre Interuniversitaire de Calcul de Toulouse (C.I.C.T)
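The log layout discussed in this thread (Act, time, interface, source with port, destination with port, protocol) is easy to mis-read when many near-identical lines arrive together. The following parser is an added example, not code from m0n0wall or from either poster: it splits each line into fields, reads the "X" in the Act column as "blocked" (as the original question states) and treats a trailing number such as "X17" as a repeat count and a bare "X" as a single event, which is Denis's interpretation, assumed here. It then weights blocked events by that count and flags lines whose shape is a server reply (well-known source port, high destination port), the pattern Denis suggests for the port-80 entries. The sample lines and the 192.0.2.x / 198.51.100.x addresses are constructed for this example; the archive stripped the real addresses from the quoted post.

```python
import re
from collections import Counter
from dataclasses import dataclass

# Constructed sample in the layout shown in the thread. Addresses are
# documentation ranges (RFC 5737), not values from the list post.
SAMPLE_LOG = """\
X17 22:21:53.381441 DMZ 192.0.2.10, port 80 198.51.100.7, port 38345 TCP
X 22:21:54.012345 DMZ 192.0.2.10, port 80 198.51.100.7, port 38346 TCP
X2 22:21:55.500000 DMZ 192.0.2.10, port 80 198.51.100.7, port 38347 TCP
X 22:30:01.000000 DMZ 192.0.2.20, port 44123 10.0.0.5, port 445 TCP
"""

# Act letter, optional repeat count, time, interface, "src, port N", "dst, port N", proto.
LINE_RE = re.compile(
    r"^(?P<act>[A-Za-z])(?P<repeat>\d+)?\s+"
    r"(?P<time>\d{2}:\d{2}:\d{2}\.\d+)\s+"
    r"(?P<iface>\S+)\s+"
    r"(?P<src>\S+), port (?P<sport>\d+)\s+"
    r"(?P<dst>\S+), port (?P<dport>\d+)\s+"
    r"(?P<proto>\S+)$"
)


@dataclass
class LogEntry:
    act: str
    repeat: int  # assumed: number after the Act letter = times the event repeated
    time: str
    iface: str
    src: str
    sport: int
    dst: str
    dport: int
    proto: str

    @property
    def blocked(self) -> bool:
        # "X" in the Act column means the packet was blocked (from the question).
        return self.act == "X"


def parse_line(line: str) -> LogEntry:
    m = LINE_RE.match(line.strip())
    if not m:
        raise ValueError(f"unrecognised log line: {line!r}")
    return LogEntry(
        act=m["act"],
        repeat=int(m["repeat"]) if m["repeat"] else 1,
        time=m["time"],
        iface=m["iface"],
        src=m["src"],
        sport=int(m["sport"]),
        dst=m["dst"],
        dport=int(m["dport"]),
        proto=m["proto"],
    )


def parse_log(text: str) -> list:
    return [parse_line(l) for l in text.splitlines() if l.strip()]


def looks_like_reply_traffic(e: LogEntry) -> bool:
    # Well-known service port as source and an ephemeral port as destination is
    # the shape of a server answering a client, which is what Denis suggests
    # for the port-80 entries. A run of such blocks from one server, differing
    # only in destination port, is worth checking against the rule that logs it.
    return e.sport < 1024 and e.dport >= 1024


def summarize_blocked(entries: list) -> Counter:
    # Weight each line by its repeat count so "X17" contributes 17 events,
    # keyed by interface, source address, source port and protocol.
    counts = Counter()
    for e in entries:
        if e.blocked:
            counts[(e.iface, e.src, e.sport, e.proto)] += e.repeat
    return counts


if __name__ == "__main__":
    entries = parse_log(SAMPLE_LOG)
    for key, n in summarize_blocked(entries).most_common():
        print(f"{n:4d} blocked  {key}")
    for e in entries:
        if e.blocked and looks_like_reply_traffic(e):
            print(f"reply-shaped block: {e.src}:{e.sport} -> {e.dst}:{e.dport} ({e.proto})")
```

Running it on the sample prints 20 blocked events for the DMZ web server on port 80 (17 + 1 + 2) and one for the other host, and marks the three port-80 lines as reply-shaped; the single high-port-to-445 line is not.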