 From:  Fred Wright <fw at well dot com>
 To:  m0n0wall at lists dot m0n0 dot ch
 Subject:  Re: [m0n0wall] Log question
 Date:  Sun, 13 Feb 2005 17:24:32 -0800 (PST)
On Fri, 11 Feb 2005, Denis Mirassou wrote:
> Matthew Steinblock wrote:
> > I am getting the following log entry pretty frequently lately.  
> > 
> > Act TIME            If  Source                 Destination                Proto
> > X17 22:21:53.381441 DMZ 192.168.1.100, port 80 152.163.100.139, port 38345 TCP
> > 
> > The X means blocked.  What does the 17 mean?  Most entries do not have a
> > number under Act, while others will have anything from 2 to 17.  
> > 
> > The DMZ is set up to allow everything except LAN.  Why is this being
> > blocked?  Why always a bunch of these entries together with just one
> > port difference? 

> The "17" means, I think, that this event repeats 17 times.

Yes - a simple "compression" hack.

> Traffic from IP 192.168.1.100, port 80 coming from your DMZ interface to 
> destination address 152.163.100.139 port TCP 38345 is blocked.
> You have a firewall rule that blocks and logs that; review your firewall 
> rules.

Not necessarily.

> Maybe it could be http responses from a web server 192.168.1.100 port 80 
> to a client 152.163.100.139 ?

Yes, and quite possibly blocked due to an IPFilter bug, if that connection
would have been allowed.

					Fred Wright
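The log layout and the repeat-count interpretation discussed in this thread lend themselves to a small triage script. The following is an added example, not code from m0n0wall or from anyone on the list: it parses log lines of the form quoted above, expands the "X17"-style repeat count, and groups blocked entries that leave a well-known server port on one internal host for consecutive client ports, which is the pattern Denis and Fred describe (server replies to an existing connection being dropped). The sample lines are constructed, and the letter used for passed entries ("P") is an assumption.

```python
import re
from collections import defaultdict

# Constructed sample in the m0n0wall log layout quoted in the thread
# (Act, time, interface, source, destination, proto). Values are made up;
# "X" = blocked as stated in the thread, "P" for passed is an assumption.
SAMPLE_LOG = """\
X17 22:21:53.381441 DMZ 192.168.1.100, port 80 152.163.100.139, port 38345 TCP
X 22:21:54.102211 DMZ 192.168.1.100, port 80 152.163.100.139, port 38346 TCP
X2 22:21:54.998120 DMZ 192.168.1.100, port 80 152.163.100.139, port 38347 TCP
P 22:22:01.000000 LAN 192.168.2.10, port 51000 10.0.0.5, port 443 TCP
"""

LINE_RE = re.compile(
    r"^(?P<act>[A-Z])(?P<count>\d*)\s+(?P<time>\S+)\s+(?P<iface>\S+)\s+"
    r"(?P<src>[\d.]+), port (?P<sport>\d+)\s+"
    r"(?P<dst>[\d.]+), port (?P<dport>\d+)\s+(?P<proto>\S+)$"
)

def parse_line(line):
    """Parse one log line; 'count' is the repeat count (1 when no digits follow Act)."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    d = m.groupdict()
    d["count"] = int(d["count"]) if d["count"] else 1
    d["blocked"] = d["act"] == "X"
    d["sport"], d["dport"] = int(d["sport"]), int(d["dport"])
    return d

def blocked_reply_candidates(text, server_ports=(80, 443)):
    """Return {(iface, src, sport, dst): (total_hits, sorted dports)} for blocked
    entries whose source is a server port on one host and whose destination
    ports are consecutive, i.e. what a run of dropped server replies looks like."""
    groups = defaultdict(lambda: [0, []])
    for line in text.splitlines():
        e = parse_line(line)
        if not e or not e["blocked"] or e["sport"] not in server_ports:
            continue
        key = (e["iface"], e["src"], e["sport"], e["dst"])
        groups[key][0] += e["count"]          # expand the repeat count
        groups[key][1].append(e["dport"])
    result = {}
    for key, (hits, dports) in groups.items():
        dports.sort()
        consecutive = all(b - a == 1 for a, b in zip(dports, dports[1:]))
        if len(dports) >= 2 and consecutive:
            result[key] = (hits, dports)
    return result
```

A hit like the DMZ web server above is a cue to check state tracking for that rule rather than to add a new block rule.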