On Fri, 11 Feb 2005, Denis Mirassou wrote:

> Matthew Steinblock wrote:
> > I am getting the following log entry pretty frequently lately.
> >
> > Act TIME If Source Destination Proto
> > X17 22:21:53.381441 DMZ 192.168.1.100, port 80 152.163.100.139, port 38345 TCP
> >
> > The X means blocked. What does the 17 mean? Most entries do not have a
> > number under Act, while others will have anything from 2 to 17.
> >
> > The DMZ is set up to allow everything except LAN. Why is this being
> > blocked? Why always a bunch of these entries together with just one
> > port difference?
> The "17" means, I think, that this event repeats 17 times.

Yes - a simple "compression" hack.

> Traffic from IP 192.168.1.100, port 80 coming from your DMZ interface to
> destination address 152.163.100.139 port TCP 38345 is blocked.
> You have a firewall rule that blocks and logs that, review your firewall
> rules.

Not necessarily.

> Maybe it could be HTTP responses from a web server 192.168.1.100 port 80
> to a client 152.163.100.139?

Yes, and quite possibly blocked due to an IPFilter bug, if that connection would have been allowed.

Fred Wright