From: Fernando Gleiser
Date: Tue, 11 Dec 2001 14:37:54 -0300 (ART)
To: Darryl Hoar
Subject: Re: Firewall_logs
In-Reply-To: <001201c18264$8257b0d0$0701a8c0@darryl>
Message-ID: <20011211142245.V93662-100000@cactus.fi.uba.ar>
Sender: owner-freebsd-questions@FreeBSD.ORG

On Tue, 11 Dec 2001, Darryl Hoar wrote:

> Greetings,
> I was needing some help to decode the following:
>
> Dec 11 00:19:38 darryl ipmon[95]: 00:19:36.910691 xl0 @0:2 b
> jgirls.net[66.40.23.76],http -> 192.168.1.209,4882 PR tcp len 20
> 1492 -A 2216807764 128781 8312 IN
>
> Log entry at 12:19:38 am on machine Darryl by ipmon process (PID 95).
> It came IN on interface xl0. It was from jgirls.net. The IP address
> is 66.40.23.76. It was an http request that came from my internal
> machine 209. After that, I'm lost.

@0:2 : group 0, rule 2.
b : the action. Block in this case.
PR tcp: PRoto tcp
len 20 40: length of the header (20) and the whole packet (1492).
-A : TCP flags. Ack, Fin, Rst, Push, Syn, Urg. This was a single Ack.
The three numbers after the -A are Ack#, Seq# and window size.

Without knowing your ruleset, I can't say why this packet got blocked,
but it can be that the state entry (assuming you keep state on outgoing
connections) expired before the corresponding NAT entry.
I also see some of those log entries when I renew the dhcp lease of my
cable modem.

> Talked with user of machine 209 and he swears on a stack of bibles
> he wasn't here at 12:19am. I'm not sure I believe him.

Well, maybe he left the session open and the browser was in one of those
sites which do "server push". Several news sites do this.

Hope this helps

Fer

> thanks for any help.
>
> -Darryl
>
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-questions" in the body of the message
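The field breakdown in the reply above is easy to turn into a small parser, which is handy when you have a whole day of ipmon output to sift rather than one line. The following Python is an added example, not code from the thread or from ipfilter. It assumes the syslog line layout shown in Darryl's message (timestamp, host, `ipmon[pid]:`, kernel time, interface, `@group:rule`, action letter, `src,port -> dst,port`, `PR proto`, `len hdr total`, optional `-FLAGS n n n`, direction). The first sample line is the one quoted in the thread; the other two are constructed to show a bare-SYN and a UDP entry. The action table covers only `b` (block) and `p` (pass); the three numbers after the flags are kept as a tuple in the order ipmon prints them, which the reply reads as Ack#, Seq# and window size. The `classify` heuristic follows the reply's reasoning: a blocked inbound packet with no SYN is mid-connection traffic that found no matching state or NAT entry.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Constructed sample log. Line 1 is the entry quoted in the thread; lines 2
# and 3 are made up to exercise the SYN and UDP (no-flags) cases.
SAMPLE_LOG = """\
Dec 11 00:19:38 darryl ipmon[95]: 00:19:36.910691 xl0 @0:2 b jgirls.net[66.40.23.76],http -> 192.168.1.209,4882 PR tcp len 20 1492 -A 2216807764 128781 8312 IN
Dec 11 00:20:01 darryl ipmon[95]: 00:20:01.123456 xl0 @0:5 b 10.0.0.5,33201 -> 192.168.1.209,22 PR tcp len 20 60 -S 1000 0 5840 IN
Dec 11 00:20:07 darryl ipmon[95]: 00:20:07.555555 xl0 @0:2 b 10.0.0.9,53 -> 192.168.1.209,1025 PR udp len 20 80 IN
"""

# ipmon single-letter action codes covered here (assumption: only these two).
ACTIONS = {"b": "block", "p": "pass"}
# TCP flag letters as listed in the reply: Ack, Fin, Rst, Push, Syn, Urg.
FLAG_NAMES = {"A": "ACK", "F": "FIN", "R": "RST", "P": "PSH", "S": "SYN", "U": "URG"}

LINE_RE = re.compile(
    r"^(?P<stamp>\w{3}\s+\d+\s+[\d:]+)\s+(?P<host>\S+)\s+ipmon\[(?P<pid>\d+)\]:\s+"
    r"(?P<ktime>[\d:.]+)\s+(?P<iface>\S+)\s+@(?P<group>\d+):(?P<rule>\d+)\s+(?P<action>\S+)\s+"
    r"(?P<src>\S+),(?P<sport>\S+)\s+->\s+(?P<dst>\S+),(?P<dport>\S+)\s+"
    r"PR\s+(?P<proto>\S+)\s+len\s+(?P<hlen>\d+)\s+(?P<plen>\d+)"
    r"(?:\s+-(?P<flags>[AFRPSU]+)\s+(?P<n1>\d+)\s+(?P<n2>\d+)\s+(?P<n3>\d+))?"
    r"\s+(?P<direction>IN|OUT)\s*$"
)
# ipmon prints a resolved name as "name[ip]"; a bare IP has no brackets.
ENDPOINT_RE = re.compile(r"^(?:(?P<name>[^\[]+)\[(?P<ip>[^\]]+)\]|(?P<bare>.+))$")


@dataclass
class IpmonEntry:
    stamp: str
    host: str
    pid: int
    iface: str
    group: int
    rule: int
    action: str
    src_name: Optional[str]
    src_ip: str
    sport: str
    dst_name: Optional[str]
    dst_ip: str
    dport: str
    proto: str
    header_len: int
    packet_len: int
    direction: str
    flags: List[str] = field(default_factory=list)
    tcp_numbers: Tuple[int, ...] = ()  # the three numbers after the flags, in printed order


def split_endpoint(text: str) -> Tuple[Optional[str], str]:
    """Split 'jgirls.net[66.40.23.76]' into (name, ip); a bare IP yields (None, ip)."""
    m = ENDPOINT_RE.match(text)
    if m.group("ip"):
        return m.group("name"), m.group("ip")
    return None, m.group("bare")


def parse_line(line: str) -> Optional[IpmonEntry]:
    """Parse one ipmon syslog line; return None if it does not match the layout."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    src_name, src_ip = split_endpoint(m.group("src"))
    dst_name, dst_ip = split_endpoint(m.group("dst"))
    flags = [FLAG_NAMES[c] for c in (m.group("flags") or "")]
    numbers = tuple(int(m.group(k)) for k in ("n1", "n2", "n3")) if m.group("flags") else ()
    return IpmonEntry(
        stamp=m.group("stamp"), host=m.group("host"), pid=int(m.group("pid")),
        iface=m.group("iface"), group=int(m.group("group")), rule=int(m.group("rule")),
        action=ACTIONS.get(m.group("action"), m.group("action")),
        src_name=src_name, src_ip=src_ip, sport=m.group("sport"),
        dst_name=dst_name, dst_ip=dst_ip, dport=m.group("dport"),
        proto=m.group("proto"), header_len=int(m.group("hlen")), packet_len=int(m.group("plen")),
        direction=m.group("direction"), flags=flags, tcp_numbers=numbers,
    )


def parse_log(text: str) -> List[IpmonEntry]:
    """Parse every recognisable line of an ipmon log, skipping the rest."""
    return [e for e in (parse_line(l) for l in text.splitlines()) if e is not None]


def classify(e: IpmonEntry) -> str:
    """Defender's reading of a blocked entry, following the reply's reasoning."""
    if e.action != "block":
        return "passed"
    if e.proto != "tcp":
        return f"blocked {e.proto} packet"
    if e.flags == ["SYN"]:
        return "blocked new connection attempt (bare SYN)"
    if "SYN" not in e.flags:
        return "blocked mid-connection packet (no SYN): no matching state or NAT entry"
    return "blocked tcp packet"


if __name__ == "__main__":
    for entry in parse_log(SAMPLE_LOG):
        print(f"{entry.stamp} {entry.iface} rule {entry.group}:{entry.rule} "
              f"{entry.src_ip}:{entry.sport} -> {entry.dst_ip}:{entry.dport} "
              f"{entry.proto} {entry.flags} {entry.direction}: {classify(entry)}")
```

Run over a real log, the interesting rows are the "mid-connection, no SYN" ones on an interface where you keep state on outbound connections: a burst of them right after a DHCP renewal or a long idle period matches the expired-state explanation in the reply, whereas bare SYNs to local ports are ordinary unsolicited inbound traffic.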