As far as I understand, the reasons for dropping packets on rule 0 are:
1. Connections established before the policy was loaded
2. Connections established before fw was loaded
3. Connections which were inactive longer than the timeout specified in policy
properties
4. Antispoofing rules
5. SYN

I implemented some setup (alerts+rule) that allows me not to log those scanning
attempts, thus preventing my log from being overflooded.
BUT: some port-scanning attacks are dropped on rule 0, and that I cannot explain......
None of the reasons mentioned above looks good enough to explain why those attacks
are dropped by rule 0. If anyone has some info, please share it.



