> I have seen these as well. I just opened source and dest port 25 for my
> smtp server - but some servers seem to have their source all over the
> place - I got rid of the port restriction on the smtp and no more errors.
> I would have liked to lock it down to 25/25, but ...
The source port can (and will) change with each connection. That's normal, and does not negatively affect the way the firewall works. But for standard email (or practically any other protocol, for that matter), the destination port will _always_ be the same. SMTP is destination port 25, period. How else would the sending server know what port to connect to on the destination? Connection attempts to any other port are going to be the result of a misconfigured server (on the sending side), a port scan, or an intrusion attempt. You don't want to accept any of these.

Also, the source port being 25 doesn't mean it's SMTP. It could be (and probably is) an attempt to disguise the true payload.

That IP address belongs to excite.com -- I'll bet they're doing what doubleclick does. When you connect to them, they port scan you back. They claim to do this to determine which server (geographically speaking) is best to answer your request. Check your logs again. I'll wager that, just before these errors occur, you find an outgoing (PRO->EXT or PSN->EXT) web browse to that IP. Every time one of your users hits that server, it hits them back...

But man, don't open up services just to get rid of error messages in your log files, jeez, that's crazy. Would you rather have errors in your logs or intruders in your servers?

-- 
Alex Howansky
Wankwood Associates
http://www.wankwood.com/
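The two points in the reply above (match SMTP on destination port only, and look for an outbound browse to the same external IP just before the inbound "errors") as a worked example. This is added illustration code, not part of the original mailing-list thread and not any real firewall's rule syntax: the `Rule` class, the log line format and all IP addresses, ports and timestamps are constructed for the example.

```python
"""Destination-port-only SMTP rule versus a source+destination rule, plus a
log check for scan-backs that follow an outbound web browse.

Hypothetical, simplified rule and log formats; not from any real product.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Rule:
    """A single allow rule; None means 'any port'."""
    name: str
    src_port: Optional[int]
    dst_port: Optional[int]

    def matches(self, src_port: int, dst_port: int) -> bool:
        return ((self.src_port is None or self.src_port == src_port) and
                (self.dst_port is None or self.dst_port == dst_port))


# Weak rule: pins both sides to 25, so it drops normal senders whose
# ephemeral source port is not 25.
WEAK_SMTP_RULE = Rule("smtp-25-to-25", src_port=25, dst_port=25)

# Corrected rule: any source port, destination port 25 only.  Still drops
# probes that use source port 25 against non-SMTP destination ports.
GOOD_SMTP_RULE = Rule("smtp-any-to-25", src_port=None, dst_port=25)

# Constructed inbound connection attempts: (src_port, dst_port, description).
ATTEMPTS = [
    (25, 25, "legacy sender using source port 25"),
    (43211, 25, "normal sender using an ephemeral source port"),
    (25, 80, "source port 25 to web port: not SMTP"),
    (25, 139, "source port 25 to NetBIOS: not SMTP"),
]


def evaluate(rule: Rule, attempts) -> dict:
    """Map each attempt's description to ACCEPT or DROP under the given rule."""
    return {desc: ("ACCEPT" if rule.matches(s, d) else "DROP")
            for s, d, desc in attempts}


# Constructed log lines in a hypothetical format:
#   <HH:MM:SS> <direction> <src_ip> <dst_ip> <dst_port>
# PRO->EXT is an outbound browse from the protected network; EXT->PRO is inbound.
LOG = """\
10:00:01 PRO->EXT 10.0.0.5 198.51.100.7 80
10:00:03 EXT->PRO 198.51.100.7 10.0.0.5 25
10:00:03 EXT->PRO 198.51.100.7 10.0.0.5 139
10:05:00 EXT->PRO 203.0.113.9 10.0.0.5 25
"""


def _secs(hhmmss: str) -> int:
    h, m, s = (int(x) for x in hhmmss.split(":"))
    return h * 3600 + m * 60 + s


def correlate_scanbacks(log_text: str, window_seconds: int = 60) -> list:
    """For each inbound attempt, report whether the same external IP was
    browsed outbound within window_seconds beforehand.

    Returns a list of (time, external_ip, dst_port, preceded_by_outbound).
    """
    outbound = []   # (seconds, external ip we connected to)
    findings = []
    for line in log_text.splitlines():
        t, direction, src, dst, port = line.split()
        if direction.endswith("->EXT"):
            outbound.append((_secs(t), dst))
            continue
        now = _secs(t)
        preceded = any(ip == src and 0 <= now - when <= window_seconds
                       for when, ip in outbound)
        findings.append((t, src, int(port), preceded))
    return findings


if __name__ == "__main__":
    for rule in (WEAK_SMTP_RULE, GOOD_SMTP_RULE):
        print(rule.name)
        for desc, verdict in evaluate(rule, ATTEMPTS).items():
            print(f"  {verdict:6} {desc}")
    print("scan-back check:")
    for t, ip, port, preceded in correlate_scanbacks(LOG):
        print(f"  {t} {ip}:{port} preceded by outbound browse: {preceded}")
```

Under the weak rule the ordinary sender on port 43211 is dropped, which is exactly the "errors" the quoted poster saw; under the corrected rule it is accepted while the port-25-to-80 and port-25-to-139 probes are still dropped. The correlation pass flags the two inbound hits from 198.51.100.7 as following an outbound browse two seconds earlier, and leaves the unrelated 203.0.113.9 attempt unflagged.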
