This question has been answered before many times. Check the archives. Basically what you are seeing are most likely late packets returning from a web server that was contacted by some host behind the GNAT Box. The f=0x11 are the TCP flags (hex 11) on the packet, (check the archives for the description of these flags). I think you'll find this is something like an ACK OR'd with a FIN or something similar.
The reason for the blocks is that the packets did not return in the allotted time and thus the connection was removed from the state table in the GNAT Box kernel. When the packets arrive on the GNAT Box's external NIC, the system has no record of them and hence they are blocked.

If these messages bother you, simply create a remote access filter like this:

    Block but don't log late web server packets
    Deny TCP EXT nolog 0.0.0.0/0.0.0.0 80 0.0.0.0/0.0.0.0

This filter of course will not block good packets since the stateful inspection will process the packets before the Remote Access filter gets them.

Paul

>Send postings to: [EMAIL PROTECTED]
>Access the list archives at:
>http://www.gnatbox.com/gb-users/
>----------------------------------
>Hi Rob,
>I asked about this a ways back and got nada from the group but
>here's what I have learnt since:
>
>The unix experts where I work could not really explain it to me but
>did show what was happening.
>Lots of web sites have one address as a front door that you first
>connect to and they then redirect the connection to those same ports
>that were opened but from another IP address. I think it's so that
>they can have specific IPs deal with specific requests.
>
>I also get this all the time in my log. It seems to be mainly
>associated with secure transactions but not always. Amazon certainly
>does it as does hotmail. The part I don't understand is why there is
>not some kind of redirection message sent back to our hosts so that
>they can open up the connection from our end. I tried to track if
>there were any RIP messages associated but didn't trap any.
>Also I was thinking that there might be some tricky way to set a
>filter that would allow redirects but only from the same IP block.
>Not sure what the security implications of that would be...
>perhaps some knowledgeable person here can help us gain insight....
>--
>
>On Sat, 26 Feb 2000 11:49:13 Rob Genovesi wrote:
>>My turn to ask .... why do so many webservers try to make connections back
>>to the clients? My logfile fills up with plenty of the such:
>>
>>Feb 26 11:44:50 dslNAT.coastside.net FILTER: Remote access filter blocks:
>>TCP ed1 [208.202.218.144/80]->[63.196.11.50/41152] l=0 f=0x11.
>>Feb 26 11:44:52 dslNAT.coastside.net FILTER: Remote access filter blocks:
>>TCP ed1 [208.202.218.144/80]->[63.196.11.50/41059] l=1460 f=0x10.
>>Feb 26 11:44:52 dslNAT.coastside.net FILTER: Remote access filter blocks:
>>TCP ed1 [208.202.218.144/80]->[63.196.11.50/41059] l=837 f=0x19.
>>
>>Any guesses as to what is happening here? The site in question here is
>>amazon.com, but I get messages like this from all over the place.
>>
>>Thanks,
>>
>> Rob
>>
>>----------------------------------------------
>>To Unsubscribe: send mail to [EMAIL PROTECTED]
>>with "unsubscribe gb-users your_email_address
>>in the body of the message

-------------------------------------------------------------------------
Paul Emerson                          Tel: +1.407.380.0220 x106
Global Technology Associates, Inc.    Fax: +1.407.380.6080
3505 Lake Lynda Drive                 Mobile: +1.407.310.8564
Suite 109                             Pager: +1.888.440.8232
Orlando, Florida 32817                Email: [EMAIL PROTECTED]
USA                                   Web: http://www.gta.com
                                      Mobile Email: [EMAIL PROTECTED]
-------------------------------------------------------------------------
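The flag decoding discussed in this thread, as an added example that is not part of the original messages or of GTA's software: it parses the three log entries quoted above and names the TCP flag bits in the `f=` field. The names `parse_entry`, `decode_flags` and `reply_segment` are hypothetical, and treating "ACK set, SYN clear" as a segment of an already opened connection is an assumption of the example.

```python
import re

# TCP flag bits as defined in RFC 793 (low six bits of the flags byte).
TCP_FLAGS = [(0x01, "FIN"), (0x02, "SYN"), (0x04, "RST"),
             (0x08, "PSH"), (0x10, "ACK"), (0x20, "URG")]

# Packet part of a "Remote access filter blocks" entry, in the layout
# quoted in the thread: TCP <nic> [src/port]->[dst/port] l=<len> f=0x<flags>
ENTRY = re.compile(
    r"TCP\s+(?P<nic>\S+)\s+"
    r"\[(?P<src>[\d.]+)/(?P<sport>\d+)\]->"
    r"\[(?P<dst>[\d.]+)/(?P<dport>\d+)\]\s+"
    r"l=(?P<length>\d+)\s+f=0x(?P<flags>[0-9a-fA-F]+)")

def decode_flags(value):
    """Return the names of the flag bits set in a TCP flags byte."""
    return [name for bit, name in TCP_FLAGS if value & bit]

def parse_entry(line):
    """Parse one log entry; return a dict, or None if it does not match."""
    m = ENTRY.search(line)
    if m is None:
        return None
    value = int(m["flags"], 16)
    return {
        "src": m["src"], "sport": int(m["sport"]),
        "dst": m["dst"], "dport": int(m["dport"]),
        "length": int(m["length"]),
        "flags": decode_flags(value),
        # Assumption of this example: ACK set with SYN clear marks a segment
        # of an already opened connection, not a new connection attempt.
        "reply_segment": bool(value & 0x10) and not (value & 0x02),
    }

# The three entries from the original post, quote markers and wraps removed.
PREFIX = "dslNAT.coastside.net FILTER: Remote access filter blocks: TCP ed1 "
SAMPLE = [
    "Feb 26 11:44:50 " + PREFIX + "[208.202.218.144/80]->[63.196.11.50/41152] l=0 f=0x11.",
    "Feb 26 11:44:52 " + PREFIX + "[208.202.218.144/80]->[63.196.11.50/41059] l=1460 f=0x10.",
    "Feb 26 11:44:52 " + PREFIX + "[208.202.218.144/80]->[63.196.11.50/41059] l=837 f=0x19.",
]

if __name__ == "__main__":
    for line in SAMPLE:
        e = parse_entry(line)
        print(e["src"], e["sport"], "|".join(e["flags"]), e["reply_segment"])
```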
