This is one of the things that will definitely be in the FAQ
if it ever gets written :)

What is happening is that one of the machines on your LAN
(possibly the DMZ, but more likely the PRO) is connecting to
a website on the Internet. The website in question responds
slowly (either because it is under a heavy load or because of
a lot of traffic on parts of the Internet between your
network and the webserver). By the time that the response
finally comes back, the machine that requested it has timed
out, and the GNAT Box is no longer expecting the reply.
Because the GNAT Box no longer has an entry in the state table
for the connection, it is treated as an unsolicited connection
and blocked.

The default filter set (at least under 3.0.2 and 3.0.3) includes
a filter similar to:

    #DEFAULT: Block/nolog stale WWW accesses.
    Deny ANY TCP nolog
    from "ANY_IP" 80
    to "ANY_IP" 1024:65535

that prevents "late" replies from generating alarm messages.

Since you started getting the messages at the same time that
you converted from NAT to IP Passthrough, I'm guessing that
a filter like this didn't get added to the new configuration.

Mike Burden
Lynk Systems
(616)532-4985
[EMAIL PROTECTED]
> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of
> Simon Yeo
> Sent: Monday, July 10, 2000 9:04 PM
> To: [EMAIL PROTECTED]
> Subject: strange log entries
>
> We recently converted to NAT from IP-passthru, and started getting a bunch
> of these log entries:
>
> -----------
> ALARM NO: 5
> DATE: Monday, Jul 10, 2000
> TIME: 17:14:11
> INTERFACE: EXT (xl0)
> ALARM TYPE: Block
> IP PACKET: TCP [a.b.c.d/80]-->[w.x.y.z/33242] l=1460 f=0x10
>
> DETAILED DESCRIPTION:
> IP packet was rejected.
> ----------
>
> w.x.y.z is the ip-addr of our external interface, and a.b.c.d is some
> random web site (in most cases). Why are these seemingly getting blocked?
> What's weirder is that none of our users are having any problems surfing
> the web.
>
> Thanks,
> -Simon
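
Added example, not part of the original thread and not GTA's code: a small triage script that reads alarm entries in the format quoted above and separates packets the default "stale WWW" filter would match (TCP, source port 80, destination port 1024:65535) from blocks that deserve a closer look. It assumes the f= field is the TCP flags byte, which the thread does not state; the verdict names and the sample alarms are constructed for illustration.

```python
import re

# Matches the "IP PACKET" line of a GNAT Box alarm as quoted in this thread.
PACKET_RE = re.compile(
    r"IP PACKET:\s+(?P<proto>\w+)\s+"
    r"\[(?P<src>[^/\]]+)/(?P<sport>\d+)\]-->"
    r"\[(?P<dst>[^/\]]+)/(?P<dport>\d+)\]"
    r"(?:\s+l=(?P<len>\d+))?(?:\s+f=(?P<flags>0x[0-9a-fA-F]+))?"
)

SYN, ACK = 0x02, 0x10  # assumption: f= is the TCP flags byte


def classify(line):
    """Return 'stale-www-reply', 'review', or None if line has no packet data."""
    m = PACKET_RE.search(line)
    if not m:
        return None
    sport, dport = int(m["sport"]), int(m["dport"])
    flags = int(m["flags"], 16) if m["flags"] else None
    # Same match as the default filter: TCP, source port 80, dest 1024:65535.
    matches_filter = m["proto"] == "TCP" and sport == 80 and 1024 <= dport <= 65535
    # A bare SYN from port 80 is a new connection attempt, not a late reply.
    bare_syn = flags is not None and bool(flags & SYN) and not flags & ACK
    return "stale-www-reply" if matches_filter and not bare_syn else "review"


def triage(log_text):
    """Count verdicts over a whole alarm log."""
    counts = {"stale-www-reply": 0, "review": 0}
    for line in log_text.splitlines():
        verdict = classify(line)
        if verdict:
            counts[verdict] += 1
    return counts


# Constructed sample alarms (documentation address ranges), not from the thread.
SAMPLE_LOG = """\
ALARM TYPE: Block
IP PACKET: TCP [192.0.2.10/80]-->[203.0.113.5/33242] l=1460 f=0x10
IP PACKET: TCP [192.0.2.10/80]-->[203.0.113.5/33243] l=40 f=0x11
IP PACKET: TCP [198.51.100.7/80]-->[203.0.113.5/2049] l=44 f=0x02
IP PACKET: TCP [198.51.100.7/4431]-->[203.0.113.5/23] l=44 f=0x02
"""

if __name__ == "__main__":
    print(triage(SAMPLE_LOG))
```

A log dominated by "stale-www-reply" verdicts points at the missing nolog filter; anything counted under "review" was blocked for some other reason and should be read individually.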