Thanks! That explains it perfectly. -simon
----- Original Message -----
From: "Michael W. Burden" <[EMAIL PROTECTED]>
To: "Simon Yeo" <[EMAIL PROTECTED]>; <[EMAIL PROTECTED]>
Sent: Tuesday, July 11, 2000 6:10 AM
Subject: RE: strange log entries

> --------------------- Attention -----------------------------
> Online GNAT Box User Forum is Now Open
> Click the Register link and sign up today
> http://www.gnatbox.com/cgi-bin/Ultimate.cgi
> -------------------------------------------------------------
> Send postings to: [EMAIL PROTECTED]
> Access the list archives at: http://www.gnatbox.com/gb-users/
> -------------------------------------------------------------
> This is one of the things that will definitely be in the FAQ
> if it ever gets written :)
>
> What is happening is that one of the machines on your LAN
> (possibly the DMZ, but more likely the PRO) is connecting to
> a website on the Internet. The website in question responds
> slowly (either because it is under a heavy load or because of
> a lot of traffic on parts of the Internet between your
> network and the webserver). By the time that the response
> finally comes back, the machine that requested it has timed
> out, and the GNAT Box is no longer expecting the reply.
> Because the GNAT Box no longer has an entry in the state table
> for the connection, it is treated as an unsolicited connection
> and blocked.
>
> The default filter set (at least under 3.0.2 and 3.0.3) includes
> a filter similar to:
>
> #DEFAULT: Block/nolog stale WWW accesses.
> Deny ANY TCP nolog
> from "ANY_IP" 80
> to "ANY_IP" 1024:65535
>
> that prevents "late" replies from generating alarm messages.
>
> Since you started getting the messages at the same time that
> you converted from NAT to IP Passthrough, I'm guessing that
> a filter like this didn't get added to the new configuration.
>
> Mike Burden
> Lynk Systems
> (616)532-4985
> [EMAIL PROTECTED]
>
> > -----Original Message-----
> > From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of
> > Simon Yeo
> > Sent: Monday, July 10, 2000 9:04 PM
> > To: [EMAIL PROTECTED]
> > Subject: strange log entries
> >
> > We recently converted to NAT from IP-passthru, and started getting a bunch
> > of these log entries:
> >
> > -----------
> > ALARM NO: 5
> > DATE: Monday, Jul 10, 2000
> > TIME: 17:14:11
> > INTERFACE: EXT (xl0)
> > ALARM TYPE: Block
> > IP PACKET: TCP [a.b.c.d/80]-->[w.x.y.z/33242] l=1460 f=0x10
> >
> > DETAILED DESCRIPTION:
> > IP packet was rejected.
> > ----------
> >
> > w.x.y.z is the ip-addr of our external interface, and a.b.c.d is
> > some random web site (in most cases). Why are these seemingly getting
> > blocked? What's weirder is that none of our users are having any
> > problems surfing the web.
> >
> > Thanks,
> > -Simon
> >
> > ----------------------------------------------
> > To Unsubscribe: send mail to [EMAIL PROTECTED]
> > with "unsubscribe gb-users your_email_address
> > in the body of the message
> > ----------------------------------------------
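
An added example (not part of the original thread and not GNAT Box code): a triage script that applies the port match from the default filter quoted above to alarm entries laid out like the one Simon posted, and separates late web replies from other blocked packets. It assumes `f=` is the TCP flags byte; the sample alarms and their addresses are constructed.

```python
import re

# Constructed sample alarms in the layout quoted in the thread, trimmed to the
# fields used here. Addresses are documentation ranges, not from the post.
SAMPLE_LOG = """\
ALARM NO: 5
ALARM TYPE: Block
IP PACKET: TCP [192.0.2.10/80]-->[198.51.100.1/33242] l=1460 f=0x10
ALARM NO: 6
ALARM TYPE: Block
IP PACKET: TCP [203.0.113.7/80]-->[198.51.100.1/40001] l=0 f=0x02
ALARM NO: 7
ALARM TYPE: Block
IP PACKET: TCP [203.0.113.7/4312]-->[198.51.100.1/23] l=0 f=0x02
"""

# One match per alarm entry; the lookahead stops a match from running into
# the next entry when an entry has no parsable IP PACKET line.
ENTRY_RE = re.compile(
    r"ALARM NO: (\d+)(?:(?!ALARM NO:).)*?IP PACKET: (\w+) "
    r"\[[^/\]]+/(\d+)\]-->\[[^/\]]+/(\d+)\] l=\d+ f=0x([0-9a-fA-F]+)",
    re.DOTALL,
)
ACK = 0x10  # assumption: f= is the TCP flags byte, so 0x10 is ACK, 0x02 is SYN


def classify(proto, sport, dport, flags):
    """Label one blocked packet against the default 'stale WWW' filter."""
    # Port test taken from the filter in the reply: TCP from 80 to 1024:65535.
    if not (proto == "TCP" and sport == 80 and 1024 <= dport <= 65535):
        return "other"
    # A late reply belongs to a connection the client opened, so ACK is set.
    # Without ACK (e.g. a bare SYN) the packet is not a reply, yet the
    # port-only filter would still drop it without logging.
    return "stale-www-reply" if flags & ACK else "port-80-not-a-reply"


def triage(log_text):
    """Return a list of (alarm number, label), one per alarm entry."""
    return [
        (int(no), classify(proto, int(sport), int(dport), int(flags, 16)))
        for no, proto, sport, dport, flags in ENTRY_RE.findall(log_text)
    ]


if __name__ == "__main__":
    for alarm_no, label in triage(SAMPLE_LOG):
        print(alarm_no, label)
```

Running this over the alarm log before adding the nolog filter shows how many of the entries are late replies and which ones would be hidden by the filter without being replies at all.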
