Thank you for your responses Tom & Ray. I can now see that the connections from rfc1918 address 10.1.1.d is coming into ppp0 - yes.
You both mention that it might be a user on our LAN who is being rejected from initiating connections to a remote port 80. This may be the cause, so consider this description of our LAN: - no microsoft OS or product is present - one workstation (running Fedora) has an Opera browser open permanently, and reloads 5 webpages every 30 mins or so - our mailserver runs fetchmail (without errors) - Bering 1.2 runs ntpd (with frequent syncronisation loss) Also: there are continuous connection attempts originating from the workstation mentioned above and which get dropped by Bering on the "newnotsyn" kernel filtering rule. e.g.: Mar 16 22:42:54 jungla kernel: Shorewall:newnotsyn:DROP: IN=eth0 OUT=ppp0 SRC=a.b.c.d DST=213.239.58.71 LEN=52 TOS=0x00 PREC=0x00 TTL=63 ID=8876 DF PROTO=TCP SPT=33320 DPT=80 WINDOW=48240 RES=0x00 ACK FIN URGP=0 The destination addresses for these "newnotsyn" packets are mostly for hosting companies (the logged address above appears most frequent). Could these be trojan activity or is it javascript from the open webpages? I think that there might be a connection between the 10.b.c.d packets (from outside) and the strange "newnotsyn" (local) connection attempts. Ray's theory of a "leaky router" could be the cause for the 10.b.c.d packets, but does rfc1918 filtering on ISP internet routers not make it impossible for packets with 10.b.c.d , 192.b.c.d , etc source addresses to reach our firewall? Thank you, Shango Oluwa. ------------------------------------------------------- This SF.Net email is sponsored by: IBM Linux Tutorials Free Linux tutorial presented by Daniel Robbins, President and CEO of GenToo technologies. Learn everything from fundamentals to system administration.http://ads.osdn.com/?ad_id=1470&alloc_id=3638&op=click ------------------------------------------------------------------------ leaf-user mailing list: [EMAIL PROTECTED] https://lists.sourceforge.net/lists/listinfo/leaf-user SR FAQ: http://leaf-project.org/pub/doc/docmanager/docid_1891.html
