On 19 Aug 2004 03:23:24 -0700, [EMAIL PROTECTED] (A) wrote:

>The main source ports of the hits are 80 (web), 6346 (Gnutella) and
>6889 (bit torrent) but there are other random ports as well. The only
>reference to the NAT box in pf.conf is:
>
>pass in  quick on $int_if proto {tcp udp} from $box port >= 1024 to \
>  any keep state 
>pass out quick on $ext_if proto {tcp udp} from $box port >= 1024 to \
>  any keep state

Switch logging on for those rules for a start; you should log all traffic
initiated from the inside.

You should also restrict external access to the set of business-critical
services which require direct routed access.

>
>So, what are these hits? Are they just the outside server sending a
>left-over packet after the client has actually closed the connection or
>does it sound like a hole?

It would suggest that you have an issue with internal users sharing
copyright material over peer-to-peer.

>

greg

-- 
It is my part - no
My part - no
Because that is my part - no
My part - no
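
Added example, not part of the original message: once the pass rules are logged as suggested above, each blocked inbound hit can be checked against the outbound connections logged earlier, which answers the question of whether a hit is a left-over packet from a closed connection or unsolicited traffic. Assumptions: the line layout matched by `LINE` (text output of tcpdump on pflog0, which differs between pf versions), no address translation between the two log points, and the constructed sample lines with documentation addresses.

```python
import re

# Assumed layout of tcpdump text output on pflog0; adjust to your pf version.
LINE = re.compile(
    r"rule \S+ (?P<action>pass|block) (?P<dir>in|out) on (?P<ifc>\S+): "
    r"(?P<src>\d+(?:\.\d+){3})\.(?P<sport>\d+) > "
    r"(?P<dst>\d+(?:\.\d+){3})\.(?P<dport>\d+):"
)

def classify_blocks(lines):
    """Label each blocked inbound packet as 'late-reply' or 'unsolicited'.

    'late-reply' means an earlier logged outbound connection used the same
    two endpoints in the opposite direction, so the packet most likely
    arrived after its state entry had been removed.
    """
    seen_out = set()  # (local endpoint, remote endpoint) of logged outbound flows
    results = []
    for line in lines:
        m = LINE.search(line)
        if not m:
            continue  # not a pf log line in the assumed layout
        src = (m["src"], int(m["sport"]))
        dst = (m["dst"], int(m["dport"]))
        if m["action"] == "pass" and m["dir"] == "out":
            seen_out.add((src, dst))
        elif m["action"] == "block" and m["dir"] == "in":
            kind = "late-reply" if (dst, src) in seen_out else "unsolicited"
            results.append((kind, src, dst))
    return results

# Constructed sample log lines (documentation addresses, not real traffic).
SAMPLE = [
    "Aug 19 03:20:01.000000 rule 4/0(match): pass out on fxp0: 192.0.2.10.3345 > 198.51.100.7.6346: S",
    "Aug 19 03:20:09.000000 rule 4/0(match): pass out on fxp0: 192.0.2.10.3346 > 203.0.113.5.80: S",
    "Aug 19 03:23:24.000000 rule 0/0(match): block in on fxp0: 198.51.100.7.6346 > 192.0.2.10.3345: R",
    "Aug 19 03:23:30.000000 rule 0/0(match): block in on fxp0: 203.0.113.5.80 > 192.0.2.10.3346: F",
    "Aug 19 03:24:02.000000 rule 0/0(match): block in on fxp0: 198.51.100.99.6889 > 192.0.2.10.4000: S",
]

if __name__ == "__main__":
    for kind, src, dst in classify_blocks(SAMPLE):
        print(f"{kind:11} {src[0]}:{src[1]} -> {dst[0]}:{dst[1]}")
```

The match uses log order only, so a long capture should be cut into time windows before a reused port pair is read as a late reply.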
