
previous page: 61  What software uses what FTP mode? (Firewalls - TCP and UDP Ports)
  
page up: Firewalls FAQ
  
next page: 63  The anatomy of a TCP connection (Firewalls - TCP and UDP Ports)

62 Is my firewall trying to connect outside? (Firewalls - TCP and UDP Ports)
This article is from the Firewalls FAQ, by Matt Curtin cmcurtin@interhack.net and Marcus J. Ranum mjr@nfr.com with numerous contributions by others.

My firewall logs are telling me that my web server is trying to connect
from port 80 to ports above 1024 on the outside. What is this?!

If you are seeing dropped packets from port 80 on your web server (or from
port 25 on your mail server) to high ports on the outside, they usually DO
NOT mean that your web server is trying to connect somewhere.

They are the result of the firewall timing out a connection and then seeing
the server retransmit old responses (or try to close the connection) to the
client.

TCP connections always involve packets traveling in BOTH directions in the
connection.

If you are able to see the TCP flags in the dropped packets, you'll see that
the ACK flag is set but not the SYN flag. A new connection always begins
with a packet that has SYN set and ACK clear, so a packet with ACK set and
SYN clear is not a new connection forming, but rather a response belonging
to a previously formed connection.

Read point 8 below for an in-depth explanation of what happens when TCP
connections are formed (and closed).
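The flag check described above can be applied mechanically to a batch of dropped-packet log lines, so that only genuine connection attempts (SYN set, ACK clear) are escalated and the stale ACK, FIN and RST traffic from a timed-out connection is explained away. The following is an added example and not part of the Firewalls FAQ: the iptables-style log format, the field names SRC/DST/SPT/DPT, the bare flag tokens SYN/ACK/FIN/RST and the SERVER_PORTS set are all assumptions, and the sample lines are constructed.

```python
"""Triage dropped-packet firewall log lines by their TCP flags.

Added example, not the FAQ's own code. The log layout is a constructed,
iptables-style one; the field names and flag tokens are assumptions about
what a firewall logs, and SERVER_PORTS is the local services of interest.
"""
import re
from collections import Counter

SERVER_PORTS = {80, 25}      # local web and mail server ports (assumed)
EPHEMERAL_START = 1024       # "high ports" in the FAQ's sense

# Constructed sample: five dropped packets leaving a web/mail host.
SAMPLE_LOG = """\
kernel: DROP IN=eth0 OUT= SRC=192.0.2.10 DST=198.51.100.7 PROTO=TCP SPT=80 DPT=51234 ACK
kernel: DROP IN=eth0 OUT= SRC=192.0.2.10 DST=198.51.100.7 PROTO=TCP SPT=80 DPT=51234 ACK FIN
kernel: DROP IN=eth0 OUT= SRC=192.0.2.10 DST=198.51.100.9 PROTO=TCP SPT=80 DPT=40211 RST
kernel: DROP IN=eth0 OUT= SRC=192.0.2.10 DST=203.0.113.5 PROTO=TCP SPT=34567 DPT=6667 SYN
kernel: DROP IN=eth0 OUT= SRC=192.0.2.25 DST=198.51.100.7 PROTO=TCP SPT=25 DPT=55000 SYN ACK
"""

FIELD_RE = re.compile(r"(\w+)=(\S*)")
FLAG_RE = re.compile(r"\b(SYN|ACK|FIN|RST)\b")


def parse(line):
    """Split one log line into its KEY=VALUE fields plus the set of TCP flags."""
    fields = dict(FIELD_RE.findall(line))
    return {
        "src": fields.get("SRC"),
        "dst": fields.get("DST"),
        "spt": int(fields["SPT"]),
        "dpt": int(fields["DPT"]),
        "flags": set(FLAG_RE.findall(line)),
    }


def classify(pkt):
    """Return (verdict, reason) for one dropped packet.

    The decisive test is the FAQ's: SYN set and ACK clear is a host opening a
    new connection; anything else belongs to a connection that already
    exists (or existed before the firewall timed it out).
    """
    f = pkt["flags"]
    from_server = pkt["spt"] in SERVER_PORTS and pkt["dpt"] >= EPHEMERAL_START
    if "SYN" in f and "ACK" not in f:
        return "new-connection", "SYN without ACK: host is initiating a connection"
    if "SYN" in f:
        return "handshake-reply", "SYN/ACK: second step of a handshake a client started"
    if "RST" in f or "FIN" in f:
        return "teardown", "FIN or RST: closing a connection the firewall already forgot"
    if "ACK" in f:
        where = "server port to client high port" if from_server else "existing connection"
        return "stale-response", f"ACK without SYN: retransmission of a timed-out connection ({where})"
    return "unknown", "no SYN/ACK/FIN/RST flag present"


def tcp_lines(log_text):
    return [l for l in log_text.splitlines() if "PROTO=TCP" in l]


def triage(log_text):
    """Verdict for every TCP line, in log order."""
    return [classify(parse(l))[0] for l in tcp_lines(log_text)]


def real_outbound_attempts(log_text):
    """Only the packets that really are the host trying to connect out."""
    out = []
    for line in tcp_lines(log_text):
        pkt = parse(line)
        if classify(pkt)[0] == "new-connection":
            out.append(f"{pkt['src']} -> {pkt['dst']}:{pkt['dpt']}")
    return out


def summary(log_text):
    """Count of lines per verdict, for a quick read of what the drops are."""
    return Counter(triage(log_text))


if __name__ == "__main__":
    for line in tcp_lines(SAMPLE_LOG):
        verdict, reason = classify(parse(line))
        print(f"{verdict:16} {reason}")
    print(dict(summary(SAMPLE_LOG)))
    print("worth a look:", real_outbound_attempts(SAMPLE_LOG))
```

On the constructed sample, four of the five drops are explained by the FAQ's answer (one stale ACK, two teardowns, one handshake reply) and only the SYN-only packet from an ephemeral port is left as something to investigate.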
