[fw-wiz] Stateful inspect on return web traffic - eek!

From: Brett Charbeneau (brett_at_wrl.org)
Date: 12/09/03

  • Next message: Melson, Paul: "RE: [fw-wiz] SunScreen Log Analyzer" 
    To: firewall-wizards@honor.icsalabs.com
Date: Tue, 9 Dec 2003 11:33:13 -0500 (EST)

    Greetings,

            If anyone can help me figure out what's going on with my logs, I'd
    be EXTREMELY grateful!
            I have a handful of firewalls around my institution that are using
    the 2.4.20 Linux kernel, have iptables v1.2.7a, and default drop
    policies. The workstations behind the firewalls are on NAT'd networks and
    have these commands for connection tracking:

    iptables -A OUTPUT -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
    iptables -A FORWARD -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
    iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

            I've recently set up a Squid proxy with the same specifics but
    obviously minus the NAT'd network. Except for the explicit allow
    statements for the Squid process and necessary SSH access, the rules are
    very simple - default drop except for related return traffic.
            In all these instances, I have an iptables rule to log any dropped
    packets and I've been seeing some really strange web-related *return*
    traffic that isn't being allowed back in.
            Me no get.
            I've got an example below and they look to me to be replies to web
    clients that *should* be associated with outgoing traffic but somehow
    isn't and the traffic is being dropped.
            I've not heard complaints about certain web sites being
    unreachable, so the clients must be getting their traffic somehow, but
    clearly something is amiss.
            Any guidance or hints anyone can provide would be greatly
    appreciated! 

    -- 
Brett Charbeneau, Network Administrator         Tel: 757-259-7750
Williamsburg Regional Library                   FAX: 757-259-7798
7770 Croaker Road                               brett@wrl.org
Williamsburg, VA 23188-7064                     http://www.wrl.org
Dec  9 11:19:45 reliant kernel: KILLED!: IN=eth0 OUT= 
MAC=00:10:4b:34:51:22:00:00:0c:5d:85:ae:08:00 SRC=216.75.202.105 
DST=209.96.177.53 LEN=52 TOS=0x00 PREC=0x00 TTL=45 ID=33958 DF PROTO=TCP 
SPT=80 DPT=49788 WINDOW=31856 RES=0x00 ACK FIN URGP=0 
Dec  9 11:19:47 reliant kernel: KILLED!: IN=eth0 OUT= 
MAC=00:10:4b:34:51:22:00:00:0c:5d:85:ae:08:00 SRC=216.75.202.105 
DST=209.96.177.53 LEN=52 TOS=0x00 PREC=0x00 TTL=45 ID=34028 DF PROTO=TCP 
SPT=80 DPT=49788 WINDOW=31856 RES=0x00 ACK FIN URGP=0 
Dec  9 11:19:47 reliant kernel: KILLED!: IN=eth0 OUT= 
MAC=00:10:4b:34:51:22:00:00:0c:5d:85:ae:08:00 SRC=207.68.178.238 
DST=209.96.177.53 LEN=41 TOS=0x00 PREC=0x00 TTL=235 ID=50490 PROTO=TCP 
SPT=80 DPT=49476 WINDOW=16133 RES=0x00 ACK PSH URGP=0 
Dec  9 11:19:49 reliant kernel: KILLED!: IN=eth0 OUT= 
MAC=00:10:4b:34:51:22:00:00:0c:5d:85:ae:08:00 SRC=216.75.202.105 
DST=209.96.177.53 LEN=52 TOS=0x00 PREC=0x00 TTL=45 ID=34417 DF PROTO=TCP 
SPT=80 DPT=49788 WINDOW=31856 RES=0x00 ACK FIN URGP=0 
Dec  9 11:19:55 reliant kernel: KILLED!: IN=eth0 OUT= 
MAC=00:10:4b:34:51:22:00:00:0c:5d:85:ae:08:00 SRC=216.75.202.105 
DST=209.96.177.53 LEN=52 TOS=0x00 PREC=0x00 TTL=45 ID=34750 DF PROTO=TCP 
SPT=80 DPT=49788 WINDOW=31856 RES=0x00 ACK FIN URGP=0 
Dec  9 11:19:58 reliant kernel: KILLED!: IN=eth0 OUT= 
MAC=00:10:4b:34:51:22:00:00:0c:5d:85:ae:08:00 SRC=216.75.203.112 
DST=209.96.177.53 LEN=467 TOS=0x00 PREC=0x00 TTL=236 ID=20775 DF PROTO=TCP 
SPT=81 DPT=49378 WINDOW=10136 RES=0x00 ACK PSH FIN URGP=0 
_______________________________________________
firewall-wizards mailing list
firewall-wizards@honor.icsalabs.com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
  • Next message: Melson, Paul: "RE: [fw-wiz] SunScreen Log Analyzer"

    Relevant Pages

    • Re: Re-post - please help is you can
      ... You can also use ISA to publish a Sharepoint site on port 80 using headers ... > We use OWA a lot for email from our clients offices and it is fantastic, ... causing our clients proxy server and firewalls to block it. ...
      (microsoft.public.windows.server.sbs)
    • Re: Clarification on firewall issues with Java networking APIs
      ... Firewalls generally allow return ... I can have callbacks with RMI ... clients to receive timely events, ... connection to the server. ...
      (comp.lang.java.programmer)
    • [fw-wiz] ISP firewalling of residential customers - was - About Port Forwarding, Apache and Firewall
      ... > firewalls, and kept there. ... to protect our customers (absence of funds and man-power always figure ... policy on my residential networks. ... The big issue from a business standpoint is that popular opinion seems to ...
      (Firewall-Wizards)
    • Re: Unexplained wan/lan activity
      ... >> firewalls and networks and such. ... A little while ago I noticed wan activity going on, ... > windows try a packet ...
      (comp.security.firewalls)
    • Re: Network Design
      ... Good for VPN setups and can range from low end firewalls, for small networks, up to much bigger systems for large corporate networks. ... Modeled after the famous Black Hat event in ... Symantec is the Diamond sponsor. ...
      (Security-Basics)