Re: watchguard packets dropped



steve.logan@xxxxxxxxx wrote:
I'm new to firewalling anything beyond the basics, and I have our
Watchguard up and running and have moved one of our web sites behind
it, so we're starting to see some traffic through it. I'm a tiny bit
concerned that people with legitimate connections might be getting
blocked because of some of the rules in the firewall.

For example, this first IP (24.38.17.25) seems to be a Comcast user
trying to bring up a web site. Can someone give a brief insight into
the reasons the firewall is blocking these connections?

"TCP RST packet without an associated connection"
"TCP SYN checking: connection not established yet [-A---F];"


2007-11-19 21:02:56 Deny 24.38.17.25 xxx.xxx.xxx.xxx http/tcp 52480 80
0-External unknown TCP RST packet without an associated connection,
firewall drop 40 241 (internal policy) tcpinfo="offset 5 R
1327508525 win 0"

2007-11-19 21:03:17 Deny 24.38.17.25 xxx.xxx.xxx.xxx http/tcp 52488 80
0-External 1-Trusted TCP SYN checking: connection not established yet
[-A---F], firewall drop 52 49 (internal policy) tcpinfo="offset 8 FA
942952889 win 65535"



I'm also seeing some of these "Unhandled External Packet-00"
connections being denied.

2007-11-19 21:14:04 Deny 67.15.135.144 xxx.xxx.xxx.xxx 54122/tcp 80
54122 0-External 1-Trusted denied 44 48 (Unhandled External
Packet-00) tcpinfo="offset 6 SA 363997396 win 5840"

Thank you,

What's so hard to understand about that ...
RST packets which are not part of an existing established connection
should be dropped! Sounds like a portscan to me, or some responses to spoofed
connection attempts.
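To make the reply concrete, here is a toy stateful TCP inspector, added by the editor as an illustration and not WatchGuard code nor the Firebox's actual algorithm. It tracks the three-way handshake per flow and denies any packet that does not belong to a flow it knows about, which is all three denied entries above: a bare RST with no state, a FIN/ACK with no state, and a SYN/ACK arriving from outside that answers a SYN nobody behind the firewall sent (the usual signature of backscatter from SYNs spoofed with your address). The packets are re-typed from the posted log lines; the masked xxx.xxx.xxx.xxx is replaced by the made-up address 203.0.113.80, the legitimate-client flow is constructed for contrast, and the mapping from flag pattern to the post's deny-reason strings is this example's own assumption.

```python
"""Toy stateful TCP inspector (added example, not WatchGuard's code).

Flows are keyed direction-independently, so the client's SYN and the server's
SYN/ACK share one table entry. Only a bare SYN may create an entry; anything
else without state is denied with a reason modelled on the post's log lines.
FIN teardown timers are omitted for brevity: an RST on an established flow
simply drops the entry."""
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Handshake states of a tracked flow.
SYN_SENT, SYN_RECV, ESTABLISHED = "SYN_SENT", "SYN_RECV", "ESTABLISHED"

# Deny reasons copied from the post; which flag pattern maps to which
# reason is this example's assumption, not documented firewall behaviour.
REASON_RST = "TCP RST packet without an associated connection"
REASON_SYNCHECK = "TCP SYN checking: connection not established yet"
REASON_UNHANDLED = "Unhandled External Packet-00"


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: str       # tcpdump-style letters: "S", "SA", "A", "FA", "R"
    external: bool   # True if it arrived on the 0-External interface


def flow_key(p: Packet) -> Tuple[Tuple[str, int], Tuple[str, int]]:
    """Same key for both directions of a connection."""
    return tuple(sorted([(p.src, p.sport), (p.dst, p.dport)]))


class StatefulInspector:
    def __init__(self) -> None:
        self.table: Dict[tuple, str] = {}

    def inspect(self, p: Packet) -> Tuple[str, str]:
        """Return ("Allow"|"Deny", reason) and update the state table."""
        key = flow_key(p)
        state = self.table.get(key)
        if state is None:
            if p.flags == "S":                 # only a bare SYN opens a flow
                self.table[key] = SYN_SENT
                return "Allow", "new connection"
            if "R" in p.flags:
                return "Deny", REASON_RST
            if p.flags == "SA" and p.external:
                # SYN/ACK from outside answering a SYN we never sent:
                # backscatter from a spoofed SYN, or a probe.
                return "Deny", REASON_UNHANDLED
            return "Deny", REASON_SYNCHECK     # e.g. the stray FIN/ACK
        if state == SYN_SENT and p.flags == "SA":
            self.table[key] = SYN_RECV
            return "Allow", "handshake step 2"
        if state == SYN_RECV and p.flags == "A":
            self.table[key] = ESTABLISHED
            return "Allow", "handshake complete"
        if state == ESTABLISHED:
            if "R" in p.flags:                 # teardown: forget the flow
                self.table.pop(key, None)
            return "Allow", "established"
        return "Deny", REASON_SYNCHECK


SERVER = "203.0.113.80"   # stands in for the masked xxx.xxx.xxx.xxx

# The three denied packets, re-typed from the post's log lines.
DENIED_FROM_POST: List[Packet] = [
    Packet("24.38.17.25", 52480, SERVER, 80, "R", True),
    Packet("24.38.17.25", 52488, SERVER, 80, "FA", True),
    Packet("67.15.135.144", 80, SERVER, 54122, "SA", True),
]

# A constructed legitimate client, for contrast: handshake, request,
# abort with RST, then one late packet that is now stateless again.
NORMAL_FLOW: List[Packet] = [
    Packet("24.38.17.25", 52490, SERVER, 80, "S", True),
    Packet(SERVER, 80, "24.38.17.25", 52490, "SA", False),
    Packet("24.38.17.25", 52490, SERVER, 80, "A", True),
    Packet("24.38.17.25", 52490, SERVER, 80, "A", True),   # HTTP request
    Packet("24.38.17.25", 52490, SERVER, 80, "R", True),   # client aborts
    Packet("24.38.17.25", 52490, SERVER, 80, "A", True),   # late packet
]


def replay(packets: List[Packet]) -> List[Tuple[str, str]]:
    """Run a fresh inspector over a packet list and return the verdicts."""
    insp = StatefulInspector()
    return [insp.inspect(p) for p in packets]


if __name__ == "__main__":
    for p, (verdict, why) in zip(DENIED_FROM_POST + NORMAL_FLOW,
                                 replay(DENIED_FROM_POST + NORMAL_FLOW)):
        print(f"{verdict:5} {p.src}:{p.sport} -> {p.dst}:{p.dport} "
              f"[{p.flags}] {why}")
```

Running it denies all three posted packets for the same reasons the Firebox logged and allows the constructed client's whole session, until the packet that arrives after the RST, which is again stateless and gets the SYN-checking deny. A real client that opened its connection through the firewall always starts with a bare SYN, so entries like these are not lost customers; they are late or spoofed packets for connections the firewall never saw open.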
