gb-users mailing list archive

RE: Remote access filter blocks

To: "Griffiths, Jeff" <jgriffiths_at_SWFLLP_dot_com>
Subject: RE: Remote access filter blocks
From: Joe Biniskiewicz <joeb_at_joeb_dot_com>
Date: Fri, 10 Mar 2000 20:41:33 -0800
Cc: GB Users <gb-users_at_gta_dot_com>
In-reply-to: <>

At 08:45 AM 3/9/00 -0500, Griffiths, Jeff wrote:
All of the IP addresses in your logs are owned by @home.
Reverse DNS shows 24.0.0.205 to .207 is a mailer group on the west coast. (mx1-w.mail.home.com, mx2..., mx3...)
Reverse DNS is not available for 24.0.95.51 to .56  although they are all up (I was able to PING them)
Reverse DNS shows 24.2.2.197 to .199 is a mailer group on the east coast. (mx2-e.mail.home.com, mx3..., mx4...)

The interesting thing is the FLAG on all your packets in your log = 0x10.  0x10 = ACK.
Based on this info, I would tend to think that these are mailers trying to reconnect to you because of timeouts (although that does not explain the ACK) or you are being port scanned (which also doesn't explain the ACK very well since most scans are based on SYN).

At 09:02 AM 3/9/00 -0500, Michael W. Burden wrote:
All of the IP addresses in your logs are owned by @home.
Reverse DNS shows 24.0.0.205 to .207 is a mailer group on the west coast.

Yes, however I did not include my entire log last time.  Today, I have included my log for today's blocks of machines using SOURCE port 25.  See the bottom of this message for that log.

My mail server does send mail to a few people on the @home network, via mailing lists and mail address aliases.  Therefore, especially in the case of mail aliases, it would be quite possible for my mail servers to send to various MX hosts listed in their DNS records.  That might explain the ACK packets from their server on port 25.  I wouldn't be aware the mail even passed through my machine unless there was a problem with delivery.  I don't spend nearly as much time with the mail server logs because the mail server is secure.  It's the firewall I am tuning.

So let's assume that this is what's happening.  The next question might seem at first glance to be beyond the scope of this discussion list, but I think it is actually within our scope:

WHY is this happening?  What part of the SMTP mechanism is causing GB to close the connection to the remote SMTP server before it is ready to consider the connection closed?

Mar 10 05:11:24 192.168.2.254 FILTER: Remote access filter blocks:
TCP ed0 [199.88.234.43/25]->[209.239.242.112/16541] l=0 f=0x11.
Mar 10 05:12:14 192.168.2.254 FILTER: Remote access filter blocks:
TCP ed0 [199.88.234.43/25]->[209.239.242.112/16541] l=0 f=0x11.
Mar 10 05:13:11 192.168.2.254 FILTER: Remote access filter blocks:
TCP ed0 [199.88.234.43/25]->[209.239.242.112/16541] l=0 f=0x11.
Mar 10 05:15:05 192.168.2.254 FILTER: Remote access filter blocks:
TCP ed0 [199.88.234.43/25]->[209.239.242.112/16541] l=0 f=0x11.
Mar 10 05:18:52 192.168.2.254 FILTER: Remote access filter blocks:
TCP ed0 [199.88.234.43/25]->[209.239.242.112/16541] l=0 f=0x11.
Mar 10 10:15:20 192.168.2.254 FILTER: Remote access filter blocks:
TCP ed0 [24.0.95.51/25]->[209.239.242.112/16716] l=0 f=0x10.
Mar 10 10:46:55 192.168.2.254 FILTER: Remote access filter blocks:
TCP ed0 [24.2.2.199/25]->[209.239.242.112/16725] l=0 f=0x10.
Mar 10 11:45:27 192.168.2.254 FILTER: Remote access filter blocks:
TCP ed0 [24.2.2.197/25]->[209.239.242.112/16742] l=0 f=0x10.
Mar 10 12:45:21 192.168.2.254 FILTER: Remote access filter blocks:
TCP ed0 [24.2.2.192/25]->[209.239.242.112/16741] l=0 f=0x14.
Mar 10 13:34:44 192.168.2.254 FILTER: Remote access filter blocks:
TCP ed0 [199.88.234.42/25]->[209.239.242.112/16782] l=0 f=0x11.
Mar 10 13:35:05 192.168.2.254 FILTER: Remote access filter blocks:
TCP ed0 [199.88.234.42/25]->[209.239.242.112/16782] l=0 f=0x11.
Mar 10 13:35:34 192.168.2.254 FILTER: Remote access filter blocks:
TCP ed0 [199.88.234.42/25]->[209.239.242.112/16782] l=0 f=0x11.
Mar 10 13:42:19 192.168.2.254 FILTER: Remote access filter blocks:
TCP ed0 [199.88.234.42/25]->[209.239.242.112/16782] l=0 f=0x11.
Mar 10 14:38:25 192.168.2.254 FILTER: Remote access filter blocks:
TCP ed0 [24.2.2.192/25]->[209.239.242.112/16788] l=0 f=0x14.
Mar 10 15:45:55 192.168.2.254 FILTER: Remote access filter blocks:
TCP ed0 [24.0.0.195/25]->[209.239.242.112/16846] l=0 f=0x14.
Mar 10 15:48:48 192.168.2.254 FILTER: Remote access filter blocks:
TCP ed0 [24.0.0.195/25]->[209.239.242.112/16847] l=0 f=0x14.
Mar 10 17:16:50 192.168.2.254 FILTER: Remote access filter blocks:
TCP ed0 [24.2.2.192/25]->[209.239.242.112/16907] l=0 f=0x14.
Mar 10 17:24:48 192.168.2.254 FILTER: Remote access filter blocks:
TCP ed0 [24.2.2.193/25]->[209.239.242.112/16928] l=0 f=0x14.
Mar 10 17:34:01 192.168.2.254 FILTER: Remote access filter blocks:
TCP ed0 [216.33.151.234/25]->[209.239.242.112/16997] l=0 f=0x11.
Mar 10 17:34:07 192.168.2.254 FILTER: Remote access filter blocks:
TCP ed0 [216.33.151.234/25]->[209.239.242.112/16997] l=0 f=0x11.
Mar 10 17:34:21 192.168.2.254 FILTER: Remote access filter blocks:
TCP ed0 [216.33.151.234/25]->[209.239.242.112/16997] l=0 f=0x11.
Mar 10 17:34:47 192.168.2.254 FILTER: Remote access filter blocks:
TCP ed0 [216.33.151.234/25]->[209.239.242.112/16997] l=0 f=0x11.
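The flag-byte reading in the quoted analysis (0x10 = ACK) extends to the other values in the log above: 0x11 is FIN+ACK and 0x14 is RST+ACK, and none of the blocked packets carries a SYN or any payload (l=0). The following Python script is an added example and is not part of this thread or of GTA's software: it parses the wrapped "Remote access filter blocks" lines in the layout shown above, decodes the f= byte into flag names, groups entries per flow so that the repeated FIN/ACKs from one source appear as a single retransmitting flow, and labels each entry as either a new-connection attempt (SYN) or the tail of a session the filter no longer tracks. The field names, classification labels and the sample's final line (a constructed SYN from a placeholder address 10.0.0.9) are my own additions.

```python
import re

# TCP flag bits in the low byte of the TCP header (RFC 793 layout).
TCP_FLAGS = {0x01: "FIN", 0x02: "SYN", 0x04: "RST", 0x08: "PSH", 0x10: "ACK", 0x20: "URG"}

# Field layout of the filter log lines shown in the thread, after re-joining the
# wrapped "TCP ..." continuation line. The group names are my own labels.
LOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2}\s+\d\d:\d\d:\d\d)\s+(?P<fw>\S+)\s+"
    r"FILTER:\s+Remote access filter blocks:\s+"
    r"(?P<proto>TCP)\s+(?P<iface>\S+)\s+"
    r"\[(?P<src>[\d.]+)/(?P<sport>\d+)\]->\[(?P<dst>[\d.]+)/(?P<dport>\d+)\]\s+"
    r"l=(?P<len>\d+)\s+f=0x(?P<flags>[0-9a-fA-F]+)\.?$"
)

# Constructed sample in the thread's format: four entries copied from the log
# above plus one made-up SYN (placeholder source 10.0.0.9) for contrast.
SAMPLE_LOG = """\
Mar 10 05:11:24 192.168.2.254 FILTER: Remote access filter blocks:
TCP ed0 [199.88.234.43/25]->[209.239.242.112/16541] l=0 f=0x11.
Mar 10 05:12:14 192.168.2.254 FILTER: Remote access filter blocks:
TCP ed0 [199.88.234.43/25]->[209.239.242.112/16541] l=0 f=0x11.
Mar 10 10:15:20 192.168.2.254 FILTER: Remote access filter blocks:
TCP ed0 [24.0.95.51/25]->[209.239.242.112/16716] l=0 f=0x10.
Mar 10 12:45:21 192.168.2.254 FILTER: Remote access filter blocks:
TCP ed0 [24.2.2.192/25]->[209.239.242.112/16741] l=0 f=0x14.
Mar 10 12:50:00 192.168.2.254 FILTER: Remote access filter blocks:
TCP ed0 [10.0.0.9/4444]->[209.239.242.112/25] l=0 f=0x02.
"""


def decode_flags(value):
    """Return the set of TCP flag names set in a flag byte, e.g. 0x11 -> {'FIN', 'ACK'}."""
    return {name for bit, name in TCP_FLAGS.items() if value & bit}


def parse_line(line):
    """Parse one re-joined log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    d = m.groupdict()
    flags = int(d["flags"], 16)
    return {
        "ts": d["ts"], "iface": d["iface"],
        "src": d["src"], "sport": int(d["sport"]),
        "dst": d["dst"], "dport": int(d["dport"]),
        "length": int(d["len"]), "flags": flags, "flag_names": decode_flags(flags),
    }


def parse_log(text):
    """Parse the wrapped two-line layout (header line ending in 'blocks:' followed by 'TCP ...')."""
    records, pending = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.endswith("blocks:"):
            pending = line          # header half; wait for the TCP continuation
            continue
        if line.startswith("TCP ") and pending is not None:
            line, pending = pending + " " + line, None
        rec = parse_line(line)
        if rec is not None:
            records.append(rec)
    return records


def classify(rec):
    """Label a blocked packet by what its flags say about the session it belongs to."""
    f = rec["flag_names"]
    if "SYN" in f and "ACK" not in f:
        return "new connection attempt (SYN): scan or inbound client"
    if "ACK" in f and rec["length"] == 0 and f <= {"FIN", "ACK", "RST"}:
        # No SYN, no payload: a teardown or bare ACK for a session the filter has
        # already forgotten, which matches the source-port-25 entries in the thread.
        return "late teardown/ack of a session the filter no longer tracks"
    if "ACK" in f and rec["length"] > 0:
        return "mid-session data packet without matching state"
    return "other"


def summarize(records):
    """Group records per (src, sport, dst, dport) flow with count, union of flags and verdicts."""
    flows = {}
    for r in records:
        key = (r["src"], r["sport"], r["dst"], r["dport"])
        e = flows.setdefault(key, {"count": 0, "flags": set(), "verdicts": set(),
                                   "first": r["ts"], "last": r["ts"]})
        e["count"] += 1
        e["flags"] |= r["flag_names"]
        e["verdicts"].add(classify(r))
        e["last"] = r["ts"]
    return flows


if __name__ == "__main__":
    for (src, sport, dst, dport), e in summarize(parse_log(SAMPLE_LOG)).items():
        print(f"{src}:{sport} -> {dst}:{dport}  x{e['count']}  {e['first']}..{e['last']}  "
              f"{'+'.join(sorted(e['flags']))}  {'; '.join(sorted(e['verdicts']))}")
```

Run against the full log from the message, the per-flow view shows each source-port-25 entry repeating at growing intervals with the same ephemeral destination port, which is what a remote SMTP server's FIN/ACK retransmissions look like once the firewall has dropped its state for the session; a scan would instead show SYNs spread across ports or hosts.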


Global Technology Associates, Inc