Network Security Firewalls
Re: PIX Log Interpretation Help

Subject: Re: PIX Log Interpretation Help
Date: Wed, 28 Jun 2006 07:52:29 -0400
On Tue, 2006-06-27 at 14:53 -0700, Robert McIntosh wrote:

Jun 26 15:21:06 10.0.0.6 %PIX-4-106023: Deny tcp src
outside:xxx.xxx.xxx.xxx/25 dst inside:xxx.xxx.xxx.xxx/21100 by
access-group "inbound"
Jun 26 15:21:09 10.0.0.6 %PIX-4-106023: Deny tcp src
outside:xxx.xxx.xxx.xxx/25 dst inside:xxx.xxx.xxx.xxx/21100 by
access-group "inbound"

I don't understand why the external mail host would be trying to
connect on port 21100 on our firewall. 

Looks like a state timeout issue. This happens more frequently with
TCP/80, but I have seen it on SMTP as well.

Usually what causes it is one side of the connection issues a FIN/ACK to
end their side of communications, thus entering a half closed state.
When the firewall sees the FIN/ACK, it drops the state timer to
something small (usually 30-120 seconds, depending on the firewall). If
communications do not complete in this time, the firewall kills the
session. This causes all remaining communications in that session to be
denied.

To verify if this is the case, look earlier in your logs to see if your
mail server connected to this external host from TCP/21100 going to
TCP/25. If you find that log entry, it's just the timers giving you
trouble.

HTH,
Chris
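Chris's suggested check, done over log lines instead of by eye, as an added example that is not part of the thread: it assumes the PIX 302013 (Built) and 302014 (Teardown) connection messages are logged alongside the 106023 denies, and every sample line and address below is constructed. A deny whose endpoint pair matches an earlier Built message is tagged as a stale session (the timer case Chris describes); one with no prior connection is tagged unsolicited and deserves a closer look.

```python
import re

# Constructed sample lines (RFC 5737 test addresses) modelled on the PIX
# messages discussed in the thread: 302013 built, 302014 teardown, 106023 deny.
SAMPLE_LOG = """\
Jun 26 15:18:51 10.0.0.6 %PIX-6-302013: Built outbound TCP connection 81234 for outside:203.0.113.25/25 (203.0.113.25/25) to inside:192.168.1.20/21100 (192.168.1.20/21100)
Jun 26 15:20:34 10.0.0.6 %PIX-6-302014: Teardown TCP connection 81234 for outside:203.0.113.25/25 to inside:192.168.1.20/21100 duration 0:01:43 bytes 5120 TCP FINs
Jun 26 15:21:06 10.0.0.6 %PIX-4-106023: Deny tcp src outside:203.0.113.25/25 dst inside:192.168.1.20/21100 by access-group "inbound"
Jun 26 15:21:09 10.0.0.6 %PIX-4-106023: Deny tcp src outside:203.0.113.25/25 dst inside:192.168.1.20/21100 by access-group "inbound"
Jun 26 15:21:30 10.0.0.6 %PIX-4-106023: Deny tcp src outside:198.51.100.7/4411 dst inside:192.168.1.20/21100 by access-group "inbound"
"""

# One "interface:ip/port" endpoint; {p} becomes a prefix for the group names.
ENDPOINT = r"\w+:(?P<{p}ip>[\d.]+)/(?P<{p}port>\d+)"
BUILT_RE = re.compile(r"302013: Built \w+ TCP connection (?P<cid>\d+) for "
                      + ENDPOINT.format(p="a") + r" \S+ to " + ENDPOINT.format(p="b"))
TEARDOWN_RE = re.compile(r"302014: Teardown TCP connection (?P<cid>\d+) for "
                         + ENDPOINT.format(p="a") + r" to " + ENDPOINT.format(p="b"))
DENY_RE = re.compile(r"106023: Deny tcp src " + ENDPOINT.format(p="a")
                     + r" dst " + ENDPOINT.format(p="b"))

def flow_key(m):
    """Direction-independent key: the unordered pair of (ip, port) endpoints."""
    return frozenset({(m["aip"], m["aport"]), (m["bip"], m["bport"])})

def classify_denies(log_text):
    """Walk the log in order; tag each 106023 deny as 'stale-session' when an
    earlier Built message covers the same endpoint pair, else 'unsolicited'."""
    known = {}      # flow key -> {"cid": connection id, "torn_down": bool}
    verdicts = []
    for line in log_text.splitlines():
        if m := BUILT_RE.search(line):
            known[flow_key(m)] = {"cid": m["cid"], "torn_down": False}
        elif m := TEARDOWN_RE.search(line):
            conn = known.get(flow_key(m))
            if conn:
                conn["torn_down"] = True   # half-closed/closed: timer now short
        elif m := DENY_RE.search(line):
            conn = known.get(flow_key(m))
            verdicts.append({"line": line,
                             "verdict": "stale-session" if conn else "unsolicited",
                             "cid": conn["cid"] if conn else None,
                             "torn_down": conn["torn_down"] if conn else None})
    return verdicts

if __name__ == "__main__":
    for v in classify_denies(SAMPLE_LOG):
        print(v["verdict"], v["cid"], v["line"])
```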

