Re: How to troubleshoot this?



jared wrote:

> I am seeing a type of message appear repeatedly in my firewall logs.
> E.g.,
>
> Tue Dec 05 15:54:56 2006 Blocked outgoing TCP packet from
> 192.168.0.14:50011 to 69.28.154.159:80 as FIN:ACK received but there is
> no active connection

My first question would be: what kind of firewall?
If it is a SOHO-type firewall appliance, or iptables on your own box, why
would it block outgoing TCP at all?
Do you control this? Do you manage it?

> The address appears to belong to GoDaddy. I see different IP addresses
> (all appearing to belong to GoDaddy) trying to communicate at various
> times, all using different ports on the local side (i.e., not always
> 50011 - although always unprivileged and not well-known).

But all connecting to port 80 on the other side?

> I am running Ubuntu 6.10 on this machine (a workstation, not a server),
> patched up daily, chkrootkit run weekly. I do not leave any browsers
> or mail clients open when I am off the machine (and in fact, was away
> at the time of this entry). I don't think I can use netstat because
> the ports always vary.

That depends; if the destination ports do not, simply keep tcpdump running
until you get a few of these "connections" and examine the output.

Yes, I say "connections" - have you actually read what it says?

"Blocked outgoing packet as FIN:ACK received *but there is no active
connection*".

What this means is that the remote side of the connection sent YOU a notice
that it has closed the connection - but your side never opened it, or
already closed it earlier - perhaps reset it because of errors from the
remote side.

Use tcpdump, so you can see exactly what traffic is exchanged.



--
All your bits are belong to us.
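The reply above suggests two things: check whether the remote side is really always port 80, and leave tcpdump running until a few of these entries appear. The script below is an added example for this thread, not code from either poster. It assumes the firewall writes every entry in the format of the single line jared quoted, which is the only line the post shows; all sample lines except the first, and the 203.0.113.5 address, are constructed for illustration. It parses the log, groups the blocked FIN/ACK packets by remote endpoint, answers the "always port 80?" and "always unprivileged local port?" questions, and builds the tcpdump filter for capturing the whole exchange between the workstation and the remote hosts seen, so that the capture shows whether a SYN from the local side ever preceded the blocked FIN/ACK.

```python
"""Summarise firewall 'FIN:ACK ... no active connection' entries.

Added example for this thread, not code from the original posts. It assumes
the log format of the single line jared quoted; every sample line except the
first, and the 203.0.113.5 address, are constructed for illustration.
"""
import re
from collections import defaultdict

# Regex generalised from the one entry shown in the post (assumption: the
# firewall logs every such entry in exactly this format).
LOG_RE = re.compile(
    r"^(?P<ts>\w{3} \w{3} \d{2} \d{2}:\d{2}:\d{2} \d{4}) "
    r"Blocked (?P<direction>outgoing|incoming) TCP packet from "
    r"(?P<src>\d{1,3}(?:\.\d{1,3}){3}):(?P<sport>\d+) to "
    r"(?P<dst>\d{1,3}(?:\.\d{1,3}){3}):(?P<dport>\d+) "
    r"as (?P<flags>[A-Z:]+) received but there is no active connection$"
)

# Constructed sample: line 1 is the entry from the post; the others are made
# up in the same format (203.0.113.5 is a documentation address, not GoDaddy).
SAMPLE_LOG = """\
Tue Dec 05 15:54:56 2006 Blocked outgoing TCP packet from 192.168.0.14:50011 to 69.28.154.159:80 as FIN:ACK received but there is no active connection
Tue Dec 05 16:02:11 2006 Blocked outgoing TCP packet from 192.168.0.14:50087 to 69.28.154.159:80 as FIN:ACK received but there is no active connection
Tue Dec 05 17:40:03 2006 Blocked outgoing TCP packet from 192.168.0.14:51234 to 203.0.113.5:80 as FIN:ACK received but there is no active connection
Tue Dec 05 18:15:49 2006 Blocked outgoing TCP packet from 192.168.0.14:51300 to 203.0.113.5:443 as FIN:ACK received but there is no active connection
Tue Dec 05 18:16:00 2006 some unrelated log line that must be ignored
"""


def parse(lines):
    """Return one dict per matching line; lines in another format are skipped."""
    records = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        rec = m.groupdict()
        rec["sport"] = int(rec["sport"])
        rec["dport"] = int(rec["dport"])
        records.append(rec)
    return records


def summarise(records):
    """Group by remote endpoint: hit count, local ports and flags involved."""
    groups = defaultdict(lambda: {"count": 0, "sports": set(), "flags": set()})
    for r in records:
        g = groups[(r["dst"], r["dport"])]
        g["count"] += 1
        g["sports"].add(r["sport"])
        g["flags"].add(r["flags"])
    return {k: {"count": v["count"], "sports": sorted(v["sports"]),
                "flags": sorted(v["flags"])} for k, v in groups.items()}


def remote_ports(records):
    """Distinct destination ports: answers 'all connecting to port 80?'."""
    return sorted({r["dport"] for r in records})


def all_local_ports_ephemeral(records):
    """True if every local port is unprivileged (>= 1024), as jared observed."""
    return all(r["sport"] >= 1024 for r in records)


def tcpdump_filter(records):
    """BPF filter for the whole exchange (SYN through FIN) between the local
    host(s) and every remote host seen, not just the blocked FIN/ACK packets,
    so the capture shows whether the local side ever opened the connection."""
    local = " or ".join(f"host {h}" for h in sorted({r["src"] for r in records}))
    remote = " or ".join(f"host {h}" for h in sorted({r["dst"] for r in records}))
    return f"tcp and ({local}) and ({remote})"


if __name__ == "__main__":
    recs = parse(SAMPLE_LOG.splitlines())
    for (dst, dport), info in sorted(summarise(recs).items()):
        print(f"{dst}:{dport}  hits={info['count']}  "
              f"local ports={info['sports']}  flags={info['flags']}")
    print("remote ports seen:", remote_ports(recs))
    print("all local ports ephemeral:", all_local_ports_ephemeral(recs))
    # eth0 is an assumed interface name; substitute the workstation's own.
    print("tcpdump -n -i eth0 -w finack.pcap", repr(tcpdump_filter(recs)))
```

Feed the real log to `parse()` instead of `SAMPLE_LOG`, then run the printed tcpdump command (with the workstation's actual interface in place of the assumed `eth0`) and leave it running until the firewall logs a few more entries. Reading the capture back with `tcpdump -n -r finack.pcap` shows, for each blocked FIN/ACK, whether a SYN from 192.168.0.14 to that remote host and port appeared earlier in the capture, which is exactly the distinction between "your side never opened it" and "already closed it earlier" that the reply draws.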


