Re: Apache question
> Eduard Ballester <ballester@ipsistemas.com> [2003-11-12 13:53]:
>
> Hi
>
> We have a lot of strange log entries in our NetScreen FireWall:
> ------------------------------------------------
> Nov 12 11:42:51 172.20.125.1 NSNAME: NetScreen device_id=NSNAME
> [MYISP]system-notification-00257(traffic): start_time="2003-11-12
> 11:42:10" duration=0 policy_id=51 service=tcp/port:20158 proto=6 src
> zone=Trust-XXX dst zone=Untrust action=Deny sent=0 rcvd=0
> src=62.XX.YYY.ZZZ dst=80.58.50.239 src_port=80 dst_port=20158
> ------------------------------------------------
>
> * 62.XX.YYY.ZZZ is a server with Apache1.3.x that only serves
>   static pages.
> * All the NICs have Public IP Address.
>
>
>              Internet
>                 |
>                 |
>             NetScreen
>                 |
>                 |
>        Alteon(load balance)
>      |_____________________
>      |      |      |      |
>   Apache1      ...      ApacheN
>
>
>
> Do you know why Apache has this behavior? Why does Apache initiate the
> connections with src_port 80 and a random dst_port?
>
Apache does not initiate the connection. It listens on Port 80.
Whenever it sends out a reply to a connection, of course, it sends
back off port 80. Exactly this is what you see in your log:
src=62.XX.YYY.ZZZ -> dst=80.58.50.239
src_port=80 -> dst_port=20158
HTH. Otherwise ask.
wbr,
Lukas
--
Lukas Ruf | Wanna know anything about raw |
<http://www.lpr.ch> | IP? <http://www.rawip.org> |
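
The reading given in the reply above (source port 80 means the server is answering, not initiating) can be applied to a whole log at once. The following is an added example, not part of the original message: the sample lines are constructed in the field layout of the quoted entry, with documentation-range addresses, and the port heuristic and the names `parse`, `classify` and `summarize` are assumptions of this sketch.

```python
import re
from collections import Counter

# key=value pairs; values may be quoted, and "zone" carries a "src "/"dst " prefix.
FIELD = re.compile(r'((?:src |dst )?\w+)=("[^"]*"|\S+)')

def parse(line):
    """Return the key=value fields of one traffic log line as a dict."""
    return {k: v.strip('"') for k, v in FIELD.findall(line)}

def classify(line, listening=frozenset({80})):
    """Label a TCP entry by which end holds the service port (heuristic).

    'reply'     : source port is one our servers listen on, destination is a high port
    'initiated' : source is a high port, destination is a well-known port (< 1024)
    'unknown'   : anything else, not TCP, or port fields missing
    """
    f = parse(line)
    if f.get("proto") != "6" or "src_port" not in f or "dst_port" not in f:
        return "unknown"                      # proto 6 = TCP
    sport, dport = int(f["src_port"]), int(f["dst_port"])
    if sport in listening and dport >= 1024:
        return "reply"
    if sport >= 1024 and dport < 1024:
        return "initiated"
    return "unknown"

def summarize(lines, listening=frozenset({80})):
    """Count entries per (source address, label)."""
    return Counter((parse(l)["src"], classify(l, listening)) for l in lines)

# Constructed sample entries (not taken from the poster's firewall).
_HEAD = 'start_time="2003-11-12 11:42:10" duration=0 policy_id=51 proto=6 '
_ZONES = 'src zone=Trust-XXX dst zone=Untrust action=Deny sent=0 rcvd=0 '
SAMPLE = [
    _HEAD + _ZONES + 'src=192.0.2.10 dst=198.51.100.7 src_port=80 dst_port=20158',
    _HEAD + _ZONES + 'src=192.0.2.10 dst=198.51.100.9 src_port=80 dst_port=31044',
    _HEAD + _ZONES + 'src=192.0.2.11 dst=203.0.113.5 src_port=40112 dst_port=25',
]

if __name__ == "__main__":
    for (src, label), count in sorted(summarize(SAMPLE).items()):
        print(src, label, count)
```
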