
Re: Apache question



/ 2003-11-12 13:48:40 +0100
\ Eduard Ballester:
> Hi
> 
> We have a lot of strange log entries in our NetScreen firewall:
> ------------------------------------------------
> Nov 12 11:42:51 172.20.125.1 NSNAME: NetScreen device_id=NSNAME 
> [MYISP]system-notification-00257(traffic): start_time="2003-11-12 
> 11:42:10" duration=0 policy_id=51 service=tcp/port:20158 proto=6 src 
> zone=Trust-XXX dst zone=Untrust action=Deny sent=0 rcvd=0 
> src=62.XX.YYY.ZZZ dst=80.58.50.239 src_port=80 dst_port=20158
> ------------------------------------------------
> 
> * 62.XX.YYY.ZZZ is a server with Apache 1.3.x that only serves static 
> pages.
> * All the NICs have Public IP Address.
> 
> 
> Internet
>   |
>   |
> NetScreen
>   |
>   |
> Alteon(load balance)
>   |_____________________
>   |       |       |     |
> Apache1  ...           ApacheN
> 
> 
> 
> Do you know why Apache has this behavior? Why does Apache initiate the 
> connections with src_port 80 and a random dst_port?

Blind guess:
the HTTP queries come in with a "random" source port, dst port 80,
and the dst IP of your load balancer, which redirects to one of the
Apaches. Apache replies with src port 80 and the "random"
dst port of the HTTP client, but the load balancer *fails* to map
the Apache IP back.
So your NetScreen sees "traffic" without ever seeing the TCP
handshake for this pair of IP:port<->IP:port.

	Lars Ellenberg
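To make the guess above concrete, here is an added example (not code from either poster): it parses the NetScreen log line quoted in the question into its key=value fields, flags the "reply without a handshake" pattern (Deny, zero bytes both ways, service port as source, ephemeral port as destination), and then replays the hypothesis through a toy stateful connection tracker. The Alteon VIP address, the client address and the tracker semantics are assumptions made up for illustration; the only real input is the (masked) log line itself.

```python
"""Added example, not part of the original thread: parse the NetScreen
notification quoted above and replay Lars's hypothesis through a toy
stateful connection tracker.

Everything below is an assumption for illustration: the VIP address of
the Alteon, the client address, and the tracker semantics are made up;
only the log line itself is copied (masked as in the post)."""
import re
from dataclasses import dataclass

# Copy of the log line quoted in the thread (constructed sample input).
NETSCREEN_LINE = (
    'Nov 12 11:42:51 172.20.125.1 NSNAME: NetScreen device_id=NSNAME '
    '[MYISP]system-notification-00257(traffic): start_time="2003-11-12 '
    '11:42:10" duration=0 policy_id=51 service=tcp/port:20158 proto=6 src '
    'zone=Trust-XXX dst zone=Untrust action=Deny sent=0 rcvd=0 '
    'src=62.XX.YYY.ZZZ dst=80.58.50.239 src_port=80 dst_port=20158'
)

# key=value pairs; "src zone" and "dst zone" are the two keys with a space.
KV_RE = re.compile(r'(src zone|dst zone|\w+)=("[^"]*"|\S+)')


def parse_netscreen(line):
    """Return the key=value fields of a NetScreen traffic log as a dict,
    with quoted values unquoted."""
    return {key: value.strip('"') for key, value in KV_RE.findall(line)}


SERVICE_PORTS = {80, 443}  # assumption: the services the farm is known to run


def looks_like_unsolicited_reply(fields):
    """Heuristic for the pattern in the post: a Deny with no bytes in either
    direction, a well-known service port as *source* and an ephemeral
    *destination* port, i.e. a server reply whose handshake the firewall
    never saw."""
    return (fields.get('action') == 'Deny'
            and fields.get('sent') == '0' and fields.get('rcvd') == '0'
            and int(fields['src_port']) in SERVICE_PORTS
            and int(fields['dst_port']) >= 1024)


@dataclass(frozen=True)
class Pkt:
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = False


class StatefulFirewall:
    """Toy stateful inspection: a SYN creates a flow keyed on the exact
    4-tuple; later packets are permitted only if they match that tuple or
    its reverse. A real firewall tracks more state, but the matching rule
    is what matters here."""

    def __init__(self):
        self.flows = set()

    def inspect(self, p):
        fwd = (p.src, p.sport, p.dst, p.dport)
        rev = (p.dst, p.dport, p.src, p.sport)
        if p.syn:
            self.flows.add(fwd)
            return 'Permit'
        return 'Permit' if fwd in self.flows or rev in self.flows else 'Deny'


def replay_hypothesis(client='80.58.50.239', client_port=20158,
                      vip='62.XX.YYY.1', real='62.XX.YYY.ZZZ'):
    """Client SYNs to the load balancer VIP (assumed address); the reply
    is then sent once with the VIP as source (correct mapping) and once
    with the real Apache address as source (the failed mapping)."""
    fw = StatefulFirewall()
    fw.inspect(Pkt(client, client_port, vip, 80, syn=True))   # request in
    return {
        'reply_from_vip': fw.inspect(Pkt(vip, 80, client, client_port)),
        'reply_from_real_server': fw.inspect(Pkt(real, 80, client, client_port)),
    }


if __name__ == '__main__':
    f = parse_netscreen(NETSCREEN_LINE)
    print('unsolicited reply pattern:', looks_like_unsolicited_reply(f))
    print(replay_hypothesis())
```

The reply sourced from the VIP matches the reverse of the tracked tuple and is permitted; the same reply sourced from the real server's address matches nothing and is denied, which is exactly the src_port=80, sent=0, rcvd=0 Deny in the log. Running the heuristic over a day of NetScreen logs and counting how many distinct real-server addresses show up as src is a quick way to confirm whether the load balancer is leaking un-mapped replies for all backends or only some.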


