What's up? Apache servers making 'return calls' to past client IPs!

Basil Hussain basil.hussain at kodakweddings.com
Tue Apr 23 11:01:00 CDT 2002


Hi,

Having just recently made some changes on our firewall to be extremely
stringent on what outbound traffic is allowed to be transmitted by our
servers, I spotted some strange activity in the logs:

Deny tcp src dmz:xxx.xxx.xxx.xxx/80 dst outside:213.123.74.212/1198 by access-group "acl_dmz"
Deny tcp src dmz:xxx.xxx.xxx.xxx/80 dst outside:195.107.47.198/49414 by access-group "acl_dmz"
Deny tcp src dmz:xxx.xxx.xxx.xxx/80 dst outside:195.107.47.198/49414 by access-group "acl_dmz"
Deny tcp src dmz:xxx.xxx.xxx.xxx/80 dst outside:194.73.185.67/6132 by access-group "acl_dmz"
Deny tcp src dmz:xxx.xxx.xxx.xxx/80 dst outside:213.123.74.212/1197 by access-group "acl_dmz"
Deny tcp src dmz:xxx.xxx.xxx.xxx/80 dst outside:213.123.74.212/1198 by access-group "acl_dmz"
Deny tcp src dmz:xxx.xxx.xxx.xxx/80 dst outside:194.73.185.67/6084 by access-group "acl_dmz"

Here, 'xxx.xxx.xxx.xxx' is the IP address of one of a pair of web servers.
Strangely, the above destination addresses had all previously accessed the
webserver about 15-30 minutes before the firewall log report of the
attempted return outbound connection.

The question is, why are both my web servers making 'return calls' like
this? Unless I'm going mad, for HTTP the data is returned on the port 80 TCP
connection opened by the client, right? So, I doubt I have anything wrong in
my firewall config - it allows port 80/443 connections inbound, but nothing
outbound.

Anyone got any idea what's going on? The servers are running Apache 1.3.22.

Regards,

Basil Hussain
---------------------------------------
Internet Developer, Kodak Weddings
E-Mail: basil.hussain at kodakweddings.com
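
Added example, not part of the original post: a small script that automates the correlation described above, matching each port-80 deny line against the Apache access log and reporting how long before the deny that client last made a request. The log samples are constructed; the syslog-style timestamp prefix, the server address 192.0.2.10, the client 198.51.100.9 and the function names are assumptions, and both logs are assumed to use the same local clock.

```python
import re
from datetime import datetime

# Constructed sample: the post's deny lines carry no timestamps, so a syslog-style
# prefix is assumed; 192.0.2.10 stands in for the masked web server address.
FIREWALL_LOG = """\
Apr 23 10:41:07 Deny tcp src dmz:192.0.2.10/80 dst outside:213.123.74.212/1198 by access-group "acl_dmz"
Apr 23 10:44:52 Deny tcp src dmz:192.0.2.10/80 dst outside:194.73.185.67/6132 by access-group "acl_dmz"
Apr 23 10:50:00 Deny tcp src dmz:192.0.2.10/80 dst outside:198.51.100.9/4000 by access-group "acl_dmz"
"""
# Constructed Apache common-log-format lines (198.51.100.9 deliberately absent).
ACCESS_LOG = """\
213.123.74.212 - - [23/Apr/2002:10:20:31 -0500] "GET / HTTP/1.0" 200 5120
213.123.74.212 - - [23/Apr/2002:10:22:05 -0500] "GET /a.gif HTTP/1.0" 200 812
194.73.185.67 - - [23/Apr/2002:10:27:40 -0500] "GET / HTTP/1.1" 200 5120
"""

DENY_RE = re.compile(
    r'^(?P<ts>\w{3}\s+\d+ [\d:]{8}) Deny tcp src dmz:(?P<src>[\d.]+)/(?P<sport>\d+) '
    r'dst outside:(?P<dst>[\d.]+)/(?P<dport>\d+) by access-group')
CLF_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\]')

def requests_by_client(access_log):
    """Map client IP -> list of request times (naive local time)."""
    seen = {}
    for line in access_log.splitlines():
        m = CLF_RE.match(line)
        if m:
            t = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z").replace(tzinfo=None)
            seen.setdefault(m["ip"], []).append(t)
    return seen

def correlate(firewall_log, access_log, year=2002):
    """Return (dst_ip, dst_port, minutes since that client's last request or None)."""
    seen = requests_by_client(access_log)
    out = []
    for line in firewall_log.splitlines():
        m = DENY_RE.match(line)
        if not m or m["sport"] != "80":
            continue  # only packets leaving the web server's HTTP port
        when = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        earlier = [t for t in seen.get(m["dst"], []) if t <= when]
        gap = round((when - max(earlier)).total_seconds() / 60, 1) if earlier else None
        out.append((m["dst"], int(m["dport"]), gap))
    return out

if __name__ == "__main__":
    for row in correlate(FIREWALL_LOG, ACCESS_LOG):
        print(row)
```

A gap of `None` marks a deny whose destination never appears in the access log, which is the case the correlation cannot account for.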




