What's up? Apache servers making 'return calls' to past client IPs!
basil.hussain at kodakweddings.com
Wed Apr 24 04:18:00 CDT 2002
Matt Domsch wrote:
> Just a thought... They're probably using Persistent HTTP
> connections, which
> are getting timed out after a while? The web server thinks the connection
> is still open, the firewall doesn't?
Michael E Brown wrote:
> This looks like normal Apache keepalive traffic. You probably have
> persistent connections turned on in your Apache config, and your firewall
> may be dropping the connection from its cache after a few minutes. Then
> a packet comes through that it doesn't recognize as a part of an existing
> connection and it gets dropped and logged.
I doubt it, as our firewall (Cisco PIX) is configured with a (default) one
hour connection timeout.
I could be wrong, but aren't even persistent connections still initiated by
the client and held open by the server until either server or client closes
it? The server should still never *initiate* a connection normally, yes?
Anyway, I have also done a bit more sleuthing. I discovered an association
between firewall log entries and some netstat output on the web server. When
the following is logged by the firewall:
Deny tcp src dmz:xxx.xxx.xxx.xxx/80 dst outside:220.127.116.11/20503 by
The following matching output is also displayed by a 'netstat -p' command:
tcp 0 2876 xxx.xxx.xxx.xxx:www 18.104.22.168:20503
What I find strange here is that the last column of the netstat output for
this case is blank ('-'), showing no PID and/or program name. If this was to
do with Apache, wouldn't it show 'httpd'?
Internet Developer, Kodak Weddings
E-Mail: basil.hussain at kodakweddings.com
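The sleuthing step described in the post (lining up PIX "Deny" entries against the server's netstat output) can be automated. The following is an added example, not code from the post or from the Linux-PowerEdge list: it parses constructed firewall log lines in the shape quoted above, parses constructed `netstat -pn` output (numeric addresses; the few service names netstat prints without `-n` are mapped back to port numbers), matches each denied packet to the server socket with the same endpoints, and reports that socket's state and PID/program column, so that sockets netstat shows with no owning process ("-") stand out. All addresses, PIDs and the access-group name are placeholders.

```python
import re
from typing import List, NamedTuple, Optional, Tuple

Endpoint = Tuple[str, int]


class Socket(NamedTuple):
    proto: str
    local: Endpoint
    remote: Endpoint
    state: str            # empty for UDP lines, which netstat prints without a State column
    owner: Optional[str]  # "PID/Program name", or None when netstat printed "-"


class Correlation(NamedTuple):
    fw_line: str
    proto: str
    local: Endpoint
    remote: Endpoint
    state: Optional[str]  # None when no socket on the server matches the denied packet
    owner: Optional[str]


# Service names netstat substitutes for ports when run without -n (the post shows "www").
SERVICE_PORTS = {"www": 80, "http": 80, "https": 443, "ssh": 22}

# PIX syslog shape from the post: Deny tcp src dmz:IP/port dst outside:IP/port by ...
DENY_RE = re.compile(r"^Deny (\w+) src \w+:(\S+)/(\d+) dst \w+:(\S+)/(\d+)")

# Constructed sample data (placeholder addresses and PIDs, not from the original post).
PIX_LOG = """\
Deny tcp src dmz:203.0.113.10/80 dst outside:198.51.100.7/20503 by access-group "dmz_in"
Deny tcp src dmz:203.0.113.10/80 dst outside:198.51.100.9/41022 by access-group "dmz_in"
Deny udp src dmz:203.0.113.10/53 dst outside:198.51.100.9/5353 by access-group "dmz_in"
"""

NETSTAT = """\
Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0   2876 203.0.113.10:www        198.51.100.7:20503      FIN_WAIT1   -
tcp        0      0 203.0.113.10:80         198.51.100.9:41022      ESTABLISHED 1234/httpd
tcp        0      0 203.0.113.10:22         198.51.100.50:50120     ESTABLISHED 987/sshd
"""


def parse_endpoint(text: str) -> Endpoint:
    """Split 'ip:port' (IPv6-safe: split on the last colon) and resolve service names."""
    ip, _, port = text.rpartition(":")
    return ip, int(SERVICE_PORTS.get(port, port))


def parse_netstat(text: str) -> List[Socket]:
    sockets = []
    for line in text.splitlines():
        fields = line.split()
        if not fields or fields[0][:3] not in ("tcp", "udp"):
            continue  # banner and header lines
        if len(fields) == 6:          # UDP rows carry no State column
            proto, _, _, local, remote, owner = fields
            state = ""
        else:
            proto, _, _, local, remote, state, owner = fields[:7]
        sockets.append(Socket(proto[:3], parse_endpoint(local), parse_endpoint(remote),
                              state, None if owner == "-" else owner))
    return sockets


def correlate(fw_text: str, netstat_text: str) -> List[Correlation]:
    """For every Deny entry, look up the server socket with the same (proto, local, remote)."""
    index = {(s.proto, s.local, s.remote): s for s in parse_netstat(netstat_text)}
    out = []
    for line in fw_text.splitlines():
        m = DENY_RE.match(line)
        if not m:
            continue
        proto = m.group(1).lower()
        local = (m.group(2), int(m.group(3)))
        remote = (m.group(4), int(m.group(5)))
        sock = index.get((proto, local, remote))
        out.append(Correlation(line, proto, local, remote,
                               sock.state if sock else None,
                               sock.owner if sock else None))
    return out


def orphaned(correlations: List[Correlation]) -> List[Correlation]:
    """Denied packets whose server-side socket exists but has no owning process in netstat."""
    return [c for c in correlations if c.state is not None and c.owner is None]


if __name__ == "__main__":
    for c in correlate(PIX_LOG, NETSTAT):
        print(f"{c.proto} {c.local[0]}:{c.local[1]} -> {c.remote[0]}:{c.remote[1]} "
              f"state={c.state or 'no matching socket'} owner={c.owner or '-'}")
```

Run against the real files (`netstat -pn` output and the PIX syslog), the matched rows give the socket state at the moment the firewall denied the packet, which is the missing piece when the PID column alone reads "-".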