What's up? Apache servers making 'return calls' to past clien t IPs!

Matt_Domsch@Dell.com Matt_Domsch at Dell.com
Wed Apr 24 09:44:01 CDT 2002


> I doubt it, as our firewall (Cisco PIX) is configured with a 
> (default) one hour connection timeout.

Cisco firewall rules are notoriously hard to get right.  You may wish to
check again.
 
> I could be wrong, but aren't even persistant connections 
> still initiated by the client and held open by the server
> until either server or client closes
> it? The server should still never *initiate* a connection 
> normally, yes?
> Deny tcp src dmz:xxx.xxx.xxx.xxx/80 dst outside:213.1.243.253/20503 by
> access-group "acl_dmz"

The server isn't initiating the connection.  It's sending a packet from port
80, which is a port number that, if it was initiating a connection (TCP SYN
packet), would never use.  You're getting hung up in the connection closing
routines on the server (capture and do a tcpdump on the packets that cause
this), since the server is going into CLOSING state, it's probably sending
the FIN+ACK packet to signal the client it wants to close the connection,
but the firewall is blocking that packet.  The client may or may not have
sent it's own FIN+ACK message to the server to tell it to close the
connection.

It's going to be a firewall rule thing.

Thanks,
Matt

--
Matt Domsch
Sr. Software Engineer
Dell Linux Solutions www.dell.com/linux
Linux on Dell mailing lists @ http://lists.us.dell.com
#1 US Linux Server provider for 2001!




More information about the Linux-PowerEdge mailing list