What's up? Apache servers making 'return calls' to past client IPs!
Matt_Domsch at Dell.com
Wed Apr 24 09:44:01 CDT 2002
> I doubt it, as our firewall (Cisco PIX) is configured with a
> (default) one hour connection timeout.
Cisco firewall rules are notoriously hard to get right. You may wish to
> I could be wrong, but aren't even persistent connections
> still initiated by the client and held open by the server
> until either server or client closes
> it? The server should still never *initiate* a connection
> normally, yes?
> Deny tcp src dmz:xxx.xxx.xxx.xxx/80 dst outside:188.8.131.52/20503 by
> access-group "acl_dmz"
The server isn't initiating the connection. It's sending a packet from port
80, which is a port number that, if it was initiating a connection (TCP SYN
packet), it would never use. You're getting hung up in the connection closing
routines on the server (capture and do a tcpdump on the packets that cause
this). Since the server is going into CLOSING state, it's probably sending
the FIN+ACK packet to signal the client it wants to close the connection,
but the firewall is blocking that packet. The client may or may not have
sent its own FIN+ACK message to the server to tell it to close the
It's going to be a firewall rule thing.
Sr. Software Engineer
Dell Linux Solutions www.dell.com/linux
Linux on Dell mailing lists @ http://lists.us.dell.com
#1 US Linux Server provider for 2001!
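As an added illustration of the failure mode discussed in this thread (not code from the original post or from any Dell or Cisco product), a small Python model of a stateful firewall with a one-hour idle timeout: a client-initiated flow to tcp/80 is tracked, the state ages out while the connection sits idle, and the server's later FIN+ACK is denied as a stale teardown, not a server-initiated connection. Addresses, ports and timings are constructed sample values.

```python
from collections import namedtuple
from dataclasses import dataclass, field

SYN, ACK, FIN = 0x02, 0x10, 0x01   # TCP flag bits
Packet = namedtuple("Packet", "t src sport dst dport flags")   # t = seconds into trace


@dataclass
class StatefulFirewall:
    idle_timeout: float = 3600.0   # the one-hour PIX default mentioned in the thread
    table: dict = field(default_factory=dict)   # flow key -> time of last packet seen

    @staticmethod
    def key(p):
        # Normalise so both directions of a flow hit the same state entry.
        a, b = (p.src, p.sport), (p.dst, p.dport)
        return (a, b) if a < b else (b, a)

    @staticmethod
    def classify(p):
        """A bare SYN opens a connection; a FIN only tears one down."""
        if p.flags & SYN and not p.flags & ACK:
            return "initiation"
        return "teardown" if p.flags & FIN else "data"

    def inspect(self, p):
        """Return (verdict, reason) the way a stateful ACL would decide."""
        k, kind = self.key(p), self.classify(p)
        last = self.table.get(k)
        if last is not None and p.t - last <= self.idle_timeout:
            self.table[k] = p.t
            return "permit", f"known flow, {kind}"
        if kind == "initiation" and p.dport == 80:
            self.table[k] = p.t
            return "permit", "new client connection to tcp/80"
        if last is not None:
            return "deny", f"{kind} after idle timeout (state aged out)"
        return "deny", f"unsolicited {kind} from {p.src}:{p.sport}"


def run_trace():
    """Constructed trace: client opens tcp/80, goes quiet, server closes over an hour later."""
    fw = StatefulFirewall()
    c, s = ("203.0.113.7", 20503), ("192.0.2.10", 80)   # constructed client / server
    trace = [Packet(0.0, *c, *s, SYN), Packet(0.01, *s, *c, SYN | ACK),
             Packet(0.02, *c, *s, ACK), Packet(5.0, *s, *c, ACK),
             Packet(3700.0, *s, *c, FIN | ACK)]   # the server's late FIN+ACK
    return [fw.inspect(p) for p in trace]
```

The last packet is the one that shows up as a "Deny tcp src dmz:.../80" log entry: it carries FIN+ACK, so it is a close of an existing session, yet the firewall has already discarded the state that would have let it through.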