Huge number of denied connections on firewall with source port 80 from multiple IP addresses

Unanswered Question
Oct 1st, 2010

Hello friends,

As far as I know, a source never uses a port below 1024; it is always above 1024 when communicating.

I have been observing huge numbers of requests hitting the firewall with source port 80 and a random destination port, and the firewall is blocking these requests.

The destination IP address is our proxy server, and the sources with port 80 are public web sites.

Please let me know what is going wrong.

Regards,

Manik Palekar

Federico Coto F... Fri, 10/01/2010 - 15:07

Hi,

It sounds like it could be replies to web requests from the proxy to external web sites.

These replies will have source port 80 and destination random port (port which was used to initiate the connection).

Is the firewall blocking those connections (as if they were initiated from the outside)?

Or what's exactly the problem?

Federico.

manik.palekar Fri, 10/01/2010 - 15:30

Hi Federico,

Thanks for your reply.

Below are the logs captured on the firewall. The proxy is a black box which runs the proxy service for all internal LAN users. If you are saying this is a TCP SYN/ACK request, then the firewall should have allowed these requests as per stateful functionality, and as per my understanding a SYN/ACK request should not be on the same port (maybe I am wrong). But here the outside websites are querying the proxy server with source port 80 and a random destination port. I wonder why anyone would try to connect to the proxy with port 80 as the source; this is not a valid source port as per IEEE.

TCP outside 96.7.40.24:80 inside proxy:60901, idle 0:00:02, bytes 4167, flags UIO
TCP outside 207.46.124.36:80 inside proxy:36292, idle 0:00:19, bytes 2391, flags UO
TCP outside 64.4.34.221:80 inside proxy:33772, idle 0:00:20, bytes 2598, flags UO
TCP outside 69.63.189.26:80 inside proxy:59812, idle 0:00:01, bytes 49393, flags UIO

Hope this clarifies the issue.

Regards,

Manik Palekar

praprama Fri, 10/01/2010 - 18:05

Hey,

What Federico has said could be the case. The logs that you are seeing must relate to replies from web servers in response to requests from your proxy server.

That is, for example, when an inside user tries to access a website, the request goes to your proxy server, which then initiates the connection on behalf of your user. For this packet, the source port will be random (>1024) and the destination will be TCP/80.

When the outside server replies to this request, now the source port will be changed to TCP/80 and destination port will be the random port the proxy server used initially (>1024). It is these packets that are getting dropped by the firewall.

To confirm what is going wrong, could you please post the exact set of logs you are getting on the firewall (with masked IP addresses)?

Thanks and Regards,

Prapanch
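As an added illustration of the reply path Prapanch describes (example code written for this page; it is not from the original thread or from Cisco), the script below parses the four `show conn` style entries Manik posted, works out from the port numbers which side most likely opened each connection, decodes the ASA connection flags that bear on direction, and models the state table a stateful firewall keeps: an inbound packet from `web:80` to `proxy:60901` is admitted only because `proxy:60901 -> web:80` was seen going out first, while an unsolicited packet with the same source port is not. Assumptions: the interfaces are named `outside` and `inside` as in the posted entries, the `>1024` ephemeral-port threshold is the thread's own rule of thumb, and `203.0.113.9` / `198.51.100.7` are documentation addresses used as constructed inputs.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Constructed sample input: the four "show conn" entries from the post above,
# with "proxy" standing in for the (masked) inside address, as in the original.
SAMPLE_CONN_LINES = """\
TCP outside 96.7.40.24:80 inside proxy:60901, idle 0:00:02, bytes 4167, flags UIO
TCP outside 207.46.124.36:80 inside proxy:36292, idle 0:00:19, bytes 2391, flags UO
TCP outside 64.4.34.221:80 inside proxy:33772, idle 0:00:20, bytes 2598, flags UO
TCP outside 69.63.189.26:80 inside proxy:59812, idle 0:00:01, bytes 49393, flags UIO
"""

CONN_RE = re.compile(
    r"^(?P<proto>TCP|UDP)\s+(?P<ifa>\S+)\s+(?P<hosta>[^\s:]+):(?P<porta>\d+)\s+"
    r"(?P<ifb>\S+)\s+(?P<hostb>[^\s:]+):(?P<portb>\d+),\s+idle\s+(?P<idle>[\d:]+),\s+"
    r"bytes\s+(?P<bytes>\d+),\s+flags\s+(?P<flags>\S+)$"
)

# Direction-relevant ASA connection flags, with the meanings "show conn" documents for them.
FLAG_MEANINGS = {
    "U": "up (handshake complete)",
    "I": "inbound data",
    "O": "outbound data",
    "B": "initial SYN from outside",
}

EPHEMERAL_MIN = 1024  # the thread's rule of thumb; real stacks pick from 32768-60999 or 49152-65535


@dataclass
class Conn:
    proto: str
    out_host: str
    out_port: int
    in_host: str
    in_port: int
    nbytes: int
    flags: str


def parse_conn(line: str) -> Conn:
    """Parse one "show conn" line. Endpoints are matched by interface name
    (assumed to be "outside" and "inside"), so their printed order does not matter."""
    m = CONN_RE.match(line.strip())
    if not m:
        raise ValueError(f"unrecognised conn line: {line!r}")
    ends = {m["ifa"]: (m["hosta"], int(m["porta"])), m["ifb"]: (m["hostb"], int(m["portb"]))}
    (oh, op), (ih, ip) = ends["outside"], ends["inside"]
    return Conn(m["proto"], oh, op, ih, ip, int(m["bytes"]), m["flags"])


def describe_flags(flags: str) -> List[str]:
    return [FLAG_MEANINGS.get(f, f"unknown flag {f}") for f in flags]


def likely_initiator(c: Conn) -> str:
    """Heuristic: the side using an ephemeral port is the client. The 'B' flag, when
    present, is authoritative that the SYN came from outside."""
    if "B" in c.flags:
        return "outside"
    if c.in_port >= EPHEMERAL_MIN and c.out_port < EPHEMERAL_MIN:
        return "inside"
    if c.out_port >= EPHEMERAL_MIN and c.in_port < EPHEMERAL_MIN:
        return "outside"
    return "unknown"


Tuple4 = Tuple[str, int, str, int]  # (src_host, src_port, dst_host, dst_port)


class StateTable:
    """Minimal model of a stateful firewall: remember the forward 4-tuple of each
    outbound SYN and admit an inbound packet only if its 4-tuple is the exact reverse."""

    def __init__(self) -> None:
        self._forward: Dict[Tuple4, bool] = {}

    def add_outbound(self, src_host: str, src_port: int, dst_host: str, dst_port: int) -> None:
        self._forward[(src_host, src_port, dst_host, dst_port)] = True

    def allows_inbound(self, src_host: str, src_port: int, dst_host: str, dst_port: int) -> bool:
        # A reply web:80 -> proxy:60901 reverses the recorded proxy:60901 -> web:80.
        return (dst_host, dst_port, src_host, src_port) in self._forward


def analyse(text: str) -> Tuple[List[Conn], StateTable]:
    """Load conn entries and rebuild the state table the firewall must hold for them."""
    conns = [parse_conn(l) for l in text.splitlines() if l.strip()]
    table = StateTable()
    for c in conns:
        if likely_initiator(c) == "inside":
            table.add_outbound(c.in_host, c.in_port, c.out_host, c.out_port)
    return conns, table


if __name__ == "__main__":
    conns, table = analyse(SAMPLE_CONN_LINES)
    for c in conns:
        print(f"{c.out_host}:{c.out_port} <-> {c.in_host}:{c.in_port} "
              f"initiator={likely_initiator(c)} flags={', '.join(describe_flags(c.flags))}")
    print(table.allows_inbound("96.7.40.24", 80, "proxy", 60901))   # True: reply to an outbound request
    print(table.allows_inbound("203.0.113.9", 80, "proxy", 60901))  # False: unsolicited, same source port
```

Run as-is it prints one line per entry, each classified as initiated from inside with `U`/`I`/`O` decoded, then `True` and `False` for the two inbound checks. The heuristic is only a heuristic: a host that listens on a high port or a scanner that spoofs source port 80 breaks the port-number rule, which is why the `B` flag (when the ASA records it) is consulted first and why the decision the firewall actually makes rests on the state table, not on the port numbers.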
