watchguard packets dropped
on 20.11.2007 03:21:59 by steve.logan
I'm new to firewalling anything beyond the basics, and I have our
Watchguard up and running and have moved one of our web sites behind
it, so we're starting to see some traffic through it. I'm a tiny bit
concerned that people with legitimate connections might be getting
blocked because of some of the rules in the firewall.
For example, this first IP (24.38.17.25) seems to be a Comcast user
trying to bring up a web site. Can someone give a brief insight into
the reasons the firewall is blocking these connections?
"TCP RST packet without an associated connection"
"TCP SYN checking: connection not established yet [-A---F];"
2007-11-19 21:02:56 Deny 24.38.17.25 xxx.xxx.xxx.xxx http/tcp 52480 80
0-External unknown TCP RST packet without an associated connection,
firewall drop 40 241 (internal policy) tcpinfo="offset 5 R
1327508525 win 0"
2007-11-19 21:03:17 Deny 24.38.17.25 xxx.xxx.xxx.xxx http/tcp 52488 80
0-External 1-Trusted TCP SYN checking: connection not established yet
[-A---F], firewall drop 52 49 (internal policy) tcpinfo="offset 8 FA
942952889 win 65535"
I'm also seeing some of these "Unhandled External Packet-00"
connections being denied.
2007-11-19 21:14:04 Deny 67.15.135.144 xxx.xxx.xxx.xxx 54122/tcp 80
54122 0-External 1-Trusted denied 44 48 (Unhandled External
Packet-00) tcpinfo="offset 6 SA 363997396 win 5840"
Thank you,
Re: watchguard packets dropped
on 20.11.2007 04:04:22 by Leythos
In article <771914bf-0e06-43af-980a-8cb9100341b5
@n20g2000hsh.googlegroups.com>, steve.logan@gmail.com says...
> I'm new to firewalling anything beyond the basics, and I have our
> Watchguard up and running and have moved one of our web sites behind
> it, so we're starting to see some traffic through it. I'm a tiny bit
> concerned that people with legitimate connections might be getting
> blocked because of some of the rules in the firewall.
First, without knowing what rules you created, there is little way to be
sure what you have blocking for what reason.
Normally, the inbound connections only get blocked for a couple of reasons:
1) No rule permitting inbound access
2) Malformed packets
3) Attack detected, IP blocked for 20 minutes automatically
4) Source IP part of hard block list
I've got a LOT of watchguard firewalls in service all over the country;
what model and what firmware are you using?
--
Leythos
- Igitur qui desiderat pacem, praeparet bellum.
- Calling an illegal alien an "undocumented worker" is like calling a
drug dealer an "unlicensed pharmacist"
spam999free@rrohio.com (remove 999 for proper email address)
Re: watchguard packets dropped
on 26.11.2007 12:01:55 by goarilla
steve.logan@gmail.com wrote:
> I'm new to firewalling anything beyond the basics, and I have our
> Watchguard up and running and have moved one of our web sites behind
> it, so we're starting to see some traffic through it. I'm a tiny bit
> concerned that people with legitimate connections might be getting
> blocked because of some of the rules in the firewall.
>
> For example, this first IP (24.38.17.25) seems to be a Comcast user
> trying to bring up a web site. Can someone give a brief insight into
> the reasons the firewall is blocking these connections?
>
> "TCP RST packet without an associated connection"
> "TCP SYN checking: connection not established yet [-A---F];"
>
>
> 2007-11-19 21:02:56 Deny 24.38.17.25 xxx.xxx.xxx.xxx http/tcp 52480 80
> 0-External unknown TCP RST packet without an associated connection,
> firewall drop 40 241 (internal policy) tcpinfo="offset 5 R
> 1327508525 win 0"
>
> 2007-11-19 21:03:17 Deny 24.38.17.25 xxx.xxx.xxx.xxx http/tcp 52488 80
> 0-External 1-Trusted TCP SYN checking: connection not established yet
> [-A---F], firewall drop 52 49 (internal policy) tcpinfo="offset 8 FA
> 942952889 win 65535"
>
>
>
> I'm also seeing some of these "Unhandled External Packet-00"
> connections being denied.
>
> 2007-11-19 21:14:04 Deny 67.15.135.144 xxx.xxx.xxx.xxx 54122/tcp 80
> 54122 0-External 1-Trusted denied 44 48 (Unhandled External
> Packet-00) tcpinfo="offset 6 SA 363997396 win 5840"
>
> Thank you,
What's so hard to understand about that ...
RST packets which are not part of an existing established connection
should be dropped! Sounds like a portscan to me, or some responses to
spoofed connection attempts.
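To make the three deny lines from the original post and goarilla's "not part of an established connection" point concrete, here is an added example (not code from the thread or from WatchGuard) that parses those lines and replays the stateful check: a bare SYN opens a tracked connection, and any RST, FIN/ACK or SYN/ACK that matches no tracked entry is dropped. The field layout, the regex and the per-source counter are assumptions built from the quoted lines only.

```python
import re
from collections import Counter

# Constructed sample: the three WatchGuard deny lines from the original post,
# re-joined onto single lines (destination kept as the poster's xxx placeholder).
SAMPLE_LOG = """\
2007-11-19 21:02:56 Deny 24.38.17.25 xxx.xxx.xxx.xxx http/tcp 52480 80 0-External unknown TCP RST packet without an associated connection, firewall drop 40 241 (internal policy) tcpinfo="offset 5 R 1327508525 win 0"
2007-11-19 21:03:17 Deny 24.38.17.25 xxx.xxx.xxx.xxx http/tcp 52488 80 0-External 1-Trusted TCP SYN checking: connection not established yet [-A---F], firewall drop 52 49 (internal policy) tcpinfo="offset 8 FA 942952889 win 65535"
2007-11-19 21:14:04 Deny 67.15.135.144 xxx.xxx.xxx.xxx 54122/tcp 80 54122 0-External 1-Trusted denied 44 48 (Unhandled External Packet-00) tcpinfo="offset 6 SA 363997396 win 5840"
"""

# Field layout assumed from the lines above: timestamp, action, src, dst, service,
# src port, dst port, src zone, dst zone, free-text reason, then the tcpinfo block.
LINE_RE = re.compile(
    r'^(?P<ts>\S+ \S+) (?P<action>\w+) (?P<src>\S+) (?P<dst>\S+) (?P<svc>\S+) '
    r'(?P<sport>\d+) (?P<dport>\d+) (?P<szone>\S+) (?P<dzone>\S+) (?P<reason>.*?) '
    r'tcpinfo="offset \d+ (?P<flags>[A-Z]+) (?P<seq>\d+) win (?P<win>\d+)"$')

def parse(text):
    """Return one dict per log line that matches the layout; other lines are skipped."""
    return [m.groupdict() for m in map(LINE_RE.match, text.splitlines()) if m]

def stateful_verdict(rec, table):
    """Replay the firewall's stateful check: a bare SYN opens a tracked entry; every
    other flag combination must belong to an entry the firewall already created."""
    key = frozenset([(rec["src"], rec["sport"]), (rec["dst"], rec["dport"])])
    flags = rec["flags"]
    if flags == "S":
        table.add(key)
        return "allow: SYN opens a new connection"
    if key in table:
        return "allow: part of a tracked connection"
    if "R" in flags:
        return "drop: RST with no associated connection"
    if "S" in flags and "A" in flags:
        # SYN/ACK from a remote port 80 with no SYN of ours on record: the reply to a
        # connection attempt that used this site's address as source (goarilla's reading).
        return "drop: unsolicited SYN/ACK (reply to a spoofed-source SYN)"
    return f"drop: {flags} but no handshake seen (not established yet)"

def analyze(text):
    """(timestamp, source, flags, verdict) for each parsed line, in log order."""
    table = set()
    return [(r["ts"], r["src"], r["flags"], stateful_verdict(r, table)) for r in parse(text)]

def denies_per_source(text):
    """Denies per source IP: one odd packet versus a stream of them from one host."""
    return Counter(r["src"] for r in parse(text) if r["action"] == "Deny")

if __name__ == "__main__":
    for row in analyze(SAMPLE_LOG):
        print(*row)
    print(denies_per_source(SAMPLE_LOG))
```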