[Logwatch-Devel] Re: new version of kernel script is up

James Wysynski wysynskij@yahoo.com
Sat, 2 Nov 2002 08:53:04 -0800 (PST)

Or perhaps it can report both ports in that case; the
other port could be listed in the details for acks.   
Which way is the information most useful?  

Either way, it makes sense to me and shouldn't be that
hard to do; if people would find it useful I can make
the change.  I'm not going to have much time this
weekend but I can take a look at it next week.   

Can you send me some sample kernel log entries?


--- Kenneth Porter <shiva@sewingwitch.com> wrote:
> I'm getting some items in my iptables listings that
> are clearly dropped
> acks or orphaned inbound web connections, as they
> show port 80 in the
> source and some random ports for destination. The
> ones I'm seeing today all
> have SYN and ACK on, suggesting that they're the
> reply for connection
> establishment. I'm not sure why the connection
> tracking module isn't
> handling these and marking them as RELATED or
> ESTABLISHED to be caught by
> an earlier rule.
> Anyway, I'm wondering if it makes sense for the
> kernel script to report the
> source port instead of destination if the TCP ACK
> bit is on?
> _______________________________________________
> Logwatch-Devel mailing list
> Logwatch-Devel@logwatch.org

Do you Yahoo!?
HotJobs - Search new jobs daily now