This discussion has been locked.

You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Many port 25 TCP SYN Logs in Violation Log

Been seeing a constant flow of these types packets to multiple hosts I have in a DMZ setup. These hosts are running web servers with only port 80 via packet filters and NAT.

20:54:49 208.169.18.225 27322  ->  172.18.0.86 25 TCP SYN
20:54:52 208.169.18.225 27322  ->  172.18.0.86 25 TCP SYN
20:54:57 216.219.253.238 39930  ->  172.18.0.79 25 TCP SYN
20:54:58 208.169.18.225 27322  ->  172.18.0.86 25 TCP SYN
20:54:59 209.246.228.170 11523  ->  172.18.0.86 25 TCP SYN
20:55:00 199.212.134.4 1177  ->  172.18.0.86 25 TCP SYN

Any clue why? This is coming from a variety of hosts.

This thread was automatically locked due to age.

0 Marcel_01 over 22 years ago

your hosts use private IPs, so you're using DNAT do forward requests on port 80 to them... maybe you DNAT any port to the server, but only allow port 80 in packetfilter... if this is correct, you may wanna check the MX for the domainname the servers use... maybe people think they can deliver mail to this webserver...!?

hth
/marcel
Cancel
Vote Up 0 Vote Down

Cancel
0 Joe_Halleck over 22 years ago in reply to Marcel_01

That or I have this many peeps scanning these hosts for mail servers.
MX records don't exist for these host "outside" ip's

I am using nat rule to these hosts using "any" then controlling via packet filter for more of convience so not to have to create seperate nat rules for each proto I want to pass.

What is best way perfomance wise to define this type of setup?
Cancel
Vote Up 0 Vote Down

Cancel