
Packet Filter Logging Question

All-

I need some advice regarding packet filter logging. It seems that when content is delivered from Akamai Technologies, their servers leave a large number of logs, usually ending with tcpflag RST. Please see the example enclosed. My question is: how do I prevent this needless logging? Mods, I may have placed my post incorrectly under network security in place of management, logging... Please relocate if necessary.

Thanks,
Jim

2011:05:05-12:44:14 OASIS ulogd[5189]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60001" initf="eth0" srcmac="0:90:1a:a1:41:27" dstmac="0:24:7e:x:y:z" srcip="69.31.28.242" dstip="173.A.B.76" proto="6" length="40" tos="0x00" prec="0x00" ttl="253" srcport="443" dstport="3097" tcpflags="RST" 
2011:05:05-12:44:14 OASIS ulogd[5189]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60001" initf="eth0" srcmac="0:90:1a:a1:41:27" dstmac="0:24:7e:x:y:z" srcip="69.31.28.232" dstip="173.A.B.76" proto="6" length="40" tos="0x00" prec="0x00" ttl="253" srcport="443" dstport="3119" tcpflags="RST" 


  • Jim, the packets you show being dropped are "uninvited" responses that the connection tracker isn't recognizing. Billybob (I think it was) pointed out last year, in a discussion about QoS, that you need a different service definition. Try something like "Uninvited" = 443 -> 1:65535. Then put that in the place of "Web Surfing" in your PF rule. I don't think that will bother real responses, since conntrack should accept valid ones before the manual PF rules are consulted.

    Did that work?

    Cheers - Bob
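To make the service-definition point concrete, here is an added example (not code from the thread, and not anything Astaro/Sophos ships; the actual rule is built in the UTM GUI) that parses ulogd packetfilter lines like Jim's and checks them against two service definitions. "Uninvited" is Bob's 443 -> 1:65535. The HTTPS half of the stock "Web Surfing" service is modelled here as an assumption (any source port to destination 443), which is the usual shape of a client-side web service definition. The first two sample lines are Jim's (with his masking kept); the third is a constructed SYN-to-22 drop added as contrast. Everything else (function names, field conversions) is this example's own.

```python
import re
from dataclasses import dataclass

# Constructed sample input: lines 1-2 follow the ulogd "Packet dropped" entries quoted in
# the thread (masked addresses kept as posted); line 3 is an invented contrast event.
SAMPLE_LOG = """\
2011:05:05-12:44:14 OASIS ulogd[5189]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60001" initf="eth0" srcmac="0:90:1a:a1:41:27" dstmac="0:24:7e:x:y:z" srcip="69.31.28.242" dstip="173.A.B.76" proto="6" length="40" tos="0x00" prec="0x00" ttl="253" srcport="443" dstport="3097" tcpflags="RST"
2011:05:05-12:44:14 OASIS ulogd[5189]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60001" initf="eth0" srcmac="0:90:1a:a1:41:27" dstmac="0:24:7e:x:y:z" srcip="69.31.28.232" dstip="173.A.B.76" proto="6" length="40" tos="0x00" prec="0x00" ttl="253" srcport="443" dstport="3119" tcpflags="RST"
2011:05:05-12:45:02 OASIS ulogd[5189]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60001" initf="eth0" srcmac="0:90:1a:a1:41:27" dstmac="0:24:7e:x:y:z" srcip="198.51.100.7" dstip="173.A.B.76" proto="6" length="60" tos="0x00" prec="0x00" ttl="48" srcport="51234" dstport="22" tcpflags="SYN"
"""

KV_RE = re.compile(r'(\w+)="([^"]*)"')
INT_FIELDS = ("id", "fwrule", "proto", "length", "ttl", "srcport", "dstport")


def parse_ulogd(text):
    """Turn each ulogd packetfilter line into a dict of its key="value" fields.
    The leading 'timestamp host ulogd[pid]' part is kept under 'prefix';
    numeric fields are converted so port ranges can be compared."""
    events = []
    for line in text.splitlines():
        if 'sub="packetfilter"' not in line:
            continue
        prefix, _, body = line.partition(": ")
        ev = {"prefix": prefix}
        for key, value in KV_RE.findall(body):
            ev[key] = int(value) if key in INT_FIELDS else value
        events.append(ev)
    return events


@dataclass(frozen=True)
class Service:
    """A service definition in the Astaro style: IP protocol number plus
    inclusive source and destination port ranges."""
    name: str
    proto: int
    src_ports: tuple
    dst_ports: tuple

    def matches(self, ev):
        return (ev.get("proto") == self.proto
                and self.src_ports[0] <= ev.get("srcport", -1) <= self.src_ports[1]
                and self.dst_ports[0] <= ev.get("dstport", -1) <= self.dst_ports[1])


# Bob's suggestion from the thread: server port 443 answering towards any client port.
UNINVITED = Service("Uninvited", proto=6, src_ports=(443, 443), dst_ports=(1, 65535))
# Assumed model of the HTTPS part of "Web Surfing": any client port towards server port 443.
WEB_SURFING_HTTPS = Service("Web Surfing (HTTPS, assumed)", proto=6,
                            src_ports=(1, 65535), dst_ports=(443, 443))


def is_stray_rst(ev):
    """A bare RST (no SYN) from a server port: the late reset that arrives after
    conntrack has already forgotten the connection, so the manual rules see it."""
    flags = set(ev.get("tcpflags", "").split())
    return ev.get("proto") == 6 and "RST" in flags and "SYN" not in flags


def classify(events, services):
    """Count events by the first service definition that matches them;
    anything no definition covers is counted under 'other'."""
    counts = {}
    for ev in events:
        name = next((s.name for s in services if s.matches(ev)), "other")
        counts[name] = counts.get(name, 0) + 1
    return counts


if __name__ == "__main__":
    evs = parse_ulogd(SAMPLE_LOG)
    print("Web Surfing alone:", classify(evs, [WEB_SURFING_HTTPS]))
    print("with Uninvited:   ", classify(evs, [UNINVITED, WEB_SURFING_HTTPS]))
    print("stray RSTs:       ", [is_stray_rst(e) for e in evs])
```

Run against the sample, the "Web Surfing" definition matches none of the logged packets (their source port is 443 and their destination is an ephemeral port, the reverse of a client request), which is why a rule built on it never sees them and they fall through to the default drop-and-log. The "Uninvited" definition matches both RST lines and leaves the SYN to port 22 alone. One caveat before using such a definition in a rule: it only affects packets conntrack has no state for, as Bob notes, so check that the rule you attach it to drops silently rather than accepting, or you trade a noisy log for an open hole.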