Thread Info
  • State Not Answered
  • Locked Locked
  • Replies 8 replies
  • Subscribers 2 subscribers
  • Views 7320 views
  • Users 0 members are here
Options
Suggested
This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Suspicious TCP state ?

Sn@g9l3pu5s
How do you know if Suspicious TCP state are being reject or Drop

I am seeing a lot the logs 

09:48:58  Suspicious TCP state  TCP 174.36.179.119  :  6005 ? 
209.200.9.78  :  3584 [ACK SYN]  len=40  ttl=105  tos=0x00


08:52:14  Suspicious TCP state  TCP 74.208.172.18  :  80 ?  209.200.9.78  :  1234   [ACK RST]  len=40  ttl=52 tos=0x00 

 how would i know if they were drop, reject or do UTM9 just let them pass


This thread was automatically locked due to age.
Parents
  • 0
    Hi Dougga,

    It is dropped.

    Just had a look at my test unit's firewall rules. That entry is triggered by a sanity check chain in the firewall and fwrule=60009 indicates it's dropped.

    For everyone's reference, the 6000x rules are UTM drop rules. From what I can see, the rules correspond as follows:

    60001 - INPUT Chain
    60002 - FORWARD Chain
    60003 - OUTPUT Chain
    60005 - OUTPUT Chain (something to do w/ webadmin & nonpriv ports)
    60009 - STRICT_TCP_STATE
Reply
  • 0
    Hi Dougga,

    It is dropped.

    Just had a look at my test unit's firewall rules. That entry is triggered by a sanity check chain in the firewall and fwrule=60009 indicates it's dropped.

    For everyone's reference, the 6000x rules are UTM drop rules. From what I can see, the rules correspond as follows:

    60001 - INPUT Chain
    60002 - FORWARD Chain
    60003 - OUTPUT Chain
    60005 - OUTPUT Chain (something to do w/ webadmin & nonpriv ports)
    60009 - STRICT_TCP_STATE
Children
No Data