[squid-users] Re: Odd port behavior from squid

From: RW <fbsd06@dont-contact.us>
Date: Fri, 04 May 2007 20:45:51 +0100

Kinkie wrote:

> On 5/4/07, Pat Riehecky <prieheck@iwu.edu> wrote:
>> I just put iptables on our squid box and noticed some very strange
>> activity (IPs have been changed to protect the innocent):
>>
>> [44165032.820000] Dropped default (OUTPUT): IN= OUT=eth0
>> SRC=MY.PROXY.IP.ADDRESS DST=SOME.RANDOM.IP.ADDR LEN=40 TOS=0x00
>> PREC=0x00 TTL=64 ID=41807 DF PROTO=TCP SPT=3128 DPT=2660 WINDOW=7140
>> RES=0x00 ACK PSH FIN URGP=0
>>
>> I have literally thousands of these where it looks like squid is
>> actively opening connections (well trying...) to the outside world. The
>> intervals are somewhat random (and if you really care I can extrapolate
>> them).
>
> It's probably a problem with iptables, not squid.
> What's probably happening is that your iptables rules include some
> rules that accept packets for sessions in a RELATED or ESTABLISHED
> state. And session management is the problem, because sessions have
> their own timeout.
> ...
> In other words, nothing to worry about

That supposes that the connections are with legitimate clients, but since the
OP referred to "SOME.RANDOM.IP.ADDR", and "connections ... to the outside
world", I suspect it was an open proxy.

Received on Fri May 04 2007 - 13:46:12 MDT
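The thread offers two readings of the quoted LOG lines: Kinkie's (source port 3128 with ACK/FIN and no SYN is the tail of a client session whose conntrack entry has already timed out) and RW's (if the peer is a random outside address, an outside host was allowed to use the proxy). The triage script below, added here and not part of the original thread, applies both checks to constructed sample lines; the proxy port, the local client range and the RFC 5737/RFC 1918 addresses standing in for the redacted ones are assumptions.

```python
import ipaddress

PROXY_PORT = 3128
# Assumption: the site's own client range; anything else is an outside peer.
LOCAL_CLIENT_NETS = [ipaddress.ip_network("10.0.0.0/8")]
TCP_FLAGS = {"SYN", "ACK", "FIN", "RST", "PSH", "URG"}

# Constructed sample lines in the iptables LOG format quoted in the thread.
SAMPLE_LOG = """\
[44165032.820000] Dropped default (OUTPUT): IN= OUT=eth0 SRC=192.0.2.10 DST=198.51.100.77 LEN=40 TOS=0x00 PREC=0x00 TTL=64 ID=41807 DF PROTO=TCP SPT=3128 DPT=2660 WINDOW=7140 RES=0x00 ACK PSH FIN URGP=0
[44165033.100000] Dropped default (OUTPUT): IN= OUT=eth0 SRC=192.0.2.10 DST=10.0.0.5 LEN=40 TOS=0x00 PREC=0x00 TTL=64 ID=41808 DF PROTO=TCP SPT=3128 DPT=51022 WINDOW=7140 RES=0x00 ACK FIN URGP=0
[44165034.500000] Dropped default (OUTPUT): IN= OUT=eth0 SRC=192.0.2.10 DST=203.0.113.9 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=41809 DF PROTO=TCP SPT=40112 DPT=80 WINDOW=5840 RES=0x00 SYN URGP=0
"""

def parse_log_line(line):
    """Split an iptables LOG line into KEY=value fields plus the set of TCP flags."""
    fields, flags = {}, set()
    for token in line.split():
        if "=" in token:
            key, _, value = token.partition("=")
            fields[key] = value
        elif token in TCP_FLAGS:
            flags.add(token)
    fields["FLAGS"] = flags
    return fields

def classify(fields, proxy_port=PROXY_PORT, local_nets=LOCAL_CLIENT_NETS):
    """Label one dropped OUTPUT packet using the two arguments made in the thread."""
    if fields.get("PROTO") != "TCP":
        return "non-tcp"
    flags = fields["FLAGS"]
    peer = ipaddress.ip_address(fields["DST"])
    peer_is_local = any(peer in net for net in local_nets)
    if "SYN" in flags and "ACK" not in flags:
        # A bare SYN is squid really opening a connection outward (to an origin server).
        return "new-outbound"
    if int(fields["SPT"]) == proxy_port and "SYN" not in flags:
        # Source port 3128 is the proxy listener answering a client that connected
        # to it; ACK/FIN without SYN is the tail of a session whose conntrack entry
        # has expired. A non-local peer means an outside host used the proxy, so
        # the http_access rules deserve a review.
        return "expired-client-session" if peer_is_local else "expired-session-nonlocal-client"
    return "other"

def triage(log_text):
    """Classify every LOG line in the text; returns one label per packet line."""
    return [classify(parse_log_line(l)) for l in log_text.splitlines() if "PROTO=" in l]
```

Counting how many labels come back as expired-session-nonlocal-client is the quick way to tell an expired-conntrack nuisance from a proxy that is answering the whole Internet.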