watchguard packets dropped

I'm new to firewalling anything beyond the basics, and I have our Watchguard up and running and have moved one of our web sites behind it, so we're starting to see some traffic through it. I'm a tiny bit concerned that people with legitimate connections might be getting blocked because of some of the rules in the firewall.

For example, this first IP (24.38.17.25) seems to be a Comcast user trying to bring up a web site. Can someone give a brief insight into the reasons the firewall is blocking these connections?

"TCP RST packet without an associated connection" "TCP SYN checking: connection not established yet [-A---F];"

2007-11-19 21:02:56 Deny 24.38.17.25 xxx.xxx.xxx.xxx http/tcp 52480 80 0-External unknown TCP RST packet without an associated connection, firewall drop 40 241 (internal policy) tcpinfo="offset 5 R 1327508525 win 0"

2007-11-19 21:03:17 Deny 24.38.17.25 xxx.xxx.xxx.xxx http/tcp 52488 80 0-External 1-Trusted TCP SYN checking: connection not established yet [-A---F], firewall drop 52 49 (internal policy) tcpinfo="offset 8 FA 942952889 win 65535"

I'm also seeing some of these "Unhandled External Packet-00" connections being denied.

2007-11-19 21:14:04 Deny 67.15.135.144 xxx.xxx.xxx.xxx 54122/tcp 80 54122 0-External 1-Trusted denied 44 48 (Unhandled External Packet-00) tcpinfo="offset 6 SA 363997396 win 5840"

Thank you,

steve.logan
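As an added example (not code from this thread or from WatchGuard), here is a small Python parser for the three log lines quoted above. It pulls the TCP flags out of the tcpinfo field and classifies each drop, which shows that none of the quoted lines is a fresh SYN from a client, so none of them represents a visitor being turned away; the field layout is assumed from these lines only.

```python
import re
from dataclasses import dataclass

# Constructed sample: the three lines quoted in the question, destination masked as posted.
SAMPLE_LOG = """\
2007-11-19 21:02:56 Deny 24.38.17.25 xxx.xxx.xxx.xxx http/tcp 52480 80 0-External unknown TCP RST packet without an associated connection, firewall drop 40 241 (internal policy) tcpinfo="offset 5 R 1327508525 win 0"
2007-11-19 21:03:17 Deny 24.38.17.25 xxx.xxx.xxx.xxx http/tcp 52488 80 0-External 1-Trusted TCP SYN checking: connection not established yet [-A---F], firewall drop 52 49 (internal policy) tcpinfo="offset 8 FA 942952889 win 65535"
2007-11-19 21:14:04 Deny 67.15.135.144 xxx.xxx.xxx.xxx 54122/tcp 80 54122 0-External 1-Trusted denied 44 48 (Unhandled External Packet-00) tcpinfo="offset 6 SA 363997396 win 5840"
"""

# Assumed layout: timestamp, action, src, dst, service, src port, dst port,
# inbound interface, outbound interface, free-text reason, then tcpinfo with the flag letters.
LINE_RE = re.compile(
    r'^(?P<ts>\S+ \S+) (?P<action>\S+) (?P<src>\S+) (?P<dst>\S+) (?P<svc>\S+) '
    r'(?P<sport>\d+) (?P<dport>\d+) (?P<in_if>\S+) (?P<out_if>\S+) (?P<reason>.*?) '
    r'tcpinfo="offset \d+ (?P<flags>[SAFRPU]+) \d+ win \d+"$'
)

@dataclass
class Drop:
    ts: str
    src: str
    sport: int
    dport: int
    reason: str
    flags: str
    category: str

def categorize(flags: str) -> str:
    """Why a stateful firewall drops a segment with these flags and no state-table entry."""
    f = set(flags)
    if "R" in f:
        return "rst_without_state"       # stale or spoofed reset; no real session is lost
    if {"S", "A"} <= f:
        return "unsolicited_synack"      # reply to a SYN we never sent (spoofed-source probe)
    if "S" in f:
        return "new_syn"                 # a genuine connection attempt: check the policy for it
    return "midstream_without_state"     # FIN/ACK etc. for a flow the firewall never tracked

def parse_log(text: str) -> list[Drop]:
    drops = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:                        # unknown layout: skip rather than guess
            continue
        g = m.groupdict()
        drops.append(Drop(g["ts"], g["src"], int(g["sport"]), int(g["dport"]),
                          g["reason"], g["flags"], categorize(g["flags"])))
    return drops

def per_source(drops: list[Drop]) -> dict:
    """Count categories per source IP so a client repeatedly dropped on SYN stands out."""
    out: dict = {}
    for d in drops:
        out.setdefault(d.src, {})
        out[d.src][d.category] = out[d.src].get(d.category, 0) + 1
    return out

if __name__ == "__main__":
    for d in parse_log(SAMPLE_LOG):
        print(d.ts, d.src, f"{d.sport}->{d.dport}", d.flags, d.category)
```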

First, without knowing what rules you created there is little way to be sure what you have blocking for what reason.

Normally, the inbound connections only get blocked for a couple reasons:

1) No rule permitting inbound access
2) Malformed packets
3) Attack detected, IP blocked for 20 minutes automatically
4) Source IP part of hard block list

I've got a LOT of WatchGuard firewalls in service all over the country. What model and what firmware are you using?

Leythos

What's so hard to understand about that? RST packets which are not part of an existing established connection should be dropped! Sounds like a portscan to me, or some responses to spoofed connection attempts.

goarilla
