Connections FROM port 80: friend or foe?

Hi everyone!

Just wondering: My Mikrotik is currently blocking certain TCP connections coming from port 80:

Oct  4 11:10:45 mikrotik Firewall-Log: input->DROP, in:WAN, out:(local), src-mac 00:02:17:83:78:20, prot TCP (ACK,PSH), [THEM]:80->[ME]:53313, len 823
Oct  4 11:10:47 mikrotik Firewall-Log: input->DROP, in:WAN, out:(local), src-mac 00:02:17:83:78:20, prot TCP (ACK,PSH), [THEM]:80->[ME]:53313, len 823
Oct  4 11:10:52 mikrotik Firewall-Log: input->DROP, in:WAN, out:(local), src-mac 00:02:17:83:78:20, prot TCP (ACK,PSH), [THEM]:80->[ME]:53313, len 823
Oct  4 11:11:03 mikrotik Firewall-Log: input->DROP, in:WAN, out:(local), src-mac 00:02:17:83:78:20, prot TCP (ACK,PSH), [THEM]:80->[ME]:53313, len 823
Oct  4 11:11:22 mikrotik Firewall-Log: input->DROP, in:WAN, out:(local), src-mac 00:02:17:83:78:20, prot TCP (ACK,PSH), [THEM]:80->[ME]:53313, len 823
Oct  4 11:12:03 mikrotik Firewall-Log: input->DROP, in:WAN, out:(local), src-mac 00:02:17:83:78:20, prot TCP (ACK,PSH), [THEM]:80->[ME]:53313, len 823

[THEM] is a website I was visiting. Should I open up for connects like these? What are the advantages/disadvantages of doing so?

I believe these are usually late returning packets whose connection time limit has expired.

For example: you connect to website-A, a session is established that lets return packets through the firewall. You close your browser or move on to another site… eventually the connection expires and return packets from website-A are no longer accepted - hence the late packets getting rejected and logged.

I would not recommend making any changes to your firewall rules. This behavior is considered “typical”.

-r
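
An added example, not part of the original thread or either poster's words: a Python check that groups the dropped packets from the log above by flow, flags and length, and tests whether the gaps between repeats keep growing, which is the pattern TCP retransmission backoff produces when one segment is resent to a connection the firewall has already expired. The regex is inferred from the six log lines in the post; the labels and the `min_repeats` threshold are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample: the six log lines from the post, rebuilt from one template.
# [THEM] and [ME] are the poster's own placeholders for the two IP addresses.
TEMPLATE = ("Oct  4 {t} mikrotik Firewall-Log: input->DROP, in:WAN, out:(local), "
            "src-mac 00:02:17:83:78:20, prot TCP (ACK,PSH), [THEM]:80->[ME]:53313, len 823")
SAMPLE = [TEMPLATE.format(t=t) for t in
          ("11:10:45", "11:10:47", "11:10:52", "11:11:03", "11:11:22", "11:12:03")]

# Field layout inferred from the lines above (assumption, not a documented format).
LINE = re.compile(
    r"(?P<ts>\d\d:\d\d:\d\d) .*?prot TCP \((?P<flags>[^)]*)\), "
    r"(?P<src>\S+):(?P<sport>\d+)->(?P<dst>\S+):(?P<dport>\d+), len (?P<len>\d+)")

def classify(lines, min_repeats=3):
    """Group drops by flow, flags and length; label each group by its timing."""
    groups = defaultdict(list)
    for line in lines:
        m = LINE.search(line)
        if m:
            key = (m["src"], m["sport"], m["dst"], m["dport"], m["flags"], m["len"])
            groups[key].append(datetime.strptime(m["ts"], "%H:%M:%S"))
    verdicts = {}
    for key, stamps in groups.items():
        # Seconds between consecutive copies (same-day logs assumed).
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        flags = set(key[4].split(","))
        backoff = (len(stamps) >= min_repeats
                   and all(later > earlier for earlier, later in zip(gaps, gaps[1:])))
        if "SYN" in flags and "ACK" not in flags:
            label = "new inbound connection attempt"
        elif backoff:
            label = "likely retransmission of one segment on an untracked flow"
        else:
            label = "unclassified"
        verdicts[key] = (label, gaps)
    return verdicts

if __name__ == "__main__":
    for key, (label, gaps) in classify(SAMPLE).items():
        print(key, label, gaps)
```

On the posted lines the gaps come out as 2, 5, 11, 19 and 41 seconds with identical flags and length, so the six entries are one segment being retried rather than six separate events.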