Firewall TCP SYN Issue

I keep getting this type of drop through my firewall. Can someone explain to me why this might be happening, how to get rid of them, or a better filter policy?

Thanks in advance,

10:02:05 firewall,info DROP INPUT input: in:Qwest-DSL out:(none), proto TCP (SYN), 218.3.204.139:51241->216.161.26.122:5900, len 40
10:02:05 firewall,info DROP INPUT input: in:Qwest-DSL out:(none), proto TCP (SYN), 218.3.204.139:51291->216.161.26.122:5900, len 40
10:02:06 firewall,info DROP INPUT input: in:Qwest-DSL out:(none), proto TCP (SYN), 218.3.204.139:51312->216.161.26.122:5900, len 40
10:02:06 firewall,info DROP INPUT input: in:Qwest-DSL out:(none), proto TCP (SYN), 218.3.204.139:51323->216.161.26.122:5900, len 40
10:02:07 firewall,info DROP INPUT input: in:Qwest-DSL out:(none), proto TCP (SYN), 218.3.204.139:51337->216.161.26.122:5900, len 40
10:02:07 firewall,info DROP INPUT input: in:Qwest-DSL out:(none), proto TCP (SYN), 218.3.204.139:51353->216.161.26.122:5900, len 40
10:02:07 firewall,info DROP INPUT input: in:Qwest-DSL out:(none), proto TCP (SYN), 218.3.204.139:51367->216.161.26.122:5900, len 40
10:02:08 firewall,info DROP INPUT input: in:Qwest-DSL out:(none), proto TCP (SYN), 218.3.204.139:51788->216.161.26.122:5900, len 40
10:02:08 firewall,info DROP INPUT input: in:Qwest-DSL out:(none), proto TCP (SYN), 218.3.204.139:52605->216.161.26.122:5900, len 40
10:02:09 firewall,info DROP INPUT input: in:Qwest-DSL out:(none), proto TCP (SYN), 218.3.204.139:52616->216.161.26.122:5900, len 40
10:06:12 firewall,info DROP INPUT input: in:Qwest-DSL out:(none), proto TCP (SYN), 211.147.247.234:6000->216.161.26.122:135, len 20
10:15:42 firewall,info DROP INPUT input: in:Qwest-DSL out:(none), proto TCP (SYN), 216.155.128.173:3903->216.161.26.122:135, len 28
10:15:42 firewall,info DROP INPUT input: in:Qwest-DSL out:(none), proto TCP (SYN), 216.155.128.173:3903->216.161.26.122:135, len 28
10:15:43 firewall,info DROP INPUT input: in:Qwest-DSL out:(none), proto TCP (SYN), 216.155.128.173:3903->216.161.26.122:135, len 28


-tp

Could be lots of things. Did you disable connection tracking in the firewall? Assuming you are NAT’ing, you need connection tracking enabled. Did a host inside the firewall initiate a connection to the host from which the packets are coming? If so, maybe the outside host is responding to a request to start a TCP connection.

When a packet arrives at an interface with a destination IP matching an address on the router, then the system will look in the connection table to see if the packet is a reply to a NAT’ed connection initiated through a forward of a packet which hit on a NAT rule previously. If there is a matching connection, then the packet goes through the Forward chain, the NAT fix-ups are done, or undone if you like, and the packet is sent back out an interface. If there is no matching connection, then the router has to assume the packet is destined for a process on the router itself and the packet is passed through the Input chain.

It is common to see all sorts of hosts on the Internet sending packets to your public IP which will go nowhere. For example, you will see port 135 and port 445 as viruses try to propagate themselves. You will see left-over BitTorrent traffic coming in to your public IP. You will see port 22 traffic from script kiddies trying to guess your SSH password.
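Added example, not code from the original post or the reply: a small Python parser for the drop lines quoted in the question that groups dropped SYNs by source and destination port and flags bursts, so a repeated hit on one port (the 5900 run) stands out from the one-off port 135 probes the reply describes as background noise. The field names, burst threshold and window are my own choices; the sample input is an excerpt of the posted lines plus one constructed unrelated line.

```python
import re
from collections import defaultdict

# Field layout of the "firewall,info DROP INPUT" lines quoted in the post.
LINE_RE = re.compile(
    r"^(?P<time>\d\d:\d\d:\d\d) firewall,info (?P<action>\w+) (?P<chain>\w+) "
    r"input: in:(?P<iface>\S+) out:\((?P<out>[^)]*)\), "
    r"proto (?P<proto>\w+) \((?P<flags>[^)]*)\), "
    r"(?P<src>[\d.]+):(?P<sport>\d+)->(?P<dst>[\d.]+):(?P<dport>\d+), len (?P<len>\d+)$"
)

def parse_line(line):
    """Parse one log line into a dict, or return None if it does not match the format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    for k in ("sport", "dport", "len"):
        rec[k] = int(rec[k])
    h, mi, s = (int(x) for x in rec["time"].split(":"))
    rec["secs"] = h * 3600 + mi * 60 + s  # seconds since midnight, used for windowing
    return rec

def summarize(lines, threshold=5, window=10):
    """Count dropped SYNs per (src, dport); flag a burst when `threshold` hits fall in `window` s."""
    hits = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec and rec["action"] == "DROP" and rec["proto"] == "TCP" and "SYN" in rec["flags"]:
            hits[(rec["src"], rec["dport"])].append(rec["secs"])
    report = {}
    for key, times in hits.items():
        times.sort()
        # Sliding window over sorted timestamps: any `threshold` consecutive hits within `window`.
        burst = any(times[i + threshold - 1] - times[i] <= window
                    for i in range(len(times) - threshold + 1))
        report[key] = {"count": len(times), "burst": burst}
    return report

# Constructed sample: a short excerpt in the post's format plus one unrelated line.
SAMPLE = """\
10:02:05 firewall,info DROP INPUT input: in:Qwest-DSL out:(none), proto TCP (SYN), 218.3.204.139:51241->216.161.26.122:5900, len 40
10:02:05 firewall,info DROP INPUT input: in:Qwest-DSL out:(none), proto TCP (SYN), 218.3.204.139:51291->216.161.26.122:5900, len 40
10:02:06 firewall,info DROP INPUT input: in:Qwest-DSL out:(none), proto TCP (SYN), 218.3.204.139:51312->216.161.26.122:5900, len 40
10:02:07 firewall,info DROP INPUT input: in:Qwest-DSL out:(none), proto TCP (SYN), 218.3.204.139:51337->216.161.26.122:5900, len 40
10:02:08 firewall,info DROP INPUT input: in:Qwest-DSL out:(none), proto TCP (SYN), 218.3.204.139:51788->216.161.26.122:5900, len 40
10:06:12 firewall,info DROP INPUT input: in:Qwest-DSL out:(none), proto TCP (SYN), 211.147.247.234:6000->216.161.26.122:135, len 20
10:15:42 system,info router rebooted
""".splitlines()
```

Calling `summarize(SAMPLE)` returns one entry per (source, destination port) pair; only the 5900 source is marked as a burst.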