I believe Kenneth is correct. This log message is your iptables notifying you that hosts with NAT sessions it believes to be finished, timed-out, or non-existent are trying to re-use a previous session rather than establishing a new session.

The log entry you have given, however, shows that your DMZ server is trying to re-open old sessions backward through the NAT to your workstation. The information you have given implies that you establish sessions from your workstation outbound to the DMZ server. Therefore it is your workstation that is responsible for maintaining any open sessions.

The question you should be asking is: what, if any, service running on your DMZ server would require it to attempt connecting to your workstation? The answer should be: nothing. That would be insecure and possibly dangerous. I would start looking very carefully at the DMZ server to determine if it has been compromised. See if one of the CISSPs here on the list could give you a hand with the forensics.

On 9/25/06, Kenneth wrote:
> > Sep 25 18:46:55 helen kernel: IN=eth0 OUT=
> > MAC=00:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:00 SRC=192.168.21.11
> > DST=192.168.20.31 LEN=308 TOS=0x10 PREC=0x00 TTL=63 ID=40237 DF PROTO=TCP
> > SPT=22 DPT=57702 WINDOW=2160 RES=0x00 ACK PSH URGP=0
>
> I see occasional messages like these. I always assumed it was from old
> connections, so the connection tracking had forgotten them. I never tried
> to track them down further.
>
> ---------------------------------------------------
> PLUG-discuss mailing list - PLUG-discuss@lists.plug.phoenix.az.us
> To subscribe, unsubscribe, or to change your mail settings:
> http://lists.PLUG.phoenix.az.us/mailman/listinfo/plug-discuss
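As an added triage helper (not code from the thread), the script below parses an iptables LOG line like the one Kenneth quoted and reports whether the packet carries a bare SYN (a genuine new connection attempt from the DMZ host, which would warrant the investigation suggested above) or is a SYN-less ACK/PSH from a privileged server port to an ephemeral port, which is what a late packet of a forgotten, workstation-initiated SSH session looks like once conntrack has dropped the state. The sample log lines are constructed from the quoted entry; the verdict strings are my own labels.

```python
import re

# Constructed sample lines, modelled on the entry quoted in the thread.
SAMPLE_STALE = ("Sep 25 18:46:55 helen kernel: IN=eth0 OUT= "
                "MAC=00:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:00 SRC=192.168.21.11 "
                "DST=192.168.20.31 LEN=308 TOS=0x10 PREC=0x00 TTL=63 ID=40237 DF "
                "PROTO=TCP SPT=22 DPT=57702 WINDOW=2160 RES=0x00 ACK PSH URGP=0")
# Constructed: same hosts, but a bare SYN from the DMZ server to port 445.
SAMPLE_SYN = ("Sep 25 18:47:10 helen kernel: IN=eth0 OUT= "
              "MAC=00:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:00 SRC=192.168.21.11 "
              "DST=192.168.20.31 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=1 DF "
              "PROTO=TCP SPT=40001 DPT=445 WINDOW=5840 RES=0x00 SYN URGP=0")

TCP_FLAGS = {"SYN", "ACK", "PSH", "FIN", "RST", "URG"}

def parse_iptables_log(line):
    """Split an iptables LOG line into KEY=VALUE fields plus a set of TCP flags."""
    fields, flags = {}, set()
    kernel_part = line.split("kernel: ", 1)[-1]   # drop syslog timestamp/host
    for tok in kernel_part.split():
        if "=" in tok:
            key, val = tok.split("=", 1)
            fields[key] = val                     # e.g. SRC, DST, SPT, DPT, PROTO
        elif tok in TCP_FLAGS:
            flags.add(tok)                        # bare flag words: ACK PSH SYN ...
        elif tok == "DF":
            fields["DF"] = True                   # don't-fragment bit, no value
    fields["FLAGS"] = flags
    return fields

def classify(fields):
    """Say what kind of TCP packet conntrack logged as INVALID/unexpected."""
    if fields.get("PROTO") != "TCP":
        return "non-tcp"
    flags = fields["FLAGS"]
    spt, dpt = int(fields["SPT"]), int(fields["DPT"])
    if "SYN" in flags and "ACK" not in flags:
        return "new-connection-attempt"           # DMZ host really is dialling out
    if "ACK" in flags and spt < 1024 and dpt >= 1024:
        return "stale-reply-from-server-port"     # late data from a forgotten session
    return "mid-stream-no-syn"

if __name__ == "__main__":
    for line in (SAMPLE_STALE, SAMPLE_SYN):
        f = parse_iptables_log(line)
        print(f["SRC"], "->", f["DST"], sorted(f["FLAGS"]), classify(f))
```

Only the first verdict matches Kenneth's reading; a steady stream of the second kind from the DMZ host is the case the reply above tells you to investigate.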