I am running RHEL 3, with APF firewall on a dedicated server. This is a web server in a data center, so I have most things tightened up. No one is allowed to log in to the machine but me (ssh). I have users who use http, https, pops, smtp, imap.
APF is dropping outgoing packets like these, and I would like to figure out how/why/by whom they are being sent. How can I get back from these /var/log/messages entries to the process?
Code:
Mar 11 07:26:28 roseland kernel: ** OUT_TCP DROP ** IN= OUT=eth0 SRC=67.18.50.202 DST=80.116.190.98 LEN=40 TOS=0x00 PREC=0x00 TTL=64 ID=63778 DF PROTO=TCP SPT=80 DPT=2038 WINDOW=5840 RES=0x00 ACK FIN URGP=0
Mar 11 02:00:07 roseland kernel: ** OUT_UDP DROP ** IN= OUT=eth0 SRC=67.18.50.202 DST=67.18.50.201 LEN=76 TOS=0x00 PREC=0x00 TTL=64 ID=7 DF PROTO=UDP SPT=43196 DPT=123 LEN=56
Mar 11 08:40:10 roseland kernel: ** OUT_TCP DROP ** IN= OUT=eth0 SRC=67.18.50.202 DST=213.217.51.3 LEN=1500 TOS=0x00 PREC=0x00 TTL=64 ID=42317 DF PROTO=TCP SPT=80 DPT=62186 WINDOW=6432 RES=0x00 ACK URGP=0
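An added example (not the poster's code) of the lookup chain the question asks about: parse the SRC/SPT/DST/DPT fields out of the kernel DROP lines, find the matching socket row in /proc/net/tcp or /proc/net/udp to get its inode, and map that inode to a PID through the socket:[N] links under /proc/<pid>/fd. The /proc tables and fd links below are constructed test data (assumed x86 little-endian encoding of the hex addresses, and assumed PIDs 2201 and 3120); on a live host you would read /proc/net/tcp, /proc/net/udp and os.readlink over /proc/*/fd/* instead. One caveat the example handles: the UDP socket is matched with the unconnected 0.0.0.0:0 remote side as a fallback, and a packet whose connection is already torn down (such as the ACK FIN in the first line) simply yields no PID, so the match has to be made while the socket still exists.

```python
"""Map iptables/APF DROP log lines back to the owning process via /proc."""
import re
import socket
import struct

# Constructed sample: the three kernel log lines from the question.
SAMPLE_LOG = """\
Mar 11 07:26:28 roseland kernel: ** OUT_TCP DROP ** IN= OUT=eth0 SRC=67.18.50.202 DST=80.116.190.98 LEN=40 TOS=0x00 PREC=0x00 TTL=64 ID=63778 DF PROTO=TCP SPT=80 DPT=2038 WINDOW=5840 RES=0x00 ACK FIN URGP=0
Mar 11 02:00:07 roseland kernel: ** OUT_UDP DROP ** IN= OUT=eth0 SRC=67.18.50.202 DST=67.18.50.201 LEN=76 TOS=0x00 PREC=0x00 TTL=64 ID=7 DF PROTO=UDP SPT=43196 DPT=123 LEN=56
Mar 11 08:40:10 roseland kernel: ** OUT_TCP DROP ** IN= OUT=eth0 SRC=67.18.50.202 DST=213.217.51.3 LEN=1500 TOS=0x00 PREC=0x00 TTL=64 ID=42317 DF PROTO=TCP SPT=80 DPT=62186 WINDOW=6432 RES=0x00 ACK URGP=0
"""

# Constructed /proc/net/tcp and /proc/net/udp rows (hex addresses are the
# little-endian host-order form x86 kernels write; inode is the 10th column).
PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: CA321243:0050 0333D9D5:F2EA 01 00000000:00000000 00:00000000 00000000    48        0 12345
"""
PROC_NET_UDP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: CA321243:A8BC 00000000:0000 07 00000000:00000000 00:00000000 00000000     0        0 67890
"""
# Constructed (pid, readlink target) pairs as seen under /proc/<pid>/fd/*.
FD_LINKS = [(2201, "socket:[12345]"), (2201, "/var/log/httpd/access_log"),
            (3120, "socket:[67890]")]

DROP_RE = re.compile(
    r"\*\* (?P<rule>\S+) DROP \*\* .*?SRC=(?P<src>\S+) DST=(?P<dst>\S+) .*?"
    r"PROTO=(?P<proto>\w+) SPT=(?P<spt>\d+) DPT=(?P<dpt>\d+)")
SOCK_RE = re.compile(r"socket:\[(\d+)\]")


def parse_drops(log_text):
    """One dict per DROP line with rule, proto, src, spt, dst, dpt."""
    drops = []
    for line in log_text.splitlines():
        m = DROP_RE.search(line)
        if m:
            d = m.groupdict()
            d["spt"], d["dpt"] = int(d["spt"]), int(d["dpt"])
            drops.append(d)
    return drops


def decode_proc_addr(field):
    """'CA321243:0050' -> ('67.18.50.202', 80). Assumes a little-endian host."""
    hex_ip, hex_port = field.split(":")
    return socket.inet_ntoa(struct.pack("<L", int(hex_ip, 16))), int(hex_port, 16)


def socket_table(proc_net_text):
    """{(local_ip, local_port, remote_ip, remote_port): inode} from a /proc/net file."""
    table = {}
    for line in proc_net_text.splitlines()[1:]:  # skip header row
        parts = line.split()
        if len(parts) < 10:
            continue
        lip, lport = decode_proc_addr(parts[1])
        rip, rport = decode_proc_addr(parts[2])
        table[(lip, lport, rip, rport)] = parts[9]
    return table


def inode_to_pid(fd_links):
    """Invert socket:[N] fd links into {inode: pid}."""
    return {m.group(1): pid for pid, target in fd_links
            for m in [SOCK_RE.match(target)] if m}


def attribute(drops, tables, owners):
    """Pair each drop with the PID owning the matching socket, or None."""
    result = []
    for d in drops:
        table = tables.get(d["proto"], {})
        inode = table.get((d["src"], d["spt"], d["dst"], d["dpt"]))
        if inode is None:  # unconnected UDP socket: kernel shows remote 0.0.0.0:0
            inode = table.get((d["src"], d["spt"], "0.0.0.0", 0))
        result.append((d, owners.get(inode) if inode else None))
    return result


def run_sample():
    """Attribute the three sample drops against the constructed /proc data."""
    tables = {"TCP": socket_table(PROC_NET_TCP), "UDP": socket_table(PROC_NET_UDP)}
    return attribute(parse_drops(SAMPLE_LOG), tables, inode_to_pid(FD_LINKS))


if __name__ == "__main__":
    for drop, pid in run_sample():
        print("%s %s:%d -> %s:%d  pid=%s" % (drop["proto"], drop["src"], drop["spt"],
                                          drop["dst"], drop["dpt"], pid))
```

On a 2.4-era kernel such as RHEL 3 the same inode-to-PID step is what `netstat -anp` and `lsof -i` perform for you, so running either of those the moment a DROP appears is the quick manual equivalent; the script is useful when you want to correlate many log lines at once.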