The address involved is the PAT address for one subnet, so yes, it could well have been a conversation initiated by a host on our network, but when I checked the translation tables were empty. Unfortunately, the logging is so verbose (for translataions) that we don't have it enabled, so we can only tell if a conversation is active.
I've been flat out here -- but I've tried to stay on this thread ..
Are you guys sure that this isn't the server end of the ip-over-dns software (nstxd) trying to get data back to the now non-existent client?
It would have made it through your statefull kit if it was initiated from that problem address of yours (Paul), originally.
Paul Schmehl (pauls@xxxxxxxxxxxx) Adjunct Information Security Officer The University of Texas at Dallas AVIEN Founding Member http://www.utdallas.edu
_______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.netsys.com/full-disclosure-charter.html