I found this in my Apache access logs:
access.log:555.555.555.555 - - [05/May/2011:12:12:21 -0400] "GET /somedir/ HTTP/1.1" 403 291 "-" "Mozilla/5.0 (X11; Linux x86_64; rv:5.0) Gecko/20100101 Firefox/5.0"
access.log:555.555.555.555 - - [05/May/2011:12:12:29 -0400] "GET /somedir/ HTTP/1.1" 200 7629 "-" "Mozilla/5.0 (X11; Linux x86_64; rv:5.0) Gecko/20100101 Firefox/5.0"
So /somedir/ has a .htaccess file which looks like:
Order Deny,Allow
Deny from all
Allow from 333.333.333.333
Allow from 444.444.444.444
.htaccess was not modified within that timeframe (8 seconds between 12:12:21 and 12:12:29).
Any ideas how this is possible, to hit 403 Forbidden and then 8 seconds later 200 OK? I'm puzzled.
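A way to scan a log for exactly this pattern (the same client refused with 403 and then served 200 on the same path within a short window), as an added Python example that is not part of the original question or answer; the sample lines are constructed to mirror the quoted entries and the addresses are placeholders.

```python
import re
from datetime import datetime

# Apache "combined" log format, optionally prefixed with "file:" as grep prints it.
LOG_RE = re.compile(
    r'^(?:[\w./-]+:)?(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) \S+'
)

def parse_line(line):
    """Return (ip, timestamp, path, status) for one log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group('ts'), '%d/%b/%Y:%H:%M:%S %z')
    return m.group('ip'), ts, m.group('path'), int(m.group('status'))

def find_flips(lines, window_seconds=60):
    """Report every (ip, path) that was refused with 403 and then served with 200
    within window_seconds. Returns a list of (ip, path, t403, t200, gap_seconds)."""
    last_403 = {}  # (ip, path) -> time of the most recent 403 for that pair
    flips = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        ip, ts, path, status = rec
        key = (ip, path)
        if status == 403:
            last_403[key] = ts
        elif status == 200 and key in last_403:
            t403 = last_403.pop(key)
            gap = (ts - t403).total_seconds()
            if 0 <= gap <= window_seconds:
                flips.append((ip, path, t403, ts, gap))
    return flips

# Constructed sample lines mirroring the question (addresses are placeholders).
SAMPLE_LOG = [
    'access.log:555.555.555.555 - - [05/May/2011:12:12:21 -0400] "GET /somedir/ HTTP/1.1" 403 291 "-" "Mozilla/5.0"',
    'access.log:555.555.555.555 - - [05/May/2011:12:12:29 -0400] "GET /somedir/ HTTP/1.1" 200 7629 "-" "Mozilla/5.0"',
    '333.333.333.333 - - [05/May/2011:12:13:02 -0400] "GET /somedir/ HTTP/1.1" 200 7629 "-" "curl/7.21"',
    '555.555.555.555 - - [05/May/2011:12:20:00 -0400] "GET /other/ HTTP/1.1" 403 291 "-" "Mozilla/5.0"',
]

if __name__ == '__main__':
    for ip, path, t403, t200, gap in find_flips(SAMPLE_LOG):
        print(f'{ip} {path}: 403 at {t403:%H:%M:%S}, 200 at {t200:%H:%M:%S} ({gap:.0f}s later)')
```

Run it against the real file with `find_flips(open('access.log'))` to list every such flip; a hit with no matching change to the .htaccess or the server configuration in that window is worth correlating with the error log.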
I believe that .htaccess is only checked at TCP session initiation, and with clever manipulation at the packet level it may still be possible to manipulate the frames so that the first frames have a fake IP only while the session is being set up, and the real session then has the real IP which you were trying to block.
This is why we have stateful firewalls -- htaccess is not a replacement for a firewall.
Either that, or your .htaccess is not checked at all -- have you tested that it works? :-)