Hmmm...this is interesting.  Steve happens to be running my 
firewall scripts (with his help, we got the DHCP sections 
debugged, but this has nothing to do with his current problem).  
I'm running the same scripts (with the exception of any local 
rules peculiar to our sites).  I do, but only very rarely, see 
the types of log messages he's given examples of (source port 
21, 80, 53; high-order dest. port).  Scott's explanation does 
indeed appear plausible, however.  I'm running all of the 
Netfilter modules hard-compiled into my kernels and have been 
using the iptables RPMs rather than source.  This has got me 
scratching my head also.  Any advice appreciated here...if the 
only fix is to alter the timeouts in the source code, I guess 
there isn't much I need to do with the scripts.

TIA  --  Bob   


On Sun, 3 Mar 2002 [EMAIL PROTECTED] wrote:

> On Sun, Mar 03, 2002 at 10:22:55PM -0500, Steven W. Orr wrote:
> > I'm getting some firewall messages here and I'm suspecting that they're 
> > not attacks; that they are some fault in the firewall.
> > 
> > Mar  2 21:07:29 saturn kernel: TCP drop IN=eth0 OUT= 
> > MAC=00:e0:81:05:43:80:00:30:19:31:73:a8:08:00 SRC=66.120.90.134 
> > DST=146.115.228.77 LEN=40 TOS=0x00 PREC=0x00 TTL=243 ID=0 DF PROTO=TCP 
> > SPT=80 DPT=35854 WINDOW=0 RES=0x00 RST URGP=0 
> 
> You're correct, they're probably not attacks. The problem is that the 
> conntrack expires before both ends agree that the connection is closed.
> 
> Unfortunately, it's at your end. You could try to correct it by extending 
> the TCP conntrack timeouts in the source and recompiling, but the tradeoff 
> is that you'll have more connections consuming memory for longer, 
> especially if the remote host up and dies.
> 
> You could also put in a few rules to ignore the RST packets and reset the 
> other wayward packets. This would certainly be more friendly to the remote 
> hosts that are waiting for a reply. (Out of curiosity, is the 
> --reject-with tcp-reset rate-limited?)

-- 
________________________________________
Bob Sully - Simi Valley, California, USA
http://www.malibyte.net

"The weather is here - wish you were beautiful." - J. Buffett
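The heuristic Scott gives above (a packet from a well-known service port to a high ephemeral port, carrying RST or FIN but no SYN, is the far end tearing down a flow that conntrack has already forgotten) can be checked against the log lines directly. The following is an added example, not code from this thread or from Bob's scripts: a small parser and classifier for the iptables LOG format Steven posted. The sample lines beyond the quoted one, the set of service ports and the category names are my own assumptions.

```python
import re
from collections import Counter

# Constructed sample lines in the iptables LOG format shown in the thread.
# The first line is the one quoted in the message; the others are made up
# with documentation addresses (192.0.2.0/24, 198.51.100.0/24).
SAMPLE_LOG = """\
Mar  2 21:07:29 saturn kernel: TCP drop IN=eth0 OUT= MAC=00:e0:81:05:43:80:00:30:19:31:73:a8:08:00 SRC=66.120.90.134 DST=146.115.228.77 LEN=40 TOS=0x00 PREC=0x00 TTL=243 ID=0 DF PROTO=TCP SPT=80 DPT=35854 WINDOW=0 RES=0x00 RST URGP=0
Mar  2 21:09:01 saturn kernel: TCP drop IN=eth0 OUT= MAC=00:e0:81:05:43:80:00:30:19:31:73:a8:08:00 SRC=192.0.2.10 DST=146.115.228.77 LEN=40 TOS=0x00 PREC=0x00 TTL=51 ID=0 DF PROTO=TCP SPT=53 DPT=33001 WINDOW=0 RES=0x00 ACK FIN URGP=0
Mar  2 21:10:15 saturn kernel: TCP drop IN=eth0 OUT= MAC=00:e0:81:05:43:80:00:30:19:31:73:a8:08:00 SRC=198.51.100.7 DST=146.115.228.77 LEN=60 TOS=0x00 PREC=0x00 TTL=48 ID=12345 DF PROTO=TCP SPT=4444 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0
Mar  2 21:11:40 saturn kernel: TCP drop IN=eth0 OUT= MAC=00:e0:81:05:43:80:00:30:19:31:73:a8:08:00 SRC=192.0.2.44 DST=146.115.228.77 LEN=52 TOS=0x00 PREC=0x00 TTL=55 ID=777 DF PROTO=TCP SPT=443 DPT=40210 WINDOW=16384 RES=0x00 ACK URGP=0
"""

FIELD_RE = re.compile(r"(\w+)=(\S*)")
TCP_FLAGS = {"SYN", "ACK", "FIN", "RST", "PSH", "URG"}
# The service ports the thread mentions plus a few common ones (assumption).
SERVICE_PORTS = {21, 22, 25, 53, 80, 110, 143, 443}

def parse_log_line(line):
    """Split an iptables LOG line into its KEY=VALUE fields plus a set of TCP flags."""
    entry = dict(FIELD_RE.findall(line))
    entry["flags"] = {tok for tok in line.split() if tok in TCP_FLAGS}
    return entry

def classify(entry):
    """Apply the thread's heuristic: service source port, high destination port,
    RST or FIN and no SYN means a late teardown of a flow conntrack already expired."""
    if entry.get("PROTO") != "TCP":
        return "non-tcp"
    flags = entry["flags"]
    if "SYN" in flags:
        return "connection-attempt"        # genuinely new traffic: keep logging it
    spt, dpt = int(entry["SPT"]), int(entry["DPT"])
    if spt in SERVICE_PORTS and dpt >= 1024 and flags & {"RST", "FIN"}:
        return "late-teardown"             # candidate for a silent DROP rule
    return "other-wayward"                 # candidate for a rate-limited tcp-reset REJECT

def summarize(log_text):
    """Count each class of dropped packet across a block of log text."""
    return Counter(classify(parse_log_line(l))
                   for l in log_text.splitlines() if "PROTO=" in l)

if __name__ == "__main__":
    for kind, count in summarize(SAMPLE_LOG).items():
        print(f"{kind:20s} {count}")
```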
