On Thu, Mar 14, 2002 at 04:13:54PM -0300, Bruno Negrão wrote:
> the fact is that these rules are dropping a lot of ACK FIN URGP packets,
> as the log line below:
>
> Mar 13 18:37:06 skylane kernel: INPUT:New not syn:IN=eth0 OUT=
> MAC=00:02:55:c0:fd:f1:08:00:02:0b:af:90:08:00 SRC=66.1.93.212
> DST=200.19X.XX.X LEN=40 TOS=0x00 PREC=0x00 TTL=43 ID=40237 DF PROTO=TCP
> SPT=6346 DPT=1436 WINDOW=16060 RES=0x00 ACK FIN URGP=0
>
> My question is: can a packet like this be insecure? Doesn't it function
> just to finish a connection, instead of starting an insecure connection?
Correct, these are not unusual packets.

> And why are these packets not being recognized as ESTABLISHED, RELATED
> packets?

The conntrack for the connection timed out since the reply from the remote host took too long to arrive. Anything that generates a new conntrack (as this would, since there's no existing conntrack) is in state NEW.

One solution is to change the TCP state timeouts in the kernel source and recompile. This has been detailed previously on the list; check the archives. However, I'm told that a patch will be released in the near future to more accurately determine appropriate values for the timeouts. You may wish to wait until this work is done rather than mess around with the values yourself.

-- 
Scottie Shore <[EMAIL PROTECTED]>
"Experience is that marvelous thing that enables you to recognize a mistake when you make it again." -- F. P. Jones
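The reasoning in the reply can be checked mechanically: parse the kernel LOG line, look at the TCP flags to see what the segment is able to do on its own, and model why an expired conntrack entry makes the next packet of that flow NEW. The following is an added example and is not code from the thread or from netfilter; the sample log line is constructed from the one quoted above (spacing joined), the conntrack table and the 120-second timeout are illustrative assumptions rather than kernel defaults, and the function and class names are chosen here.

```python
"""Parse an iptables/netfilter LOG line and explain why an ACK/FIN segment
whose conntrack entry has expired is classified as NEW.  Added example; the
sample line is constructed from the thread, the timeout is an assumption."""
import re
from dataclasses import dataclass

TCP_FLAGS = {"SYN", "ACK", "FIN", "RST", "PSH", "URG"}

# Constructed sample: the log line quoted in the thread, joined onto one line.
SAMPLE_LOG = ("Mar 13 18:37:06 skylane kernel: INPUT:New not syn:IN=eth0 OUT= "
              "MAC=00:02:55:c0:fd:f1:08:00:02:0b:af:90:08:00 SRC=66.1.93.212 "
              "DST=200.19X.XX.X LEN=40 TOS=0x00 PREC=0x00 TTL=43 ID=40237 DF "
              "PROTO=TCP SPT=6346 DPT=1436 WINDOW=16060 RES=0x00 ACK FIN URGP=0")


@dataclass
class LogPacket:
    prefix: str     # the --log-prefix text, here "INPUT:New not syn:"
    fields: dict    # KEY=VALUE pairs such as SRC, DST, SPT, DPT, PROTO
    flags: set      # bare tokens such as DF, SYN, ACK, FIN


def parse_netfilter_log(line: str) -> LogPacket:
    """Split a kernel LOG line into --log-prefix, KEY=VALUE fields and bare flags."""
    m = re.search(r"kernel:\s*(?P<prefix>.*?)(?P<body>\bIN=.*)$", line)
    if not m:
        raise ValueError("not a netfilter LOG line")
    fields, flags = {}, set()
    for tok in m.group("body").split():
        if "=" in tok:
            key, _, val = tok.partition("=")   # "OUT=" yields an empty value
            fields[key] = val
        else:
            flags.add(tok)                     # DF, ACK, FIN, ...
    return LogPacket(m.group("prefix").strip(), fields, flags)


def classify_tcp(pkt: LogPacket) -> str:
    """What a TCP segment with these flags can do on its own."""
    if pkt.fields.get("PROTO") != "TCP":
        return "not-tcp"
    f = pkt.flags & TCP_FLAGS
    if f == {"SYN"}:
        return "connection-open"   # a bare SYN is the only segment that starts a connection
    if {"SYN", "ACK"} <= f:
        return "open-reply"
    if "RST" in f:
        return "reset"
    if "FIN" in f:
        return "teardown"          # ACK FIN: one side is finishing an existing connection
    return "mid-stream"


def conntrack_state(table: dict, pkt: LogPacket, now: float, timeout: float) -> str:
    """Toy conntrack lookup (assumption: one flat timeout for every entry).
    A flow whose entry expired looks exactly like a flow that never existed,
    so its next packet is NEW, as the reply explains."""
    key = (pkt.fields["SRC"], pkt.fields["SPT"], pkt.fields["DST"], pkt.fields["DPT"])
    reverse = (key[2], key[3], key[0], key[1])   # entries match either direction
    for k in (key, reverse):
        last_seen = table.get(k)
        if last_seen is not None and now - last_seen <= timeout:
            return "ESTABLISHED"
    return "NEW"


def explain(line: str, table: dict, now: float, timeout: float) -> dict:
    """Combine the two views: what the segment is, and how conntrack sees it."""
    pkt = parse_netfilter_log(line)
    kind = classify_tcp(pkt)
    return {
        "prefix": pkt.prefix,
        "kind": kind,
        "state": conntrack_state(table, pkt, now, timeout),
        # A non-SYN segment cannot open a connection; dropping it costs at most
        # the stale flow it belongs to, so the "New not syn" drop is a nuisance
        # for that flow rather than a blocked intrusion attempt.
        "opens_connection": kind == "connection-open",
    }


if __name__ == "__main__":
    # Assumed history: the reverse direction of the logged flow was last seen
    # at t=0 and the log line arrives at t=600 s with a 120 s timeout, so the
    # entry has already expired and the ACK/FIN is classified NEW.
    history = {("200.19X.XX.X", "1436", "66.1.93.212", "6346"): 0.0}
    print(explain(SAMPLE_LOG, history, now=600.0, timeout=120.0))
```

Running the script prints `kind: teardown`, `state: NEW` and `opens_connection: False` for the quoted line; lowering `now` to within the timeout flips the state to ESTABLISHED without changing the classification of the segment itself, which is the point of the reply: the packet is harmless, and only the bookkeeping around it has lapsed.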
