On Wed, 5 Jun 2002, Nick Drage wrote:

> > It's 1 month that I'm having troubles with the conntrack. I have a
> > lot of packets like 'new not syn' (you know what I'm talking about..)
> > with some combos of flags on them:
> >
> > ACK FIN
> > ACK PSH FIN
> > ACK RST
> > ACK only
>
> Hi. Sorry, I don't have much to add, except to reassure you that I've seen
> similar in my logs. I hope you will keep the mailing list informed on any
> progress you make, I hope I can add to your research at some point.
>

Since day one, Shorewall has included the following rule:

  457 67312 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0          tcp flags:0x10/0x10

As you can see, I get a fair number of packets with the ACK flag that aren't
picked up by an earlier ESTABLISHED,RELATED rule. After experimenting with
various strategies (DROP, REJECT --reject-with tcp-reset), I settled on
ACCEPT as it seemed to have the fewest side effects.

-Tom
--
Tom Eastep      \ Shorewall - iptables made easy
AIM: tmeastep   \ http://www.shorewall.net
ICQ: #60745924  \ [EMAIL PROTECTED]
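The following is an added example, not code from the thread or from Shorewall. It models the iptables TCP flag match as printed in the counter line above ("tcp flags:mask/comp", here 0x10/0x10, i.e. "ACK set") and the "--syn" test that conntrack-style "new not syn" checks rely on, then runs both against the four flag combinations reported in the quoted message. The flag bit values are the standard TCP header bits; the combo list and the rule spec are constructed sample input. It shows why all four combinations fail the SYN test yet are caught by the ACK rule.

```python
import re

# Standard TCP header flag bits (RFC 793 / 9293).
TCP_FLAGS = {"FIN": 0x01, "SYN": 0x02, "RST": 0x04, "PSH": 0x08, "ACK": 0x10, "URG": 0x20}


def flags_to_bits(names):
    """Combine flag names ('ACK', 'FIN', ...) into a single bit field."""
    bits = 0
    for name in names:
        bits |= TCP_FLAGS[name.upper()]
    return bits


def parse_flag_spec(spec):
    """Parse 'mask/comp' as iptables -L -n prints it, e.g. '0x10/0x10'."""
    mask, comp = spec.split("/")
    return int(mask, 16), int(comp, 16)


def flag_spec_from_rule_line(line):
    """Pull the 'flags:mask/comp' match out of an iptables -L -v -n counter line."""
    m = re.search(r"flags:(0x[0-9a-fA-F]+/0x[0-9a-fA-F]+)", line)
    return parse_flag_spec(m.group(1)) if m else None


def tcp_flags_match(packet_flags, mask, comp):
    """iptables --tcp-flags semantics: only the bits in `mask` are examined,
    and those bits must equal `comp` exactly."""
    return packet_flags & mask == comp


def is_syn(packet_flags):
    """iptables --syn: SYN set with ACK, RST and FIN clear
    (equivalent to --tcp-flags SYN,RST,ACK,FIN SYN)."""
    mask = flags_to_bits(["SYN", "RST", "ACK", "FIN"])
    return tcp_flags_match(packet_flags, mask, TCP_FLAGS["SYN"])


# Constructed sample input: the counter line quoted in the message, and the
# flag combinations the original poster reported seeing as 'new not syn'.
SAMPLE_RULE_LINE = ("  457 67312 ACCEPT     tcp  --  *      *       "
                    "0.0.0.0/0            0.0.0.0/0          tcp flags:0x10/0x10")
SAMPLE_COMBOS = [("ACK", "FIN"), ("ACK", "PSH", "FIN"), ("ACK", "RST"), ("ACK",)]


def classify(combos, rule_line=SAMPLE_RULE_LINE):
    """For each flag combination, report whether it would pass a --syn check
    (i.e. look like a legitimate start of a connection) and whether the
    ACK-flag ACCEPT rule from the rule line would match it."""
    mask, comp = flag_spec_from_rule_line(rule_line)
    results = {}
    for combo in combos:
        bits = flags_to_bits(combo)
        results[" ".join(combo)] = {
            "bits": bits,
            "syn": is_syn(bits),
            "ack_rule": tcp_flags_match(bits, mask, comp),
        }
    return results


if __name__ == "__main__":
    for name, r in classify(SAMPLE_COMBOS).items():
        print(f"{name:12s} bits=0x{r['bits']:02x} syn={r['syn']} ack_rule={r['ack_rule']}")
```

Every combination the poster listed carries ACK, so none of them is a SYN in the --syn sense (a NEW-state packet without SYN is exactly the "new not syn" case) and all of them are matched by the flags:0x10/0x10 rule, which is why that rule's counters climb when an earlier ESTABLISHED,RELATED rule did not claim the packets.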
