INVALID state and no known connection.

2013-04-09 Thread Daniel Curtis
Hi

As we know, the iptables INVALID state means that
the packet is associated with no known connection,
right? So, if I have a lot of INVALID entries in my
log files, does it mean that something is wrong?
Hidden process etc.?

An example of logged entries:

t4 kernel: [18776.221378] [INVALID in] IN=eth0 OUT= MAC=mac_address SRC=173.194.70.189 DST=192.168.5.200 LEN=40 TOS=0x00 PREC=0x00 TTL=45 ID=8371 PROTO=TCP SPT=443 DPT=45458 WINDOW=0 RES=0x00 RST URGP=0

t4 kernel: [18262.496058] [INVALID out] IN= OUT=eth0 SRC=192.168.5.200 DST=213.180.146.88 LEN=52 TOS=0x00 PREC=0x00 TTL=64 ID=18981 DF PROTO=TCP SPT=37190 DPT=80 WINDOW=16576 RES=0x00 ACK FIN URGP=0

For example, lsof -i -n -P command shows only ESTABLISHED
connections; nothing strange, nothing more.

Best regards.
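
Added example, not part of the original post: a small Python parser for LOG-target lines in the format quoted above, grouping entries by log prefix, direction, remote endpoint and TCP flags so a long run of INVALID entries can be triaged. The sample lines are the two from the post joined onto single lines; the bracketed-prefix pattern and the teardown/review labels are assumptions of this example.

```python
import re
from collections import Counter

# Constructed sample: the two entries quoted in the post, one line each.
SAMPLE_LOG = (
    "t4 kernel: [18776.221378] [INVALID in] IN=eth0 OUT= MAC=mac_address "
    "SRC=173.194.70.189 DST=192.168.5.200 LEN=40 TOS=0x00 PREC=0x00 TTL=45 ID=8371 "
    "PROTO=TCP SPT=443 DPT=45458 WINDOW=0 RES=0x00 RST URGP=0\n"
    "t4 kernel: [18262.496058] [INVALID out] IN= OUT=eth0 SRC=192.168.5.200 "
    "DST=213.180.146.88 LEN=52 TOS=0x00 PREC=0x00 TTL=64 ID=18981 DF PROTO=TCP "
    "SPT=37190 DPT=80 WINDOW=16576 RES=0x00 ACK FIN URGP=0\n"
)
TCP_FLAGS = ("CWR", "ECE", "URG", "ACK", "PSH", "RST", "SYN", "FIN")
# Assumes the --log-prefix is written in square brackets, as in the post.
LINE_RE = re.compile(r"kernel: \[\s*[\d.]+\] \[(?P<prefix>[^\]]+)\]\s*(?P<rest>.*)")

def parse_line(line):
    """Split one LOG line into its prefix tag, KEY=VALUE fields and TCP flags."""
    m = LINE_RE.search(line)
    if m is None:
        return None
    fields, flags = {}, []
    for token in m.group("rest").split():
        if "=" in token:
            key, value = token.split("=", 1)
            fields[key] = value
        elif token in TCP_FLAGS:  # bare words such as DF are not TCP flags
            flags.append(token)
    return {"prefix": m.group("prefix"), "fields": fields, "flags": flags}

def triage(entry):
    """Heuristic of this example: RST/FIN segments are treated as late teardown
    packets for a flow that is no longer tracked; anything else is left for review."""
    f = entry["fields"]
    inbound = bool(f.get("IN"))  # IN= is empty for locally generated packets
    host, port = (f.get("SRC"), f.get("SPT")) if inbound else (f.get("DST"), f.get("DPT"))
    kind = "teardown" if set(entry["flags"]) & {"RST", "FIN"} else "review"
    return (entry["prefix"], "in" if inbound else "out", f"{host}:{port}",
            "+".join(entry["flags"]), kind)

def summarize(text):
    """Count entries per (prefix, direction, remote endpoint, flags, kind)."""
    entries = filter(None, map(parse_line, text.splitlines()))
    return Counter(triage(e) for e in entries)

if __name__ == "__main__":
    for key, n in summarize(SAMPLE_LOG).most_common():
        print(n, *key)
```
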


Re: INVALID state and no known connection.

2013-04-09 Thread Andika Triwidada
On Tue, Apr 9, 2013 at 11:18 PM, Daniel Curtis sidetripp...@gmail.com wrote:

> Hi
>
> As we know, the iptables INVALID state means that
> the packet is associated with no known connection,
> right? So, if I have a lot of INVALID entries in my
> log files, does it mean that something is wrong?
> Hidden process etc.?


Just to be sure... INVALID means that the packet could not be identified
for some reason, which includes running out of memory.

Enough free RAM in that box?

--
andika


Re: INVALID state and no known connection.

2013-04-09 Thread Daniel Curtis
Hi andika.

Another INVALID packet description. I read a lot of
information and I don't know what is the truth. Frankly, this is
the first time I have seen a description that concerns RAM memory.

So, I have 1 GB of RAM memory. Just for example, the free -m
command result:
used: 640, free: 230

and the top command:
891896k total, 677284k used, 214612k free

As we can see, the system detected 870 MB instead of 1 GB (1024 MB).
So what is the relationship between INVALID packets and RAM
memory? Honestly, I don't understand it.


Re: INVALID state and no known connection.

2013-04-09 Thread Rolf Kutz

Hi Daniel,

On 09/04/13 21:05 +0200, Daniel Curtis wrote:

> Hi andika.
>
> Another INVALID packet description. I read a lot of
> information and I don't know what is the truth. Frankly, this is
> the first time I have seen a description that concerns RAM memory.
>
> So, I have 1 GB of RAM memory. Just for example, the free -m
> command result:
> used: 640, free: 230
>
> and the top command:
> 891896k total, 677284k used, 214612k free
>
> As we can see, the system detected 870 MB instead of 1 GB (1024 MB).
> So what is the relationship between INVALID packets and RAM
> memory? Honestly, I don't understand it.


The information about connections is stored in
/proc/net/ip_conntrack. The maximum number of connections
being tracked is configured in
/proc/sys/net/ipv4/netfilter/ip_conntrack_max.

If you have a lot of connections, you might want
to increase the values (e.g. if you use bittorrent
or similar protocols). Every connection being
tracked needs some RAM.

You could also check if the connections timed
out and then increase the timeout values.

HTH Rolf

--
Tres tristes tigres comen trigo en un trigal: un tigre, dos tigres, tres tigres.


--
To UNSUBSCRIBE, email to debian-security-requ...@lists.debian.org
with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org
Archive: http://lists.debian.org/20130409195137.gu26...@vzsze.de
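
Added example, not part of the thread: a Python check of how full the connection-tracking table is, reading the sysctl directory named in the message above. The ip_conntrack_count file, the nf_conntrack_* fallback for newer kernels and the 80% warning threshold are assumptions of this example.

```python
from pathlib import Path

# Legacy location named in the thread first, then the nf_conntrack location
# used by newer kernels (the fallback is an assumption of this example).
CANDIDATES = (
    ("/proc/sys/net/ipv4/netfilter", "ip_conntrack_count", "ip_conntrack_max"),
    ("/proc/sys/net/netfilter", "nf_conntrack_count", "nf_conntrack_max"),
)


def conntrack_usage(candidates=CANDIDATES):
    """Return tracked-connection count and limit from the first readable pair."""
    for directory, count_name, max_name in candidates:
        count_file, max_file = Path(directory, count_name), Path(directory, max_name)
        if count_file.is_file() and max_file.is_file():
            return {
                "source": str(max_file),
                "count": int(count_file.read_text()),
                "max": int(max_file.read_text()),
            }
    return None  # conntrack not loaded, or its sysctls are not visible here


def assess(usage, warn_at=0.8):
    """Classify table pressure; warn_at is an arbitrary threshold for this example."""
    if usage is None:
        return "no-conntrack"
    if usage["max"] <= 0:
        return "unknown"
    ratio = usage["count"] / usage["max"]
    if ratio >= 1.0:
        return "full"        # new flows cannot get an entry until others expire
    if ratio >= warn_at:
        return "near-limit"  # consider raising the maximum or reviewing timeouts
    return "ok"


if __name__ == "__main__":
    usage = conntrack_usage()
    print(usage, assess(usage))
```
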



Re: INVALID state and no known connection.

2013-04-09 Thread Reid Sutherland
This whole discussion seems off-topic to me, but I'll try to clear this up.

Daniel, I believe you are seeing a syslog tag called '[INVALID in] ' or 
'[INVALID out] ', nothing more.  See the LOG target in the iptables man page 
(eg, -j LOG --log-prefix '[INVALID in] ').



On 2013-04-09, at 3:51 PM, Rolf Kutz r...@vzsze.de wrote:

> Hi Daniel,
>
> On 09/04/13 21:05 +0200, Daniel Curtis wrote:
> > Hi andika.
> >
> > Another INVALID packet description. I read a lot of
> > information and I don't know what is the truth. Frankly, this is
> > the first time I have seen a description that concerns RAM memory.
> >
> > So, I have 1 GB of RAM memory. Just for example, the free -m
> > command result:
> > used: 640, free: 230
> >
> > and the top command:
> > 891896k total, 677284k used, 214612k free
> >
> > As we can see, the system detected 870 MB instead of 1 GB (1024 MB).
> > So what is the relationship between INVALID packets and RAM
> > memory? Honestly, I don't understand it.
>
> The information about connections is stored in
> /proc/net/ip_conntrack. The maximum number of connections
> being tracked is configured in
> /proc/sys/net/ipv4/netfilter/ip_conntrack_max.
>
> If you have a lot of connections, you might want
> to increase the values (e.g. if you use bittorrent
> or similar protocols). Every connection being
> tracked needs some RAM.
> You could also check if the connections timed
> out and then increase the timeout values.
>
> HTH Rolf
 
 


--
Archive: http://lists.debian.org/2214718b-f125-46f1-96ea-9d81c8f74...@vianet.ca



External check

2013-04-09 Thread Raphael Geissert
CVE-2013-0791: TODO: check
CVE-2013-0800: TODO: check
--
The output might be a bit terse, but the above ids are known elsewhere,
check the references in the tracker. The second part indicates the status
of that id in the tracker at the moment the script was run.


-- 
To UNSUBSCRIBE, email to debian-security-tracker-requ...@lists.debian.org
with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org
Archive: http://lists.debian.org/5163b84e.idivkedp87yk8g86%atomo64+st...@gmail.com



OSVDB 72183

2013-04-09 Thread Karl Schmidt
I'm getting flagged for http://osvdb.org/72183 on Debian Stable - can't find where this has been addressed?


Is this a live or valid issue?


Karl Schmidt  EMail k...@xtronics.com
Transtronics, Inc.  WEB http://secure.transtronics.com
3209 West 9th Street Ph (785) 841-3089
Lawrence, KS 66049  FAX (785) 841-0434

Truth is mighty and will prevail.
There is nothing wrong with this,
except that it ain't so.
--Mark Twain




--
Archive: http://lists.debian.org/51645854.4030...@xtronics.com