On 07/10/2017 01:25 AM, Vieri Di Paola via Shorewall-users wrote:
> Hi,
>
> I'm getting a considerable amount of log messages such as this one:
>
> kernel: Shorewall:dropNotSyn:DROP:IN=enp9s6 OUT=
> MAC=00:0d:88:cd:7f:c6:50:67:f0:af:f4:57:08:00 SRC=173.194.153.82
> DST=192.168.101.2 LEN=40 TOS=0x00 PREC=0x00 TTL=49 ID=29119 PROTO=TCP
> SPT=443 DPT=58079 WINDOW=0 RES=0x00 RST URGP=0 MARK=0x3
>
> What does it mean exactly?
>
This happens when Netfilter believes that flow is closed and deletes the
conntrack entry, while one of the end-points still thinks that the flow
is alive and sends an RST. In my own ruleset, I handle this with:
RST(ACCEPT) { SOURCE=all, DEST=all }
I have also seen similar problems with SYN,PSH,ACK packets, and added a
FIN action in 5.1.5. I use it similarly:
FIN(ACCEPT) { SOURCE=ALL, DEST=all }
-Tom
--
Tom Eastep        \   Q: What do you get when you cross a mobster with
Shoreline,         \     an international standard?
Washington, USA     \   A: Someone who makes you an offer you can't
http://shorewall.org \    understand
                      \_______________________________________________
_______________________________________________
Shorewall-users mailing list
https://lists.sourceforge.net/lists/listinfo/shorewall-users
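The following is an added example, not code from the thread or from the Shorewall project. It parses kernel log lines carrying the Shorewall prefix, pulls out the netfilter key=value fields and the bare TCP-flag tokens, and sorts dropNotSyn hits into the cases the reply distinguishes: an RST for a flow conntrack has already forgotten, a late FIN, or something else. The first sample line is the one quoted in the question; the other three sample lines are constructed here to exercise the remaining paths. The mapping of the RST(ACCEPT) and FIN(ACCEPT) rules to RST-flagged and FIN-flagged packets, and the description of dropNotSyn as matching non-SYN TCP packets that conntrack classifies as NEW, are this example's assumptions, not statements from the thread.

```python
"""Triage Shorewall dropNotSyn log lines.

Parse the netfilter LOG fields and TCP flags from each line, then say which
of the remedies posted in the thread (RST(ACCEPT), FIN(ACCEPT)) would have
matched the packet.  Added example; not Shorewall code.
"""
import re
from collections import Counter
from dataclasses import dataclass

# Spelling of the TCP flag tokens as netfilter's LOG target prints them.
FLAG_TOKENS = {"CWR", "ECE", "URG", "ACK", "PSH", "RST", "SYN", "FIN"}

# Shorewall log prefix: "Shorewall:<chain>:<disposition>:" followed by the
# kernel's key=value fields.  The chain name says which rule fired.
PREFIX_RE = re.compile(r"Shorewall:(?P<chain>[^:]+):(?P<disposition>[A-Z]+):")


@dataclass
class LogEntry:
    chain: str
    disposition: str
    fields: dict        # key=value pairs such as SRC, DST, SPT, DPT
    flags: frozenset    # TCP flag tokens present on the packet


def parse_line(line: str):
    """Return a LogEntry for a Shorewall kernel log line, or None if it is not one."""
    m = PREFIX_RE.search(line)
    if m is None:
        return None
    fields, flags = {}, set()
    for tok in line[m.end():].split():
        if "=" in tok:                 # e.g. SRC=173.194.153.82, or OUT= (empty value)
            key, value = tok.split("=", 1)
            fields[key] = value
        elif tok in FLAG_TOKENS:       # bare tokens are the TCP flags
            flags.add(tok)
    return LogEntry(m.group("chain"), m.group("disposition"), fields, frozenset(flags))


def classify(entry: LogEntry) -> str:
    """Name the situation a dropNotSyn hit represents.

    Assumption of this example: dropNotSyn fires for TCP packets that
    conntrack considers NEW but that carry no SYN, i.e. a segment for a flow
    conntrack no longer (or never) tracked.  The flag test separates the
    stale-RST case from the thread from a late FIN or a bare ACK.
    """
    if entry.chain != "dropNotSyn":
        return "not-dropNotSyn"
    if entry.fields.get("PROTO") != "TCP":
        return "non-tcp"
    if "SYN" in entry.flags:
        return "unexpected-syn"        # should not occur; the rule excludes SYN
    if "RST" in entry.flags:
        return "stale-rst"             # peer resetting a flow conntrack forgot
    if "FIN" in entry.flags:
        return "stale-fin"             # late FIN for a forgotten flow
    return "stale-other"               # e.g. bare ACK or data after timeout


# The remedies posted in the thread, keyed by classification.  Pairing
# RST(ACCEPT) with RST-flagged and FIN(ACCEPT) with FIN-flagged packets is
# this example's assumption about what those Shorewall actions match.
REMEDY = {
    "stale-rst": "RST(ACCEPT) { SOURCE=all, DEST=all }",
    "stale-fin": "FIN(ACCEPT) { SOURCE=all, DEST=all }",
}


def triage(log_text: str):
    """Parse a block of log lines; return (per-class counts, noisiest remote peers)."""
    by_class, by_peer = Counter(), Counter()
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry is None:
            continue
        kind = classify(entry)
        by_class[kind] += 1
        if kind.startswith("stale-"):
            by_peer[(entry.fields["SRC"], entry.fields.get("SPT"), kind)] += 1
    return by_class, by_peer


# Constructed sample: line 1 is the message quoted in the thread; lines 2-4
# are made up here to exercise the FIN, bare-ACK and non-dropNotSyn paths.
SAMPLE_LOG = """\
kernel: Shorewall:dropNotSyn:DROP:IN=enp9s6 OUT= MAC=00:0d:88:cd:7f:c6:50:67:f0:af:f4:57:08:00 SRC=173.194.153.82 DST=192.168.101.2 LEN=40 TOS=0x00 PREC=0x00 TTL=49 ID=29119 PROTO=TCP SPT=443 DPT=58079 WINDOW=0 RES=0x00 RST URGP=0 MARK=0x3
kernel: Shorewall:dropNotSyn:DROP:IN=enp9s6 OUT= MAC=00:0d:88:cd:7f:c6:50:67:f0:af:f4:57:08:00 SRC=203.0.113.10 DST=192.168.101.2 LEN=52 TOS=0x00 PREC=0x00 TTL=52 ID=100 PROTO=TCP SPT=443 DPT=58080 WINDOW=512 RES=0x00 ACK PSH FIN URGP=0 MARK=0x3
kernel: Shorewall:dropNotSyn:DROP:IN=enp9s6 OUT= MAC=00:0d:88:cd:7f:c6:50:67:f0:af:f4:57:08:00 SRC=203.0.113.10 DST=192.168.101.2 LEN=40 TOS=0x00 PREC=0x00 TTL=52 ID=101 PROTO=TCP SPT=443 DPT=58081 WINDOW=512 RES=0x00 ACK URGP=0 MARK=0x3
kernel: Shorewall:net2fw:DROP:IN=enp9s6 OUT= MAC=00:0d:88:cd:7f:c6:50:67:f0:af:f4:57:08:00 SRC=198.51.100.7 DST=192.168.101.2 LEN=60 TOS=0x00 PREC=0x00 TTL=48 ID=7 PROTO=TCP SPT=40000 DPT=23 WINDOW=29200 RES=0x00 SYN URGP=0
"""

if __name__ == "__main__":
    counts, peers = triage(SAMPLE_LOG)
    for kind, n in counts.most_common():
        print(f"{n:4d}  {kind:16s} {REMEDY.get(kind, '(left to dropNotSyn)')}")
    for (src, spt, kind), n in peers.most_common():
        print(f"{n:4d}  {src}:{spt}  {kind}")
```

Feed it a real `grep Shorewall:dropNotSyn /var/log/kern.log` capture and the per-peer counter shows whether the noise is a handful of busy HTTPS servers resetting flows the firewall has timed out (the situation in the question) or many unrelated sources, which is a different problem that an RST(ACCEPT) rule would not be the right answer to.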
