On Wed, May 4, 2022 at 12:03 PM Tuomo Soini <t...@foobar.fi> wrote:
>
> > May 4 08:04:22 fw1 kernel: FWGW:wan-lan1:DROP:IN=wan OUT=lan.1
> > MAC=ac:1f:6b:9b:85:06:30:85:a9:8e:b9:a0:08:00 SRC=23.200.66.154
> > DST=10.215.248.214 LEN=40 TOS=0x00 PREC=0x00 TTL=63 ID=38801 DF
> > PROTO=TCP SPT=443 DPT=64710 WINDOW=123 RES=0x00 ACK URGP=0
>
> This is not FIN or RST.

Sorry, I thought it was FIN as /usr/share/shorewall/action.FIN contains
the ACK tcp flag.

> And you don't want to allow this type of packets, those are so called
> late replies - e.g. replies for connections which have been long gone.

That's what puzzles me. When is a reply considered to be late? When it's
removed from the conntrack table, I suppose. What is the conntrack table
entry timeout? Does the following value have anything to do with it?

# sysctl net.netfilter.nf_conntrack_tcp_timeout_established
net.netfilter.nf_conntrack_tcp_timeout_established = 86400

I'm trying to understand why I'm getting these late ACK replies because
I'm seeing too many of them. Sure, I could hide them from the shorewall
log, but I need to make sure they are not a symptom of a problem.

Thanks,

Vieri

_______________________________________________
Shorewall-users mailing list
Shorewall-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shorewall-users
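As an added example that is not part of the thread, the Python below parses netfilter/Shorewall LOG lines like the one quoted above and labels each dropped TCP packet by its flag combination, so pure-ACK "late replies" can be counted separately from unsolicited SYNs and FIN/RST teardowns; the first sample line is the one from the thread, the second is constructed.

```python
import re

# Sample input: the first line is the DROP entry quoted in the thread; the second
# is constructed to show the neighbouring case of an unsolicited SYN.
SAMPLE_LOG = [
    "May 4 08:04:22 fw1 kernel: FWGW:wan-lan1:DROP:IN=wan OUT=lan.1 "
    "MAC=ac:1f:6b:9b:85:06:30:85:a9:8e:b9:a0:08:00 SRC=23.200.66.154 "
    "DST=10.215.248.214 LEN=40 TOS=0x00 PREC=0x00 TTL=63 ID=38801 DF "
    "PROTO=TCP SPT=443 DPT=64710 WINDOW=123 RES=0x00 ACK URGP=0",
    "May 4 08:05:01 fw1 kernel: FWGW:net-fw:DROP:IN=wan OUT= SRC=198.51.100.7 "
    "DST=10.215.248.1 LEN=44 TTL=50 ID=1 PROTO=TCP SPT=40000 DPT=22 "
    "WINDOW=1024 RES=0x00 SYN URGP=0",
]

def parse_nf_log(line):
    """Split a netfilter LOG line into KEY=VALUE fields plus a FLAGS set.
    Shorewall glues its prefix to IN= ('...:DROP:IN=wan'), so the prefix is what
    sits between 'kernel:' and 'IN='; bare tokens (DF, SYN, ACK, RST) become flags."""
    m = re.search(r"kernel:\s*(.*?)(IN=.*)$", line)
    if not m:
        raise ValueError("not a netfilter LOG line: %r" % line)
    fields, flags = {"PREFIX": m.group(1).strip()}, set()
    for tok in m.group(2).split():
        if "=" in tok:
            key, val = tok.split("=", 1)
            fields[key] = val
        else:
            flags.add(tok)
    fields["FLAGS"] = flags
    return fields

def classify(fields):
    """Label a dropped TCP packet by its flag combination, for triage."""
    if fields.get("PROTO") != "TCP":
        return "non-tcp"
    flags = fields["FLAGS"]
    if "SYN" in flags and "ACK" not in flags:
        return "new-connection-attempt"   # unsolicited connect or scan
    if "RST" in flags or "FIN" in flags:
        return "teardown"                 # close segment with no matching state
    if "ACK" in flags:
        # Pure ACK that matched no conntrack entry: the "late reply" case in the
        # thread. nf_conntrack_tcp_timeout_established only covers idle ESTABLISHED
        # entries; once FIN/RST were seen the entry sits in shorter-lived closing states.
        return "late-reply-ack"
    return "other"
```

Feeding a day of DROP lines through classify() and counting by (class, SRC, SPT) shows whether the late ACKs cluster on a few servers on port 443 (ordinary post-close stragglers) or are spread across many sources, which is a different question.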