On 27 Dec 2013, at 07:39, Nyamul Hassan <nya...@gmail.com> wrote: > Hi, > > Recently, we had some DDoS type attacks on our servers, so in an > attempt to secure our systems, we added some iptables rules, which > seems to work quite well on most of our servers. > > Even on systems dedicated to Squid, all seems to run well. However, > one rule in particular seems to catch up a lot of entries in Squid > machines, which are almost non-existent on the other non-Squid > machines: > > -A OUTPUT -p tcp -m tcp --tcp-flags RST RST -j OUTRST -m comment > --comment "OUTPUT: Catch RST pkt" > -A OUTRST -j LOG --log-prefix "OUTRST: " > -A OUTRST -j DROP -m comment --comment "OUTRST: Drop outbound RST" > > From what we have seen, this does not seem to have a detrimental > affect on Squid Proxy. But, out of academic interest, we would still > like to learn more on why so many RST packets would be generated from > the server itself. > > Can anyone shed some light?
Hi Hassan, I guess that one of the reasons is that a proxy has way different traffic patterns than almost any other server: it talks to a lot of unreliably reachable servers, and as such it can have more often to reinitialise the TCP state of a connection. There may be other reasons, with slightly different motivations but the same pattern. For instance: - squid tries to keep TCP connection alive - firewall on the server side has too-short session timeout - firewall on server side silently drops connection - squid gives up on keep alive, closes TCP session - firewall drops FIN because no session in its session table - squid RST This pattern occurs more often than you'd think Kinkie