
List:       ipfilter
Subject:    Re: blocking low ports?
From:       Jim Sandoz <sandoz () lucent ! com>
Date:       2001-03-31 3:29:45


matthew,

the next to last field in the log entry shows the TCP flags
which were set on the logged packet.

the "-R" in your case indicates that the RST flag was set
on this particular packet.  RST as you know is sent as part
of the closing stage of a TCP connection.

what does this mean to you?  well, what probably happened
was that the ipf state keeping mechanism had already torn
down the state entry for the connection, and then this RST
packet came along, didn't meet any current state criteria
nor any filter rules, and thus was blocked and logged by
your rule 22.  but it's nothing to worry about, just a "stray",
due to a lost ACK packet from your side or some other
harmless malady.

i see -R's, and -AR's, in my logs as well.

jim


matthew zeier wrote:

> I see this in my log:
>
> Mar 30 18:40:06 ch3-uweb1 ipmon[107]: [ID 702911 local0.warning]
> 18:40:06.115455 hme0 @0:22 b 209.189.86.250,8997 -> destip,80 PR tcp len 20
> 65 -R IN
>
> The rules I have are:
>
> @11 pass in quick on hme0 proto tcp from any to any port = 80 flags S/SA
> keep state
>
> @22 block in log quick on hme0 from any to any
>
> How come I get some random hits to my log like that?
>
> --
> matthew zeier -  "Chance is irrelevant - we will succeed." - 7 of 9
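
Added example, not part of the original message or of the ipfilter distribution: a small parser that pulls the TCP flags out of the next-to-last field of an ipmon line, as described in the reply above, and labels blocked -R / -AR packets as strays. It assumes the log layout of the sample line quoted in the post; the names parse_ipmon_tcp, classify and triage and the label strings are hypothetical, and the second and third sample lines are constructed.

```python
import re
# Assumed layout, taken from the sample line quoted in the post:
#   <if> @<group>:<rule> <action> <src>,<sport> -> <dst>,<dport> PR tcp len <hl> <len> -<flags> IN
LINE_RE = re.compile(
    r"(?P<iface>\S+) @(?P<group>\d+):(?P<rule>\d+) (?P<action>\S+) "
    r"(?P<src>\S+?),(?P<sport>\d+) -> (?P<dst>\S+?),(?P<dport>\d+) "
    r"PR tcp len \d+ \d+ (?P<rest>.+)$"
)
FLAG_NAMES = {"S": "SYN", "A": "ACK", "F": "FIN", "R": "RST", "P": "PSH", "U": "URG"}

def parse_ipmon_tcp(line):
    """Return a dict for one ipmon TCP log line, or None if it does not match."""
    m = LINE_RE.search(line.strip())
    if not m:
        return None
    fields = m.group("rest").split()
    # The flags are the next-to-last field, written with a leading "-".
    if len(fields) < 2 or not fields[-2].startswith("-"):
        return None
    entry = m.groupdict()
    entry["flags"] = {FLAG_NAMES.get(c, c) for c in fields[-2][1:]}
    return entry

def classify(entry):
    """Hypothetical triage labels for a parsed entry ('b' is a blocked packet)."""
    if entry["action"] != "b":
        return "not-blocked"
    flags = entry["flags"]
    if "RST" in flags and flags <= {"RST", "ACK"}:
        return "stray-reset"        # -R / -AR arriving after the state entry is gone
    if flags == {"SYN"}:
        return "new-connection"     # fresh SYN that no pass rule accepted
    return "review"

def triage(lines):
    """Return (src, rule, sorted flags, label) for every line that parses."""
    parsed = filter(None, map(parse_ipmon_tcp, lines))
    return [(e["src"], int(e["rule"]), sorted(e["flags"]), classify(e)) for e in parsed]

PREFIX = "Mar 30 18:40:06 ch3-uweb1 ipmon[107]: [ID 702911 local0.warning] "
SAMPLE = [
    # First line is the entry from the post, rejoined; the other two are constructed.
    PREFIX + "18:40:06.115455 hme0 @0:22 b 209.189.86.250,8997 -> destip,80 PR tcp len 20 65 -R IN",
    PREFIX + "18:41:10.220134 hme0 @0:22 b 192.0.2.10,40211 -> 198.51.100.5,80 PR tcp len 20 40 -AR IN",
    PREFIX + "18:42:31.004512 hme0 @0:22 b 192.0.2.77,51515 -> 198.51.100.5,23 PR tcp len 20 44 -S IN",
]

if __name__ == "__main__":
    print(*triage(SAMPLE), sep="\n")
```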
