
List:       netfilter
Subject:    Re: Unexpected RSTs?
From:       Martijn Klingens <mklingens () ism ! nl>
Date:       2002-10-16 13:36:52

On Friday 11 October 2002 16:29, Martijn Klingens wrote:
> On Friday 11 October 2002 15:03, Antony Stone wrote:
> > Maybe you could try putting a LOG rule to catch *all* RSTs at the
> > beginning of your rules (before even the ESTABLISHED, RELATED rule) and
> > see if this shows they are coming along in pairs ?
>
> Good idea. I'm not going to modify the firewall so close before the
> weekend, but will do so next monday. Thanks for the tip and I'll let you
> know about the results!

Just did some small tests, and unfortunately this idea seems to be incorrect.

Each 'unexpected RST' has exactly *ONE* RST coming in, so it's not a duplicate
entry being dropped; it's a unique entry.

Also, the IP addresses causing unexpected RSTs are sending accepted RSTs later 
on in the firewall log with a slightly higher port number, so it looks like 
the senders are legitimate and not malicious users.

Do you have any other ideas why the RSTs are not accepted by the conntrack
code as 'related'?

-- 
Martijn
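As an added illustration of the test described in this thread (this is example code, not something posted by either participant), the script below shows where the "catch all RSTs" LOG rule sits relative to the ESTABLISHED,RELATED rule, and then runs a small awk pass over kernel log lines in the iptables LOG layout, grouping RSTs by (SRC, DST, SPT, DPT) so you can see at a glance whether any flow produced more than one RST. The `ALL-RST:` log prefix, the `fw` hostname and the four log lines are constructed sample data; the two iptables commands are shown only as comments and are not executed.

```shell
#!/bin/sh
# Added example, not from the thread. Shows where the "catch all RSTs" LOG
# rule from the discussion would sit relative to the ESTABLISHED,RELATED rule,
# and an awk pass over the resulting kernel log lines that groups RSTs by
# (SRC, DST, SPT, DPT) so you can see whether any flow logged more than one.
#
# Rule placement (reference only; not executed by this script):
#   iptables -I INPUT 1 -p tcp --tcp-flags RST RST -j LOG --log-prefix "ALL-RST: "
#   iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# The LOG rule must come first; otherwise RSTs that conntrack already accepts
# as part of a known connection never reach it and the count is incomplete.

# Constructed sample lines in the layout the iptables LOG target writes.
# 192.0.2.10 sends the same RST twice (the "pairs" hypothesis); 192.0.2.20
# sends one RST, then another later with a slightly higher client port.
SAMPLE_LOG='Oct 14 10:01:02 fw kernel: ALL-RST: IN=eth0 OUT= SRC=192.0.2.10 DST=198.51.100.5 LEN=40 TOS=0x00 PREC=0x00 TTL=54 ID=0 DF PROTO=TCP SPT=80 DPT=33201 WINDOW=0 RES=0x00 RST URGP=0
Oct 14 10:01:02 fw kernel: ALL-RST: IN=eth0 OUT= SRC=192.0.2.10 DST=198.51.100.5 LEN=40 TOS=0x00 PREC=0x00 TTL=54 ID=0 DF PROTO=TCP SPT=80 DPT=33201 WINDOW=0 RES=0x00 RST URGP=0
Oct 14 10:01:05 fw kernel: ALL-RST: IN=eth0 OUT= SRC=192.0.2.20 DST=198.51.100.5 LEN=40 TOS=0x00 PREC=0x00 TTL=51 ID=0 DF PROTO=TCP SPT=443 DPT=33202 WINDOW=0 RES=0x00 RST URGP=0
Oct 14 10:02:17 fw kernel: ALL-RST: IN=eth0 OUT= SRC=192.0.2.20 DST=198.51.100.5 LEN=40 TOS=0x00 PREC=0x00 TTL=51 ID=0 DF PROTO=TCP SPT=443 DPT=33210 WINDOW=0 RES=0x00 RST URGP=0'

# count_rsts: reads LOG lines on stdin and prints one line per flow:
#   SRC DST SPT DPT count
count_rsts() {
  awk '
    {
      src = ""; dst = ""; spt = ""; dpt = ""; isrst = 0
      for (i = 1; i <= NF; i++) {
        # the LOG target prints set TCP flags as bare words, e.g. "RST"
        if ($i == "RST") { isrst = 1; continue }
        split($i, kv, "=")
        if (kv[1] == "SRC") src = kv[2]
        else if (kv[1] == "DST") dst = kv[2]
        else if (kv[1] == "SPT") spt = kv[2]
        else if (kv[1] == "DPT") dpt = kv[2]
      }
      if (isrst) n[src " " dst " " spt " " dpt]++
    }
    END { for (k in n) print k, n[k] }
  ' | sort
}

# distinct_rst_flows: number of distinct (SRC,DST,SPT,DPT) tuples that sent an RST
distinct_rst_flows() {
  printf '%s\n' "$SAMPLE_LOG" | count_rsts | wc -l | tr -d ' '
}

# duplicate_rst_flows: number of flows that logged more than one RST;
# zero here means every unexpected RST really was a single packet
duplicate_rst_flows() {
  printf '%s\n' "$SAMPLE_LOG" | count_rsts | awk '$5 > 1 { c++ } END { print c + 0 }'
}

printf '%s\n' "$SAMPLE_LOG" | count_rsts
echo "flows: $(distinct_rst_flows), flows with more than one RST: $(duplicate_rst_flows)"
```

On a real firewall you would feed `grep 'ALL-RST:' /var/log/messages` (or wherever klogd writes) into `count_rsts` instead of the embedded sample. A flow with a count of 2 is the "pair" case Antony suggested looking for; a count of 1 for every flow is the result Martijn reports above. Because the grouping key includes the client port, the later RSTs from the same address on a slightly higher port show up as separate flows rather than being mistaken for duplicates.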

