[ previous ] [ next ] [ threads ]
 
 From:  Chris Buechler <cbuechler at gmail dot com>
 To:  Steven Stremciuc <steve at freeslacker dot net>
 Cc:  m0n0wall at lists dot m0n0 dot ch
 Subject:  Re: [m0n0wall] overzealous firewall
 Date:  Tue, 25 Jan 2005 12:08:53 -0500
On Tue, 25 Jan 2005 00:05:38 -0700, Steven Stremciuc
<steve at freeslacker dot net> wrote:
> 
> Plenty of traffic still gets through to the web servers, but I see many
> blocked packets being logged (following just a snippet):
> 
> looks like they are being caught here:
> 
> 613953 @17 block in log quick on dc0 from any to any head 200
> 

It's hitting that because it's not matching an existing state entry. 
Generally you'll see this but it won't cause problems.  It's usually
from retransmitted packets or the last packets of a session.

As described in the ipfilter howto:

 "Due to the often laggy nature of the Internet, sometimes packets will
 be regenerated. Sometimes, you'll get two copies of the same packet,
 and your state rule which keeps track of sequence numbers will have
 already seen this packet, so it will assume that the packet is part of
 a different connection. Eventually this packet will run into a real
 rule and have to be dealt with. You'll often see the last packet of a
 session being closed get logged because the keep state code has
 already torn down the connection before the last packet has had a
 chance to make it to your firewall. This is normal, do not be
 alarmed."
 

> The way I noticed all those dropped packets was connections to the
> servers started dying, and the only way I could get it working again was
> to reset state tables. As soon as I did that connections through the
> m0n0wall became responsive again, but I noticed how many packets it's
> blocking.
> 

Existing connections died, or new connections weren't accepted, or?  

-Chris