 From:  Peter Allgeyer <allgeyer at web dot de>
 To:  m0n0wall at lists dot m0n0 dot ch
 Subject:  Re: [m0n0wall] Packets blocked for seemingly no reason
 Date:  Mon, 02 May 2005 11:17:34 +0200
On Sunday, 01.05.2005, at 23:14 -0500, Zach Lowry wrote:
> May  1 22:57:57 ipmon[130]: 22:57:57.289976 sis1 @0:31 b
>,41262 ->,80 PR tcp len 20 52 -AF IN

This is a blocked IP packet with tcp options set (FIN, ACK). It's surely
no outgoing _request_. The above tcp packet wants to close a tcp
connection (or -- more unlikely -- answers to a closing request from the
remote side) the firewall doesn't know anything about (anymore). What
can cause this behaviour?

a) The firewall has a tcp state table timeout (and a nat table timeout,
too, I believe). By default, tcp times out at 2.5 hours (since 1.2b2).
Maybe your web browser asks to terminate a tcp connection of which your
firewall saw the last packet more than 2.5 hours ago.

b) Problems with recognising and relating the FIN and FIN,ACK packets at
the end of a connection.

Does this log entry cause any problems?

Ciao ...
	... PIT ...

 copyleft(c) by |           "Besides, I think  Slackware  sounds better
 Peter Allgeyer |   _-_     than 'Microsoft,' don't you?" (By Patrick
                | 0(o_o)0   Volkerding)
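The mechanism behind explanation (a), and the close-handshake tracking behind (b), as an added, simplified model; this is not m0n0wall or ipfilter code. It assumes one idle timer for every established TCP flow (the real ipfilter keeps several per-state timers), an "outbound SYN creates state" policy, RFC 5737 documentation addresses, and a constructed base timestamp; the ipmon-style log line it produces is an approximation of the real format.

```python
"""Model of a stateful packet filter with an idle timeout, showing why a
FIN/ACK sent long after the last packet is logged as blocked.
Added example, not m0n0wall/ipfilter code; see assumptions in comments."""
import time
from dataclasses import dataclass

# TCP flag bits as carried in the TCP header
FIN, SYN, ACK = 0x01, 0x02, 0x10

# Default tcp state timeout the post mentions: 2.5 hours.
# Assumption: a single idle timer per established flow.
TCP_IDLE_TIMEOUT = 2.5 * 3600


@dataclass(frozen=True)
class Packet:
    ts: float       # seconds since the epoch
    src: str
    sport: int
    dst: str
    dport: int
    flags: int


def flag_str(flags):
    """ipmon-like flag letters, e.g. 'AF' for ACK+FIN (approximation)."""
    return "".join(ch for bit, ch in ((SYN, "S"), (ACK, "A"), (FIN, "F")) if flags & bit)


def ipmon_line(p, verdict, iface="sis1", rule="@0:31"):
    """One ipmon-style log line; 'b' = blocked, 'p' = passed (approximation)."""
    t = time.strftime("%H:%M:%S", time.gmtime(p.ts)) + f".{int((p.ts % 1) * 1e6):06d}"
    return (f"{t} {iface} {rule} {verdict} {p.src},{p.sport} -> {p.dst},{p.dport} "
            f"PR tcp -{flag_str(p.flags)}")


class StateTable:
    def __init__(self, idle_timeout=TCP_IDLE_TIMEOUT):
        self.idle_timeout = idle_timeout
        self.entries = {}   # (src, sport, dst, dport) -> {"last_seen", "fins"}
        self.log = []

    @staticmethod
    def _key(p, reverse=False):
        return (p.dst, p.dport, p.src, p.sport) if reverse else (p.src, p.sport, p.dst, p.dport)

    def _expire(self, now):
        """Drop every flow whose last packet is older than the idle timeout."""
        stale = [k for k, e in self.entries.items() if now - e["last_seen"] > self.idle_timeout]
        for k in stale:
            del self.entries[k]

    def filter(self, p):
        """Return 'p' (pass) or 'b' (block) and append an ipmon-style line."""
        self._expire(p.ts)
        fwd, rev = self._key(p), self._key(p, reverse=True)
        key = fwd if fwd in self.entries else rev if rev in self.entries else None
        if key is not None:
            e = self.entries[key]
            e["last_seen"] = p.ts            # any packet of a known flow refreshes the timer
            if p.flags & FIN:
                e["fins"].add(fwd)           # remember which direction has sent its FIN
            elif p.flags & ACK and len(e["fins"]) == 2:
                del self.entries[key]        # final ACK of the close handshake tears down state
            verdict = "p"
        elif p.flags & SYN and not p.flags & ACK:
            self.entries[fwd] = {"last_seen": p.ts, "fins": set()}   # outbound SYN creates state
            verdict = "p"
        else:
            verdict = "b"                    # no state, not a new connection: blocked
        self.log.append(ipmon_line(p, verdict))
        return verdict


# Constructed endpoints (RFC 5737 ranges) and base timestamp, not from the original log.
CLIENT, SERVER = ("192.0.2.10", 41262), ("198.51.100.5", 80)
T0 = 1114984677.0


def late_close_scenario(idle_gap):
    """Open a connection to port 80, go idle for idle_gap seconds, then send
    FIN/ACK. Returns (verdict for the FIN/ACK, log lines)."""
    st = StateTable()
    st.filter(Packet(T0, *CLIENT, *SERVER, SYN))
    st.filter(Packet(T0 + 0.05, *SERVER, *CLIENT, SYN | ACK))
    st.filter(Packet(T0 + 0.1, *CLIENT, *SERVER, ACK))
    return st.filter(Packet(T0 + idle_gap, *CLIENT, *SERVER, FIN | ACK)), st.log


def graceful_close_scenario():
    """Full FIN/FIN-ACK/ACK close, then a retransmitted ACK. Returns the
    verdicts of those four packets; the stray ACK after teardown is blocked."""
    st = StateTable()
    st.filter(Packet(T0, *CLIENT, *SERVER, SYN))
    st.filter(Packet(T0 + 0.05, *SERVER, *CLIENT, SYN | ACK))
    st.filter(Packet(T0 + 0.1, *CLIENT, *SERVER, ACK))
    return [st.filter(Packet(T0 + 1.0, *CLIENT, *SERVER, FIN | ACK)),
            st.filter(Packet(T0 + 1.1, *SERVER, *CLIENT, FIN | ACK)),
            st.filter(Packet(T0 + 1.2, *CLIENT, *SERVER, ACK)),
            st.filter(Packet(T0 + 1.3, *CLIENT, *SERVER, ACK))]


if __name__ == "__main__":
    for gap in (3600, 3 * 3600):
        verdict, log = late_close_scenario(gap)
        print(f"FIN/ACK after {gap / 3600:.1f} h idle: {verdict}  ->  {log[-1]}")
    print("graceful close + stray ACK:", graceful_close_scenario())
```

With a one-hour gap the FIN/ACK matches the existing state and passes; with a three-hour gap the state has expired, the packet has neither state nor a SYN, and it is logged as blocked with flags `-AF`, which is the shape of the line quoted at the top of the thread.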