[ previous ] [ next ] [ threads ]
 
 From:  Zach Lowry <zach at zachlowry dot net>
 To:  Peter Allgeyer <allgeyer at web dot de>
 Cc:  m0n0wall at lists dot m0n0 dot ch
 Subject:  Re: [m0n0wall] Packets blocked for seemingly no reason
 Date:  Mon, 02 May 2005 07:18:57 -0500
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Peter Allgeyer wrote:
| This is a blocked IP packet with tcp options set (FIN, ACK). It's surely
| no outgoing _request_. The above tcp packet wants to close a tcp
| connection (or -- more unlikely -- answers to a closing request from the
| remote side) the firewall doesn't know anything about (anymore). What
| can cause this behaviour?

Yes, I suspected this. I noticed this only on connections that maintain
a persistent connection, lke IMAP.

| a) The firewall has a tcp state table timeout (and nat table timeout,
| too, I believe). By default, tcp times out at 2.5 hours (since 1.2b2).
| Maybe your webbrowser asks to terminate a tcp connection your firewall
| has seen the last packet more than 2.5 hours ago.
|
| b) Problems with recognising and relating the FIN and FIN,ACK packets at
| the end of a connection.
|
| Does this log entry cause any problems?

Basically, it's an annoyance, because my log monitoring software reports
my IPs as the most actively blocked. Oh sure, I could block it, but then
what if there really was a problem with one of those IPs?

- --
Zach Lowry
MTSU, Murfreesboro, TN
zach at zachlowry dot net
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.5 (GNU/Linux)
Comment: Using GnuPG with Thunderbird - http://enigmail.mozdev.org

iD8DBQFCdhqxgdZCZBzmiU4RApAiAJ0RMq0Bl9J81krUI4rMs1NAZUjvjwCfW30W
w4Cw6QM+x5w2c++kTUCUDBY=
=rbQZ
-----END PGP SIGNATURE-----