I've got one particular host on a LAN (sis0) that is trying to talk to
a machine on the DMZ, but all TCP traffic appears to be blocked by
this very early set of "rules":
@29 skip 1 in proto tcp from any to any flags S/FSRA
@30 block in log quick proto tcp from any to any
Here are a couple of log entries:
Feb 9 15:09:12 firewall ipmon: 15:09:12.276053 sis0 @0:30 b -> 66.XXX.XXX.20,25 PR tcp len 20 52 -AF IN
Feb 9 15:09:54 firewall ipmon: 15:09:54.174472 sis0 @0:30 b -> 66.XXX.XXX.20,25 PR tcp len 20 64 -A IN
This doesn't look like the default deny rule since it is so early. So
I am guessing that there is something about a tcp packet with flags
that don't match S/FSRA that is considered worth blocking right away.
Reading ipf.conf, I take @29 to mean that out of the FIN, SYN, RST,
and ACK only the SYN flag should be set. But I don't understand TCP
enough to understand why that should be the case. (In fact, it seems
backwards to me.)
Can anyone explain to me or point me toward docs that would help me
understand what this is about? And why one of my systems (the source
of these) would be generating these bad packets. Note that I am
trying to get that system to talk to port 25 on the destination
system. I am expecting port 25 traffic, but I find it blocked.
Jeffrey Goldberg http://www.goldmark.org/jeff/
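As an added example (not code from the original post or from IPFilter itself): a small Python model of the ipf "flags WANT/MASK" test and an ipmon(8) line parser, run over the two log entries quoted above plus one constructed SYN entry for contrast. The third entry, its rule number @0:40 and the source address 192.0.2.10 are made up here; the flag letters and bit values follow ipf.conf(5) and the TCP header.

```python
import re

# TCP flag letters as ipf.conf(5) and ipmon print them, with their header bits
FLAG_BITS = {"F": 0x01, "S": 0x02, "R": 0x04, "P": 0x08, "A": 0x10, "U": 0x20}

def to_bits(letters):
    return sum(FLAG_BITS[c] for c in letters)

def flags_match(packet_flags, spec):
    """ipf 'flags WANT/MASK' test: only the MASK bits are compared, and they
    must equal WANT.  'S/FSRA' therefore means: of FIN, SYN, RST and ACK,
    exactly SYN is set (PUSH and URG are ignored).  Without '/MASK', ipf
    compares against all six flags (FSRPAU)."""
    want, _, mask = spec.partition("/")
    mask = mask or "FSRPAU"
    return (to_bits(packet_flags) & to_bits(mask)) == to_bits(want)

def rule_hit(packet_flags):
    """Walk the two rules quoted in the post for one inbound TCP packet."""
    if flags_match(packet_flags, "S/FSRA"):   # @29 matches: 'skip 1' jumps over @30
        return "@29 skip (pure SYN, reaches later rules)"
    return "@30 block"                          # @29 misses: @30 logs and blocks

# ipmon line: "... <iface> @<group>:<rule> <action> <src> -> <dst>,<port> PR tcp len <hl> <len> -<flags> <dir>"
IPMON_RE = re.compile(r"(\S+) @(\d+):(\d+) (\w) .*? PR (\w+) len \d+ \d+ -([FSRPAU]*) (IN|OUT)")

def parse_ipmon(text):
    """Pull interface, rule, action, protocol, TCP flags and direction out of ipmon lines."""
    out = []
    for line in text.strip().splitlines():
        m = IPMON_RE.search(line)
        if m:
            out.append({"iface": m[1], "rule": f"@{m[2]}:{m[3]}", "action": m[4],
                        "proto": m[5], "flags": m[6], "dir": m[7]})
    return out

# The two entries from the post (wrapped lines rejoined, addresses as redacted there)
# plus one constructed SYN entry that would clear @29.
SAMPLE_LOG = """
Feb 9 15:09:12 firewall ipmon: 15:09:12.276053 sis0 @0:30 b -> 66.XXX.XXX.20,25 PR tcp len 20 52 -AF IN
Feb 9 15:09:54 firewall ipmon: 15:09:54.174472 sis0 @0:30 b -> 66.XXX.XXX.20,25 PR tcp len 20 64 -A IN
Feb 9 15:10:01 firewall ipmon: 15:10:01.000000 sis0 @0:40 p 192.0.2.10,40000 -> 66.XXX.XXX.20,25 PR tcp len 20 60 -S IN
"""

if __name__ == "__main__":
    for e in parse_ipmon(SAMPLE_LOG):
        print(f"{e['rule']} {e['action']} flags={e['flags']:<3} -> {rule_hit(e['flags'])}")
```

The two logged packets carry ACK+FIN and ACK only, so they are mid-connection segments rather than connection openers; the S/FSRA test is there so that only a SYN can start a new flow, and everything else is expected to be matched by state kept from that SYN.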