From: netfilter@interlinx.bc.ca
To: netfilter-devel@lists.netfilter.org
Subject: Weird results with tcp-window-tracking patch
Date: Wed, 6 Nov 2002 10:32:59 -0500
Message-ID: <20021106153259.GC12743@pc.ilinx>

I have the tcp-window-tracking patch applied to my firewall's kernel.
For reference, the dates on the first hunk in the
./extra/tcp-window-tracking.patch are as follows:

--- linux-2.4.19-base/include/linux/netfilter_ipv4/ip_conntrack_tcp.h Fri Oct 18 11:38:10 2002
+++ linux-2.4.19-tcp-window/include/linux/netfilter_ipv4/ip_conntrack_tcp.h Fri Oct 18 11:56:35 2002

Anyway, I have been seeing some strange results from the patch.  I
have lots of these from the last 12 or so hours:

04:16:48 kernel SRC=195.33.98.115 DST=205.210.52.208 LEN=64 TOS=0x00 PREC=0x00 TTL=37 ID=1 PROTO=TCP SPT=57376 DPT=53 SEQ=232119966 ACK=1365344649 WINDOW=2048 RES=0x00 SYN URGP=0 ip_conntrack_tcp: INVALID: Out of window data; SEQ is under the lower bound (retransmitted already ACKed data) 
04:16:49 kernel SRC=195.33.98.115 DST=205.210.52.208 LEN=64 TOS=0x00 PREC=0x00 TTL=37 ID=2 PROTO=TCP SPT=57380 DPT=53 SEQ=2911162149 ACK=4054392719 WINDOW=2048 RES=0x00 SYN URGP=0 ip_conntrack_tcp: INVALID: Out of window data; SEQ is under the lower bound (retransmitted already ACKed data) 
04:16:50 kernel SRC=195.33.98.115 DST=205.210.52.208 LEN=64 TOS=0x00 PREC=0x00 TTL=37 ID=3 PROTO=TCP SPT=57382 DPT=53 SEQ=2104223658 ACK=1098213046 WINDOW=2048 RES=0x00 SYN URGP=0 ip_conntrack_tcp: INVALID: Out of window data; SEQ is under the lower bound (retransmitted already ACKed data) 

It seems to me that these are just regular run-of-the-mill initial SYN
packets (i.e. packet one of the TCP three-way handshake) for TCP DNS
queries of my name server (even though I don't have one -- from the
number of both UDP and TCP DNS queries I am getting, the previous
owner of my IP address must have a name server running).

Why would these be flagged as "Out of window data" packets when in
reality they are just a simple violation of the rules I have
installed?  Doesn't there have to be an established TCP session in
order to determine if there is any "Out of window data"?

b.

-- 
Brian J. Murrell
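
A triage sketch for log lines in the format quoted in the message above, added here as an example (it is not code from the post or from the netfilter project): it separates opening SYNs from mid-stream segments among the patch's INVALID reports. The sample lines, addresses and function names are constructed for illustration.

```python
import re
from collections import Counter

TCP_FLAGS = {"CWR", "ECE", "URG", "ACK", "PSH", "RST", "SYN", "FIN"}
KV = re.compile(r"(\w+)=(\S+)")
REASON = re.compile(r"ip_conntrack_tcp: (INVALID: .*)$")
TAIL = ("ip_conntrack_tcp: INVALID: Out of window data; SEQ is under the "
        "lower bound (retransmitted already ACKed data)")
# Constructed sample lines (documentation addresses, not the ones in the post).
SAMPLE = [
    "04:16:48 kernel SRC=192.0.2.10 DST=198.51.100.5 LEN=64 TTL=37 ID=1 PROTO=TCP "
    "SPT=57376 DPT=53 SEQ=232119966 ACK=1365344649 WINDOW=2048 RES=0x00 SYN URGP=0 " + TAIL,
    "04:16:49 kernel SRC=192.0.2.10 DST=198.51.100.5 LEN=64 TTL=37 ID=2 PROTO=TCP "
    "SPT=57380 DPT=53 SEQ=2911162149 ACK=4054392719 WINDOW=2048 RES=0x00 SYN URGP=0 " + TAIL,
    "04:20:11 kernel SRC=192.0.2.20 DST=198.51.100.5 LEN=52 TTL=60 ID=771 PROTO=TCP "
    "SPT=40112 DPT=80 SEQ=1000 ACK=2000 WINDOW=5840 RES=0x00 ACK PSH URGP=0 " + TAIL,
]

def parse_line(line):
    """Return fields, TCP flags and conntrack reason for one LOG line, or None."""
    m = REASON.search(line.strip())
    if not m or "PROTO=TCP" not in line:
        return None
    packet = line[:m.start()]                 # everything before the reason text
    fields = dict(KV.findall(packet))
    flags = {tok for tok in packet.split() if tok in TCP_FLAGS}  # bare flag tokens
    return {"src": fields.get("SRC"), "dpt": int(fields.get("DPT", "0")),
            "flags": flags, "ack_field": int(fields.get("ACK", "0")),
            "reason": m.group(1)}

def classify(rec):
    """Label a segment by where in a connection it can legitimately occur."""
    f = rec["flags"]
    if "RST" in f:
        return "reset"
    if "SYN" in f:
        return "syn-ack" if "ACK" in f else "opening-syn"
    return "mid-stream"

def triage(lines):
    """Count INVALID reports per (source, destination port, segment kind)."""
    counts = Counter()
    for line in lines:
        rec = parse_line(line)
        if rec:
            counts[(rec["src"], rec["dpt"], classify(rec))] += 1
    return counts

if __name__ == "__main__":
    for key, n in sorted(triage(SAMPLE).items()):
        print(n, *key)
```

Entries counted as `opening-syn` are the case the message asks about: a first handshake packet reported with a reason that refers to already ACKed data.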
