I have the tcp-window-tracking patch applied to my firewall's kernel. For reference, the dates on the first hunk in ./extra/tcp-window-tracking.patch are as follows:

--- linux-2.4.19-base/include/linux/netfilter_ipv4/ip_conntrack_tcp.h	Fri Oct 18 11:38:10 2002
+++ linux-2.4.19-tcp-window/include/linux/netfilter_ipv4/ip_conntrack_tcp.h	Fri Oct 18 11:56:35 2002

Anyway, I have been seeing some strange results from the patch. I have lots of these from the last 12 or so hours:

04:16:48 kernel SRC=195.33.98.115 DST=205.210.52.208 LEN=64 TOS=0x00 PREC=0x00 TTL=37 ID=1 PROTO=TCP SPT=57376 DPT=53 SEQ=232119966 ACK=1365344649 WINDOW=2048 RES=0x00 SYN URGP=0
ip_conntrack_tcp: INVALID: Out of window data; SEQ is under the lower bound (retransmitted already ACKed data)
04:16:49 kernel SRC=195.33.98.115 DST=205.210.52.208 LEN=64 TOS=0x00 PREC=0x00 TTL=37 ID=2 PROTO=TCP SPT=57380 DPT=53 SEQ=2911162149 ACK=4054392719 WINDOW=2048 RES=0x00 SYN URGP=0
ip_conntrack_tcp: INVALID: Out of window data; SEQ is under the lower bound (retransmitted already ACKed data)
04:16:50 kernel SRC=195.33.98.115 DST=205.210.52.208 LEN=64 TOS=0x00 PREC=0x00 TTL=37 ID=3 PROTO=TCP SPT=57382 DPT=53 SEQ=2104223658 ACK=1098213046 WINDOW=2048 RES=0x00 SYN URGP=0
ip_conntrack_tcp: INVALID: Out of window data; SEQ is under the lower bound (retransmitted already ACKed data)

It seems to me that these are just regular run-of-the-mill initial SYN packets (i.e. packet one of the TCP three-way handshake) for TCP DNS queries of my name server (even though I don't have one -- from the number of both UDP and TCP DNS queries I am getting, the previous owner of my IP address must have had a name server running).

Why would these be flagged as "Out of window data" packets when in reality they are just a simple violation of the rules I have installed? Doesn't there have to be an established TCP session in order to determine if there is any "Out of window data"?

b.

-- 
Brian J. Murrell
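To sort through a log like the one in the post, here is an added example (my own script, not code from the post or from the netfilter project) that parses the trimmed LOG-target lines shown above, pairs each with the ip_conntrack_tcp verdict printed after it, and reports which INVALID packets are SYN-only first-handshake packets and which SYN-only packets carry a nonzero acknowledgement number (all three lines in the post do). The sample lines are constructed from the post; the parser assumes the trimmed `TIME kernel KEY=VALUE ... FLAGS` layout shown there rather than the full syslog line with the IN=/OUT=/MAC= prefixes, and the pairing rule (a verdict line belongs to the LOG line immediately before it) is an assumption about how the two printk's interleave.

```python
import re
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Optional, Set

# Constructed sample input, copied from the log lines quoted in the post.
SAMPLE_LOG = """\
04:16:48 kernel SRC=195.33.98.115 DST=205.210.52.208 LEN=64 TOS=0x00 PREC=0x00 TTL=37 ID=1 PROTO=TCP SPT=57376 DPT=53 SEQ=232119966 ACK=1365344649 WINDOW=2048 RES=0x00 SYN URGP=0
ip_conntrack_tcp: INVALID: Out of window data; SEQ is under the lower bound (retransmitted already ACKed data)
04:16:49 kernel SRC=195.33.98.115 DST=205.210.52.208 LEN=64 TOS=0x00 PREC=0x00 TTL=37 ID=2 PROTO=TCP SPT=57380 DPT=53 SEQ=2911162149 ACK=4054392719 WINDOW=2048 RES=0x00 SYN URGP=0
ip_conntrack_tcp: INVALID: Out of window data; SEQ is under the lower bound (retransmitted already ACKed data)
04:16:50 kernel SRC=195.33.98.115 DST=205.210.52.208 LEN=64 TOS=0x00 PREC=0x00 TTL=37 ID=3 PROTO=TCP SPT=57382 DPT=53 SEQ=2104223658 ACK=1098213046 WINDOW=2048 RES=0x00 SYN URGP=0
ip_conntrack_tcp: INVALID: Out of window data; SEQ is under the lower bound (retransmitted already ACKed data)
"""

# Bare tokens the LOG target prints for set TCP flags (note that "ACK" the flag
# and "ACK=<number>" the acknowledgement field are different tokens).
TCP_FLAG_TOKENS = {"SYN", "ACK", "FIN", "RST", "PSH", "URG", "ECE", "CWR"}
INVALID_RE = re.compile(r"ip_conntrack_tcp: INVALID: (?P<reason>.*)")


@dataclass
class Packet:
    time: str
    fields: Dict[str, str]          # KEY=VALUE pairs from the LOG line
    flags: Set[str]                 # bare TCP flag tokens that were set
    verdict: Optional[str] = None   # reason text from the conntrack line, if any

    @property
    def is_initial_syn(self) -> bool:
        # Packet one of the three-way handshake: SYN set, ACK flag clear.
        return "SYN" in self.flags and "ACK" not in self.flags

    @property
    def ack_number_without_ack_flag(self) -> bool:
        # ACK flag clear but the acknowledgement field is nonzero.
        return "ACK" not in self.flags and int(self.fields.get("ACK", "0")) != 0


def parse_log_line(line: str) -> Optional[Packet]:
    """Parse one trimmed LOG-target line; return None for anything else."""
    tokens = line.split()
    if len(tokens) < 3 or tokens[1].rstrip(":") != "kernel":
        return None
    fields: Dict[str, str] = {}
    flags: Set[str] = set()
    for tok in tokens[2:]:
        if "=" in tok:
            key, value = tok.split("=", 1)
            fields[key] = value
        elif tok in TCP_FLAG_TOKENS:
            flags.add(tok)
    if "SRC" not in fields or fields.get("PROTO") != "TCP":
        return None
    return Packet(time=tokens[0], fields=fields, flags=flags)


def parse_log(text: str) -> List[Packet]:
    """Pair each LOG line with the ip_conntrack_tcp verdict that follows it (assumed ordering)."""
    packets: List[Packet] = []
    for raw in text.splitlines():
        line = raw.strip()
        verdict = INVALID_RE.search(line)
        if verdict:
            if packets and packets[-1].verdict is None:
                packets[-1].verdict = verdict.group("reason")
            continue
        pkt = parse_log_line(line)
        if pkt is not None:
            packets.append(pkt)
    return packets


def summarize(packets: List[Packet]) -> dict:
    """Count INVALID-flagged initial SYNs per (source, destination port), plus the odd-ACK case."""
    invalid_initial_syns: Counter = Counter()
    odd_ack = 0
    for p in packets:
        if p.verdict is not None and p.is_initial_syn:
            invalid_initial_syns[(p.fields["SRC"], p.fields["DPT"])] += 1
        if p.ack_number_without_ack_flag:
            odd_ack += 1
    return {
        "invalid_initial_syns": dict(invalid_initial_syns),
        "syn_with_nonzero_ack_number": odd_ack,
    }


if __name__ == "__main__":
    for pkt in parse_log(SAMPLE_LOG):
        print(pkt.time, pkt.fields["SRC"], "->", pkt.fields["DPT"],
              sorted(pkt.flags), "ACK=" + pkt.fields["ACK"], "|", pkt.verdict)
    print(summarize(parse_log(SAMPLE_LOG)))
```

Run it against a real syslog extract after stripping the date and hostname columns (or extend `parse_log_line` to skip them); the per-source counts make it easy to see whether the INVALID verdicts cluster on one scanner-like peer or are spread across ordinary clients.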