From: "Taylor, Grant" <gtaylor@riverviewtech.net>
To: Jason Sigurdur <jason.sigurdur@ASPENVIEW.ORG>
Cc: "'netfilter@lists.netfilter.org'" <netfilter@lists.netfilter.org>
Subject: Re: -m state question
Date: Wed, 13 Apr 2005 09:54:54 -0500
Message-ID: <425D32BE.6020807@riverviewtech.net>
In-Reply-To: <08D2636915B90D4FADE116B548E5A516D6C4D4@s142-179-184-97.ab.hsia.telus.net>

> Hi with the below rules I keep seeing (intermittently) packets that are
> dropped in the 'FORWARD_' chain such as
> 
> FORWARD_DROPPED: IN=eth1 OUT=eth0 SRC=172.16.x.x DST=209.204.233.88 LEN=40
> TOS=0x00 PREC=0x00 TTL=127 ID=53086 DF PROTO=TCP SPT=1595 DPT=80 WINDOW=0
> RES=0x00 RST URGP=0

If I am reading this output correctly, this looks like it is a reset packet.  It would depend on if this packet is in response to errant packets inbound to one of your systems or if you have a system that is erroneously sending this.  If the latter is the case, this packet is not considered ESTABLISHED or RELATED, and as it is not trying to synchronize a new connection it is not considered NEW either.  I would need to see more traffic dumps from shortly before and after (5 - 10 min) this packet to see if it is associated with any other ongoing connection.  I'm not seeing any indication that the ACK flag was set in this packet, thus indicating to me that this packet is in response to another packet that came inbound to it, but I'm not sure whether the LOG target would show the ACK flag or not, though I would expect it to.  Can you get a TCPDump / Ethereal output of this traffic and post it to the list?  (Scrub IPs if you need to.  Make a.b.c.d be your client systems and w.x.y.z be the destination system on the INet.)

> Shouldn't the 3rd FORWARD_ rule allow any new forwarding entries in from
> anywhere except eth0?

No, not if the connection is erroneous.



Grant. . . .
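
An added example, not part of Grant's message: a small parser for LOG target lines that pulls out the TCP flags, which the LOG target prints as bare words (here between RES= and URGP=) only when they are set, and labels each dropped packet by flag combination. The second and third sample lines, the function names and the label names are constructed for illustration.

```python
from collections import Counter

# TCP flags appear in LOG output as bare words, only when set.
TCP_FLAGS = {"CWR", "ECE", "URG", "ACK", "PSH", "RST", "SYN", "FIN"}

# First line is the one quoted in the thread (joined onto one line);
# the other two are constructed for contrast.
SAMPLE = [
    "FORWARD_DROPPED: IN=eth1 OUT=eth0 SRC=172.16.x.x DST=209.204.233.88 LEN=40 "
    "TOS=0x00 PREC=0x00 TTL=127 ID=53086 DF PROTO=TCP SPT=1595 DPT=80 WINDOW=0 "
    "RES=0x00 RST URGP=0",
    "FORWARD_DROPPED: IN=eth1 OUT=eth0 SRC=192.0.2.10 DST=198.51.100.7 LEN=48 "
    "TOS=0x00 PREC=0x00 TTL=127 ID=4101 DF PROTO=TCP SPT=1601 DPT=80 WINDOW=65535 "
    "RES=0x00 SYN URGP=0",
    "FORWARD_DROPPED: IN=eth1 OUT=eth0 SRC=192.0.2.10 DST=198.51.100.7 LEN=40 "
    "TOS=0x00 PREC=0x00 TTL=127 ID=4102 DF PROTO=TCP SPT=1602 DPT=80 WINDOW=0 "
    "RES=0x00 ACK RST URGP=0",
]


def parse_log_line(line):
    """Return (prefix, KEY=value fields, set of TCP flags) for one LOG line."""
    head, _, rest = line.partition("IN=")
    # The --log-prefix is the last word before IN= (syslog headers may precede it).
    prefix = head.split()[-1].rstrip(":") if head.split() else ""
    fields, flags = {}, set()
    for tok in ("IN=" + rest).split():
        if "=" in tok:
            key, _, val = tok.partition("=")
            fields[key] = val  # URGP=0 lands here, not in the flag set
        elif tok in TCP_FLAGS:
            flags.add(tok)
    return prefix, fields, flags


def triage(line):
    """Label a logged packet by its TCP flag combination."""
    _, fields, flags = parse_log_line(line)
    if fields.get("PROTO") != "TCP":
        return "not-tcp"
    if "RST" in flags:
        return "rst-ack" if "ACK" in flags else "bare-rst"
    if "SYN" in flags and "ACK" not in flags:
        return "syn"  # a connection attempt, the case the reply calls NEW
    return "other"


if __name__ == "__main__":
    print(Counter(triage(l) for l in SAMPLE))
```

Run over a longer log, the counts show whether the drops are dominated by resets like the one quoted or by genuine connection attempts that the ruleset should have accepted.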

