From: Gioele Barabucci <dev@gioelebarabucci.com>
To: netfilter@lists.netfilter.org
Subject: Re: Aren't these connections ESTABILISHED? (2nd take)
Date: Sun, 02 Oct 2005 20:11:56 +0200	[thread overview]
Message-ID: <dhp7tp$849$1@sea.gmane.org> (raw)
In-Reply-To: 200510011907.27026.rob0@gmx.co.uk

/dev/rob0 wrote:
> On Saturday 2005-October-01 14:12, Gioele Barabucci wrote:
>> I spent the last weeks doing experiments with iptables but still I
>> have problems with connections that should be ESTABILISHED but are
> 
> You have it spelled correctly in the script, but perhaps you should
> check again. ESTABLISHED != ESTABILISHED. I am not sure if iptables
> would complain about that or not, but it's always safest to spell
> things correctly. :)
Couldn't English borrow more from the Saxons and less from the Latins? There
are so many spell-alike words in Italian and English :(
I'll tell you a secret: I got it wrong the first time I wrote the script :)

>> a bit, iptables forgets that the connection is ESTABILISHED and DROPs
>> the reply.
> When that happens you might want to check the conntrack table. Perhaps
> even script something to run from -j ULOG when a packet is dropped.
Can I dump the packet in a file?

> Is anything not working? I have a feeling these are just occasional
> strays that ip_conntrack isn't catching for some reason.
Sometimes the SPF policy daemon that waits for the DNS dies. But... couldn't
this be the cause and not the effect?
If an application starts up a query and dies before the server replies, would
I see packets like the ones I see in my log?

>> Here is my ruleset (BTW, I did not test the "limit SMTP traffic" rules
>> much, do you think they are correct?)
>> echo "Limit smtp traffic"
> If the problem is dictionary attacks be advised that this might
> not help at all. The attacker could be attempting as many as
> smtpd_recipient_limit (default 1000) usernames in a single session.
It is to make Postfix handle a few messages at a time. I removed these rules,
I'll think of something better later.

> Also, I'm not sure it would do anything at all, because there cannot be
> that many --state NEW connections in such a short time. Conntrack would
> call those "RELATED". I think you should try --syn, not --state NEW.
I tried with netcat and the fifth connection was DROP'd. I'll investigate
the differences between --syn and --state NEW. Thanks for the
corrections.


-- 
Gioele <dev@gioelebarabucci.com>
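As an added illustration that is not part of this thread, the following is a constructed, simplified Python model (not netfilter's own code) of how `--state NEW` and `--syn` classify the packets discussed above: once conntrack has lost the entry for a flow, the next packet of that flow is NEW again, but only a bare SYN ever matches `--syn`. The addresses, ports and the trace are made up for the example.

```python
# Added example (not from the thread): a toy model of netfilter's "--state NEW"
# versus "--syn", showing why a stray packet of a connection that conntrack has
# forgotten is classified NEW but never matches --syn.
from dataclasses import dataclass

FIN, SYN, RST, ACK = 0x01, 0x02, 0x04, 0x10

@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: int

def flow_key(p: Packet) -> frozenset:
    # Direction-independent key: conntrack tracks both directions of a flow.
    return frozenset({(p.src, p.sport), (p.dst, p.dport)})

def state_match(table: set, p: Packet) -> str:
    """Toy conntrack: an unseen 4-tuple is NEW and creates an entry; a known one
    is ESTABLISHED. (Real conntrack also checks TCP flags and windows.)"""
    key = flow_key(p)
    if key in table:
        return "ESTABLISHED"
    table.add(key)
    return "NEW"

def syn_match(p: Packet) -> bool:
    """iptables --syn: SYN set and ACK, RST, FIN clear, i.e. a real connection attempt."""
    return p.flags & (SYN | ACK | RST | FIN) == SYN

def classify(packets, forget_before=()):
    """Return (state, matches_syn) per packet. For indices in forget_before the
    flow's conntrack entry is discarded first, simulating a timed-out or lost entry."""
    table, result = set(), []
    for i, p in enumerate(packets):
        if i in forget_before:
            table.discard(flow_key(p))
        result.append((state_match(table, p), syn_match(p)))
    return result

# Constructed trace: an SMTP handshake, then a server reply after conntrack lost the entry.
CLIENT, SERVER = ("198.51.100.7", 40000), ("192.0.2.25", 25)
TRACE = [
    Packet(*CLIENT, *SERVER, SYN),        # client connects
    Packet(*SERVER, *CLIENT, SYN | ACK),  # server answers
    Packet(*CLIENT, *SERVER, ACK),        # handshake completes
    Packet(*SERVER, *CLIENT, ACK),        # reply arriving after the entry vanished
]

def demo():
    return classify(TRACE, forget_before={3})
```

The last packet comes out as `("NEW", False)`: a `--state NEW` based limit rule counts it as a fresh connection, whereas a `--syn` based rule ignores it.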
