lots of ACK/FIN filtering (DPT=80) at web server.

lots of ACK/FIN filtering (DPT=80) at web server.

[SB CH]

Hello, all.

I have operated linux web server and executed iptables 1.2.8.

and I have found so lots of logs like this ACK,FIN filtering.
Surely, ACK-FIN is a connection closing step, so there is no problem for 
customers but I would like to know why this happens!!
I guess that the timeout of the connection tracking related.


May 25 12:33:05 www kernel: IN=eth0 OUT= SRC=210.126.xxx.xx 
DST=211.10.xx.xx LEN=40 TOS=0x00 PREC=0x00 TTL=118 ID=3376 DF PROTO=TCP 
SPT=3608 DPT=80 WINDOW=63520 RES=0x00 ACK FIN URGP=0

Do you have any problems like me?
and what's the problem and how can I solve this problem?


Thanks in advance for your kind opinios!!

_________________________________________________________________
확인하자. 오늘의 운세 무료 사주, 궁합, 작명, 전생 가이드   
http://www.msn.co.kr/fortune/default.asp  

Re: lots of ACK/FIN filtering (DPT=80) at web server.

[Ray Leach]

[-- Attachment #1: Type: text/plain, Size: 1417 bytes --]

Hi there

On Wed, 2003-05-28 at 10:46, SB CH wrote:
> Hello, all.
> 
> I have operated linux web server and executed iptables 1.2.8.
> 
> and I have found so lots of logs like this ACK,FIN filtering.
> Surely, ACK-FIN is a connection closing step, so there is no problem for 
> customers but I would like to know why this happens!!
> I guess that the timeout of the connection tracking related.
> 
Those are 'broken' browsers that do not follow the http standard
properly.
> 
> May 25 12:33:05 www kernel: IN=eth0 OUT= SRC=210.126.xxx.xx 
> DST=211.10.xx.xx LEN=40 TOS=0x00 PREC=0x00 TTL=118 ID=3376 DF PROTO=TCP 
> SPT=3608 DPT=80 WINDOW=63520 RES=0x00 ACK FIN URGP=0
> 
> Do you have any problems like me?
Yes

> and what's the problem and how can I solve this problem?
> 
Stop using non-standards complient browsers. Sometimes changes to
standards are not 'enhancements'.

> 
> Thanks in advance for your kind opinios!!
> 
> _________________________________________________________________
> 확인하자. 오늘의 운세 무료 사주, 궁합, 작명, 전생 가이드   
> http://www.msn.co.kr/fortune/default.asp  
-- 
--
Raymond Leach <raymondl@knowledgefactory.co.za>
Network Support Specialist
http://www.knowledgefactory.co.za
"lynx -source http://www.rchq.co.za/raymondl.asc | gpg --import"
Key fingerprint = 7209 A695 9EE0 E971 A9AD  00EE 8757 EE47 F06F FB28
--

[-- Attachment #2: This is a digitally signed message part --]
[-- Type: application/pgp-signature, Size: 189 bytes --]

Re: lots of ACK/FIN filtering (DPT=80) at web server.

[SB CH]

Thanks for your kind reply.

>Those are 'broken' browsers that do not follow the http standard
>properly.
which browers? Netscape or Opera? mostly use MSIE, right?


>Stop using non-standards complient browsers. Sometimes changes to
>standards are not 'enhancements'.
There are so lots of people which use different browser, 
then you mean that there is not any solution to solve this problem at 
iptables level?

 
Thanks for your reply.



From: Ray Leach <raymondl@knowledgefactory.co.za>
To: Netfilter Mailing List <netfilter@lists.netfilter.org>
Subject: Re: lots of ACK/FIN filtering (DPT=80) at web server.
Date: 29 May 2003 07:25:38 +0200

Hi there

On Wed, 2003-05-28 at 10:46, SB CH wrote:
 > Hello, all.
 >
 > I have operated linux web server and executed iptables 1.2.8.
 >
 > and I have found so lots of logs like this ACK,FIN filtering.
 > Surely, ACK-FIN is a connection closing step, so there is no problem for
 > customers but I would like to know why this happens!!
 > I guess that the timeout of the connection tracking related.
 >
Those are 'broken' browsers that do not follow the http standard
properly.
 >
 > May 25 12:33:05 www kernel: IN=eth0 OUT= SRC=210.126.xxx.xx
 > DST=211.10.xx.xx LEN=40 TOS=0x00 PREC=0x00 TTL=118 ID=3376 DF PROTO=TCP
 > SPT=3608 DPT=80 WINDOW=63520 RES=0x00 ACK FIN URGP=0
 >
 > Do you have any problems like me?
Yes

 > and what's the problem and how can I solve this problem?
 >
Stop using non-standards complient browsers. Sometimes changes to
standards are not 'enhancements'.

 >
 > Thanks in advance for your kind opinios!!
 >
 > _________________________________________________________________
 > ?ïÏù∏?òÏûê. ?§Îäò???¥ÏÑ∏ Ψ¥Î£å ?¨Ï£º, Í∂ÅÌï©, ?ëΙÖ, ?ÑÏÉù Í∞Ä?¥Îìú
 > http://www.msn.co.kr/fortune/default.asp
--
--
Raymond Leach <raymondl@knowledgefactory.co.za>
Network Support Specialist
http://www.knowledgefactory.co.za
"lynx -source http://www.rchq.co.za/raymondl.asc | gpg --import"
Key fingerprint = 7209 A695 9EE0 E971 A9AD  00EE 8757 EE47 F06F FB28
--
<< signature.asc >>

_________________________________________________________________
¡ı±« ¡§∫∏ ∞°¿Â ∫¸∏£∞Ì ∆Ì«œ∞‘ ∫∏Ω« ºˆ ¿÷Ω¿¥œ¥Ÿ. MSN ¡ı±«/≈ı¿⁄   
http://www.msn.co.kr/stock/  

Re: lots of ACK/FIN filtering (DPT=80) at web server.

[Ray Leach]

[-- Attachment #1: Type: text/plain, Size: 2777 bytes --]

On Thu, 2003-05-29 at 11:17, SB CH wrote:
> Thanks for your kind reply.
> 
> >Those are 'broken' browsers that do not follow the http standard
> >properly.
> which browers? Netscape or Opera? mostly use MSIE, right?
> 
Just IE I think ...

> 
> >Stop using non-standards complient browsers. Sometimes changes to
> >standards are not 'enhancements'.
> There are so lots of people which use different browser, 
> then you mean that there is not any solution to solve this problem at 
> iptables level?
> 
Sure, just ACCEPT the ACK-FIN packets.

>  
> Thanks for your reply.
> 
> 
> 
> From: Ray Leach <raymondl@knowledgefactory.co.za>
> To: Netfilter Mailing List <netfilter@lists.netfilter.org>
> Subject: Re: lots of ACK/FIN filtering (DPT=80) at web server.
> Date: 29 May 2003 07:25:38 +0200
> 
> Hi there
> 
> On Wed, 2003-05-28 at 10:46, SB CH wrote:
>  > Hello, all.
>  >
>  > I have operated linux web server and executed iptables 1.2.8.
>  >
>  > and I have found so lots of logs like this ACK,FIN filtering.
>  > Surely, ACK-FIN is a connection closing step, so there is no problem for
>  > customers but I would like to know why this happens!!
>  > I guess that the timeout of the connection tracking related.
>  >
> Those are 'broken' browsers that do not follow the http standard
> properly.
>  >
>  > May 25 12:33:05 www kernel: IN=eth0 OUT= SRC=210.126.xxx.xx
>  > DST=211.10.xx.xx LEN=40 TOS=0x00 PREC=0x00 TTL=118 ID=3376 DF PROTO=TCP
>  > SPT=3608 DPT=80 WINDOW=63520 RES=0x00 ACK FIN URGP=0
>  >
>  > Do you have any problems like me?
> Yes
> 
>  > and what's the problem and how can I solve this problem?
>  >
> Stop using non-standards complient browsers. Sometimes changes to
> standards are not 'enhancements'.
> 
>  >
>  > Thanks in advance for your kind opinios!!
>  >
>  > _________________________________________________________________
>  > ?•ì¸?˜ìž. ?¤ëŠ˜???´ì„¸ 무료 ?¬ì£¼, 궁합, ?‘명, ?„생 ê°€?´ë“œ
>  > http://www.msn.co.kr/fortune/default.asp
> --
> --
> Raymond Leach <raymondl@knowledgefactory.co.za>
> Network Support Specialist
> http://www.knowledgefactory.co.za
> "lynx -source http://www.rchq.co.za/raymondl.asc | gpg --import"
> Key fingerprint = 7209 A695 9EE0 E971 A9AD  00EE 8757 EE47 F06F FB28
> --
> << signature.asc >>
> 
> _________________________________________________________________
> Áõ±Ç Á¤º¸ °¡Àå ºü¸£°í ÆíÇÏ°Ô º¸½Ç ¼ö ÀÖ½À´Ï´Ù. MSN Áõ±Ç/ÅõÀÚ   
> http://www.msn.co.kr/stock/  
-- 
--
Raymond Leach <raymondl@knowledgefactory.co.za>
Network Support Specialist
http://www.knowledgefactory.co.za
"lynx -source http://www.rchq.co.za/raymondl.asc | gpg --import"
Key fingerprint = 7209 A695 9EE0 E971 A9AD  00EE 8757 EE47 F06F FB28
--

[-- Attachment #2: This is a digitally signed message part --]
[-- Type: application/pgp-signature, Size: 189 bytes --]

Re: lots of ACK/FIN filtering (DPT=80) at web server.

[Pascal Italiaander]

Op donderdag 29 mei 2003 07:25, schreef Ray Leach:
> Hi there
>
> On Wed, 2003-05-28 at 10:46, SB CH wrote:
> > Hello, all.
> >
> > I have operated linux web server and executed iptables 1.2.8.
> >
> > and I have found so lots of logs like this ACK,FIN filtering.
> > Surely, ACK-FIN is a connection closing step, so there is no problem for
> > customers but I would like to know why this happens!!
> > I guess that the timeout of the connection tracking related.
>
> Those are 'broken' browsers that do not follow the http standard
> properly.
>
> > May 25 12:33:05 www kernel: IN=eth0 OUT= SRC=210.126.xxx.xx
> > DST=211.10.xx.xx LEN=40 TOS=0x00 PREC=0x00 TTL=118 ID=3376 DF PROTO=TCP
> > SPT=3608 DPT=80 WINDOW=63520 RES=0x00 ACK FIN URGP=0
> >
> > Do you have any problems like me?
>
> Yes
>
> > and what's the problem and how can I solve this problem?
>
> Stop using non-standards complient browsers. Sometimes changes to
> standards are not 'enhancements'.
>
> > Thanks in advance for your kind opinios!!
> >
> > _________________________________________________________________
> > 확인하자. 오늘의 운세 무료 사주, 궁합, 작명, 전생 가이드
> > http://www.msn.co.kr/fortune/default.asp

This is correct , mostly this happens when you have the rule like this:
iptables -A OUTPUT -p tcp ! --syn -m state --state NEW -j DROP
and you have a workstation inside your network , you browse with.
The most logging wil be done if you run a Windows-client      :-)

BUT you run a webserver,  and in your log-file says IN=eth0 and not OUT=eth0.

I run a webserver in Holland also , and it may happens sometimes ,that someone 
keeps the website open , but does nothing. So a connection_time_out 
acurse,and the ACK,FIN will be dropped, when the client closes the browser or 
page.

But NO heavy logging of that may happen.

So  I asume there is something else...

maybe a faulty rule ? like this ?:

iptables -A INPUT -p tcp ! --syn -m state --state NEW -j DROP

send us your ruleset . If you only run a public-webserver (and ftp or ssh ) 
you don't need a heavy ruleset. ( keep it plain and simple)

Pascal