* What does this mean?
@ 2003-02-27 15:06 Raymond Leach
2003-02-27 15:48 ` Maciej Soltysiak
0 siblings, 1 reply; 6+ messages in thread
From: Raymond Leach @ 2003-02-27 15:06 UTC (permalink / raw)
To: Netfilter Mailing List
Hi
I see this in my firewall log:
Feb 27 16:51:19 firefly kernel: DROP FORWARD INTERNAL: IN=eth2 OUT=eth0
SRC=10.0.0.67 DST=68.84.228.144 LEN=60 TOS=0x00 PREC=0x00 TTL=63
ID=64368 DF PROTO=TCP SPT=54767 DPT=0 WINDOW=5840 RES=0x00 CWR ECE SYN
URGP=0
What is DPT=0? I've never heard of using port 0 ...
What is CWR ECE SYN? Are they TCP flags? If so, what is CWR ECE ?
Ray
--
* Re: What does this mean?
2003-02-27 15:06 What does this mean? Raymond Leach
@ 2003-02-27 15:48 ` Maciej Soltysiak
2003-03-05 17:02 ` Alexander W. Janssen
0 siblings, 1 reply; 6+ messages in thread
From: Maciej Soltysiak @ 2003-02-27 15:48 UTC (permalink / raw)
To: Raymond Leach; +Cc: Netfilter Mailing List
> I see this in my firewall log:
> Feb 27 16:51:19 firefly kernel: DROP FORWARD INTERNAL: IN=eth2 OUT=eth0
> SRC=10.0.0.67 DST=68.84.228.144 LEN=60 TOS=0x00 PREC=0x00 TTL=63
> ID=64368 DF PROTO=TCP SPT=54767 DPT=0 WINDOW=5840 RES=0x00 CWR ECE SYN
> URGP=0
>
> What is DPT=0? I've never heard of using port 0 ...
No services there, this packet is certainly invalid. Some OS's respond to
them with tcp rst, some just drop them.
> What is CWR ECE SYN? Are they TCP flags? If so, what is CWR ECE ?
Yes they are TCP flags, CWR & ECE are ECN extensions to the TCP header.
Read RFC 3168.
Note, some routers out there are not ECN aware and violate RFC 3168 by
dropping these packets. This causes interoperability problems, which
should be resolved by vendors.
> Ray
Maciej
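The reading of the log entry given in the reply above, as an added example (not part of the thread and not netfilter code): a Python parser for the LOG target's output that separates key=value fields from the bare flag words and notes port 0 and the RFC 3168 ECN-setup flag combinations. The function names and note texts are this example's own; the sample is the entry quoted in the thread, joined onto one line.

```python
import re

# Constructed sample: the log entry quoted in the thread, joined onto one line.
SAMPLE = ("Feb 27 16:51:19 firefly kernel: DROP FORWARD INTERNAL: IN=eth2 OUT=eth0 "
          "SRC=10.0.0.67 DST=68.84.228.144 LEN=60 TOS=0x00 PREC=0x00 TTL=63 "
          "ID=64368 DF PROTO=TCP SPT=54767 DPT=0 WINDOW=5840 RES=0x00 CWR ECE SYN "
          "URGP=0")

# Bare words (no "=") that the LOG target prints for set header bits.
IP_FLAGS = {"CE", "DF", "MF"}
TCP_FLAGS = {"CWR", "ECE", "URG", "ACK", "PSH", "RST", "SYN", "FIN"}

def parse_log_line(line):
    """Return (fields, ip_flags, tcp_flags) for one netfilter LOG entry."""
    # Everything before IN= is the syslog header plus the rule's log prefix.
    start = re.search(r"\bIN=", line)
    if not start:
        raise ValueError("not a netfilter LOG line")
    fields, ip_flags, tcp_flags = {}, set(), set()
    for tok in line[start.start():].split():
        if "=" in tok:
            key, value = tok.split("=", 1)
            fields[key] = value
        elif "PROTO" not in fields and tok in IP_FLAGS:
            ip_flags.add(tok)          # IP header flags come before PROTO=
        elif tok in TCP_FLAGS:
            tcp_flags.add(tok)         # TCP flags come after RES=
    return fields, ip_flags, tcp_flags

def annotate(line):
    """Explain the two oddities discussed in the thread, if present."""
    fields, _, tcp_flags = parse_log_line(line)
    notes = []
    if fields.get("PROTO") != "TCP":
        return notes
    if "0" in (fields.get("SPT"), fields.get("DPT")):
        notes.append("port 0: reserved, no service listens there")
    if {"SYN", "ECE", "CWR"} <= tcp_flags and "ACK" not in tcp_flags:
        notes.append("ECN-setup SYN (RFC 3168): sender offers ECN")
    elif {"SYN", "ACK", "ECE"} <= tcp_flags and "CWR" not in tcp_flags:
        notes.append("ECN-setup SYN-ACK (RFC 3168): peer accepts ECN")
    return notes

if __name__ == "__main__":
    for note in annotate(SAMPLE):
        print(note)
```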
* Re: What does this mean?
2003-02-27 15:48 ` Maciej Soltysiak
@ 2003-03-05 17:02 ` Alexander W. Janssen
0 siblings, 0 replies; 6+ messages in thread
From: Alexander W. Janssen @ 2003-03-05 17:02 UTC (permalink / raw)
To: Netfilter Mailinglist
On Thu, Feb 27, 2003 at 04:48:30PM +0100, Maciej Soltysiak wrote:
> Note, some routers out there are not ECN aware and violate RFC 3168 by
> dropping these packets. This causes interoperability problems, which
> should be resolved by vendors.
At http://urchin.earth.li/cgi-bin/ecn.pl?output=ip is a list with routers which
are known to violate ECN. There is even a perl-script around which uses the
--remove-ecn feature of the ECN target to create rules based on that list of
IP-addresses. Quite nice, since it sorts out the problem locally - but not in
a global sense. Call it self-defense.
> > Ray
> Maciej
Alex
--
"Mr Data, when I said 'Fire at Will', I didn't mean for you to be so literal."
Instructions for use of this post: Insert tongue in cheek. Read as normal.
* What does this mean ?
@ 2003-03-19 9:51 Frederic Gobin
2003-03-19 11:05 ` Raymond Leach
0 siblings, 1 reply; 6+ messages in thread
From: Frederic Gobin @ 2003-03-19 9:51 UTC (permalink / raw)
To: netfilter
Hi there everybody,
I have one question :
Each time I look into my firewall logs, I see many dropped packets
that match this pattern :
Protocol : TCP
Source port : 80
Dest port : 1024-65535
Flags : ACK FIN
Where are those packets coming from ?
Thanks for reading and Thanks for each answer I get ...
Frederic Gobin
* Re: What does this mean ?
2003-03-19 9:51 What does this mean ? Frederic Gobin
@ 2003-03-19 11:05 ` Raymond Leach
2003-03-19 11:16 ` Frederic Gobin
0 siblings, 1 reply; 6+ messages in thread
From: Raymond Leach @ 2003-03-19 11:05 UTC (permalink / raw)
To: Netfilter Mailing List
That would be IE clients browsing the web. IE is the only browser I've
found that does this.
On Wed, 2003-03-19 at 11:51, Frederic Gobin wrote:
> Hi there everybody,
>
> I have one question :
>
> Each time I look into my firewall logs, I see many dropped packets
> that match this pattern :
>
> Protocol : TCP
> Source port : 80
> Dest port : 1024-65535
> Flags : ACK FIN
>
> Where are those packets coming from ?
>
> Thanks for reading and Thanks for each answer I get ...
>
> Frederic Gobin
--
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
( Raymond Leach )
) Knowledge Factory (
( )
) Tel: +27 11 445 8100 (
( Fax: +27 11 445 8101 )
) (
( http://www.knowledgefactory.co.za/ )
) http://www.saptg.co.za/ (
( http://www.mapnet.co.za/ )
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
o o
o o
.--. .--.
| o_o| |o_o |
| \_:| |:_/ |
/ / \\ // \ \
( | |) (| | )
/`\_ _/'\ /'\_ _/`\
\___)=(___/ \___)=(___/
* Re: What does this mean ?
2003-03-19 11:05 ` Raymond Leach
@ 2003-03-19 11:16 ` Frederic Gobin
0 siblings, 0 replies; 6+ messages in thread
From: Frederic Gobin @ 2003-03-19 11:16 UTC (permalink / raw)
To: netfilter
So I can add a rule to drop those packets without having any problems ?
(That could clear the logs a bit ;-))
Frederic Gobin
On Wednesday, 19.03.03 at 12:05, Raymond Leach wrote:
> That would be IE clients browsing the web. IE is the only browser I've
> found that does this.
>
> On Wed, 2003-03-19 at 11:51, Frederic Gobin wrote:
>> Hi there everybody,
>>
>> I have one question :
>>
>> Each time I look into my firewall logs, I see many dropped packets
>> that match this pattern :
>>
>> Protocol : TCP
>> Source port : 80
>> Dest port : 1024-65535
>> Flags : ACK FIN
>>
>> Where are those packets coming from ?
>>
>> Thanks for reading and Thanks for each answer I get ...
>>
>> Frederic Gobin