From: "P.Srihari" <srihari.par@wipro.com>
To: netfilter@lists.netfilter.org
Subject: packet matching problem
Date: Mon, 12 May 2003 19:59:11 +0530
Message-ID: <3EBFAFB7.3D78BFDE@wipro.com>
Hi,
I am facing what I think is a peculiar problem. I have a set of rules as
follows:
iptables -I FORWARD -p tcp --tcp-flags SYN,RST,ACK SYN -m limit --limit 1/s --limit-burst 1024 -j ACCEPT
iptables -A FORWARD -p tcp --tcp-flags SYN,RST,ACK SYN -j LOG --log-prefix "SYN ATTACK"
iptables -A FORWARD -p tcp --tcp-flags SYN,RST,ACK SYN -j DROP
iptables -A FORWARD -p tcp -m state --state RELATED,ESTABLISHED -j ACCEPT
Now I started an FTP session from the host to an FTP server. In this
session, I turn off the prompt and do an mget * (multiple files).
The files are of the order of about 4 MB or so. As soon as the first file
is completed, it prints the message SYN ATTACK, with the SRC port as the
ftp-data port (20); no other traffic is coming into the firewall host.
tcpdump on the firewall machine shows that about 8 or 9 SYN packets
have been received by the firewall host.
Now in the netfilter framework in the 2.4.5 kernel, I found the following:
a. For some strange reason, the packet-matching code in the kernel
for limit is being invoked even for non-SYN packets, and as the traffic
to the ftp-data port flows into the firewall, the credit associated with the
entry for the 1st rule in the above-mentioned rule set is getting reduced and
finally the SYN ATTACK message is printed.
I am not saying that there is a bug in the netfilter code, but there
could be something wrong in the rules that I have framed.
The above observations are accurate, as I have done the test quite a
few times.
The iptables version that I am using is 1.2.6a.
Can anyone suggest a solution?
Thanks,
Srihari
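As an added illustration (an editor's example, not code from the post, from iptables or from the kernel), the following Python models the posted FORWARD chain and runs two constructed traces through it: the active-mode mget from the post (one data connection from server port 20 per file, a bare SYN followed by data segments) and a burst of bare SYNs arriving within one second. The limit match is modelled as the token bucket ipt_limit implements (a fixed cost per matched packet, credit refilled at the average rate and capped at burst); the state match is approximated as "anything that is not a bare SYN", which is sufficient for these traces. The packet counts, timings, the port numbers and the alternative "state-first" ordering are assumptions of the example. Besides the verdict counts, it reports how often the limit match was called and how many packets the limit rule was evaluated for at all, so the two orderings can be compared on that point.

```python
from dataclasses import dataclass

@dataclass
class Packet:
    t: float          # seconds since the start of the constructed trace
    sport: int
    dport: int
    syn: bool = False
    ack: bool = False
    rst: bool = False

def syn_only(pkt):
    """--tcp-flags SYN,RST,ACK SYN: of the three examined flags, only SYN is set."""
    return pkt.syn and not pkt.ack and not pkt.rst

def established(pkt):
    """Stand-in for -m state --state RELATED,ESTABLISHED. In these traces every
    packet either opens a connection (bare SYN) or belongs to one already
    opened, so "not a bare SYN" is an adequate approximation (assumption)."""
    return not syn_only(pkt)

class LimitMatch:
    """Token bucket in the shape of ipt_limit: cost per packet is 1/rate seconds
    of credit, credit refills at the average rate and is capped at burst * cost."""
    def __init__(self, rate_per_sec, burst):
        self.cost = 1.0 / rate_per_sec
        self.cap = burst * self.cost
        self.credit = self.cap
        self.prev = 0.0
        self.calls = 0          # how often the limit match itself ran
    def __call__(self, pkt):
        self.calls += 1
        self.credit = min(self.cap, self.credit + (pkt.t - self.prev))
        self.prev = pkt.t
        if self.credit >= self.cost:
            self.credit -= self.cost
            return True
        return False

class Rule:
    def __init__(self, matches, target):
        self.matches, self.target = matches, target
        self.seen = 0           # packets for which this rule was evaluated
    def applies(self, pkt):
        self.seen += 1
        # matches run left to right; the first one that fails ends the rule
        return all(m(pkt) for m in self.matches)

def run_chain(rules, packets):
    """LOG is non-terminating in iptables: it fires and evaluation continues."""
    counts = {"ACCEPT": 0, "LOG": 0, "DROP": 0, "POLICY": 0}
    for pkt in packets:
        verdict = "POLICY"
        for r in rules:
            if r.applies(pkt):
                if r.target == "LOG":
                    counts["LOG"] += 1
                    continue
                verdict = r.target
                break
        counts[verdict] += 1
    return counts

def posted_chain(limit):
    return [Rule([syn_only, limit], "ACCEPT"), Rule([syn_only], "LOG"),
            Rule([syn_only], "DROP"), Rule([established], "ACCEPT")]

def state_first_chain(limit):
    # assumed alternative ordering: stateful ACCEPT ahead of the SYN rules
    return [Rule([established], "ACCEPT"), Rule([syn_only, limit], "ACCEPT"),
            Rule([syn_only], "LOG"), Rule([syn_only], "DROP")]

def ftp_data_trace(files=9, segments=3000, gap=5.0):
    """Constructed active-mode mget: per file one SYN from port 20, then data."""
    pkts = []
    for i in range(files):
        t0 = i * gap
        pkts.append(Packet(t0, 20, 40000 + i, syn=True))
        for j in range(1, segments + 1):
            pkts.append(Packet(t0 + j * gap / (segments + 2), 20, 40000 + i, ack=True))
    return pkts

def syn_flood_trace(n=1100):
    """Constructed burst: n bare SYNs arriving at the same instant."""
    return [Packet(0.0, 50000 + i, 80, syn=True) for i in range(n)]

def simulate(build, packets, rate=1.0, burst=1024):
    limit = LimitMatch(rate, burst)
    rules = build(limit)
    counts = run_chain(rules, packets)
    counts["limit_calls"] = limit.calls
    counts["limit_rule_seen"] = next(r for r in rules if limit in r.matches).seen
    return counts

if __name__ == "__main__":
    for name, build in (("posted", posted_chain), ("state-first", state_first_chain)):
        print(name, "mget :", simulate(build, ftp_data_trace()))
        print(name, "flood:", simulate(build, syn_flood_trace()))
```

With the match semantics modelled here, the mget trace calls the limit match nine times under either ordering (once per bare SYN) and nothing is logged or dropped, and a burst of 1100 bare SYNs gets exactly 1024 through before the remaining 76 are logged and dropped. The difference between the orderings is in `limit_rule_seen`: in the posted order every data segment is evaluated against the limit rule and only rejected by its tcp-flags match, whereas with the stateful ACCEPT first the limit rule is evaluated for the nine SYNs only, so whatever the limit code does when invoked, it cannot be reached by established-connection traffic.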
Thread overview: 2+ messages
2003-05-12 14:29 P.Srihari [this message]
2003-05-12 15:42 ` packet matching problem narendra prabhu