From: "Björn Schmidt" <bj-schmidt@uni-paderborn.de>
To: netfilter@lists.netfilter.org
Subject: Re: state: INVALID
Date: Sun, 21 Nov 2004 00:18:21 +0100
Message-ID: <419FD0BD.6000906@uni-paderborn.de>
In-Reply-To: <1100990773.3501.9.camel@hubcap.ljm.dom>
Jason Opperisano wrote:
>>the ulogd logfile of my server shows many "INVALID state" packets. What could
>>be the reason for that?
>
> my guess would be because you have a log rule that logs on "-m state
> --state INVALID"
Yes, of course. ;)
>>The server has one cardbus nic (eth0), one dsl-interface (ppp0) and, of course
>>lo. The client has only eth0 and lo. The kernel version of both computers is
>>2.6.10-rc2
>>
>>syslogemu.log:Nov 19 20:31:52 kilobyte INPUT_INVALID IN=eth0 OUT=
>>MAC=00:d0:b7:01:ce:2a:00:04:e2:7f:90:41:08:00 SRC=192.168.0.2 DST=192.168.0.1
>>LEN=52 TOS=00 PREC=0x00 TTL=64 ID=1680 DF PROTO=TCP SPT=32899 DPT=3130
>>SEQ=4260699581 ACK=510793293 WINDOW=5080 ACK FIN URGP=0
>
> this is a FIN-ACK packet from the client to the server for an ICP
> session.
Ooops, I picked exactly the entries from the log which are _really_ invalid.
Sorry for that (it was too late at night...).
Here is a(n older) packet that is _falsely_ classified as INVALID (should be
ESTABLISHED). I changed the IP address and hostname in the meantime:
Oct 29 13:51:05 skyron ILLEGAL_PACKET IN= OUT=eth0 MAC= SRC=192.168.1.1
DST=192.168.1.2 LEN=60 TOS=00 PREC=0x00 TTL=64 ID=0 DF PROTO=TCP SPT=22
DPT=33085 SEQ=1048000056 ACK=1050690244 WINDOW=5792 ACK SYN URGP=0
Besides, I forgot to mention that I only get "false INVALID" states with
activated IPsec (ESP in transport mode, kernel 2.6). With IPsec _AND_ iptables
it is NOT possible to establish a new TCP connection due to these "INVALID
state packets".
There is also a (German) thread at debian-users-german where we tried to solve
this problem, without success:
http://lists.debian.org/debian-user-german/2004/10/msg02735.html
> the definition of an INVALID packet is simply a packet that is neither
> ESTABLISHED nor RELATED. depending on the specific communication in
> question and the timeout values on the firewall for the CLOSE-WAIT
> state--you can see a *ton* of FIN-ACK packets that will be considered
> "invalid" as they arrive after the firewall has removed the connection
> in question from conntrack. port-unreachables should normally match as
> "related," but there could have been something funny going on.
--
Greetings
Bjoern Schmidt
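
The triage done by hand in this message, as an added example that is not part of the original post: it parses LOG/ULOG lines written by a "--state INVALID" rule and separates teardown packets (the late FIN-ACK case) from SYN-ACK handshake replies (the "false INVALID" case). The bucket names and function names are assumptions made for illustration; the two sample lines are the entries quoted above, rejoined onto single lines.

```python
import re
from collections import Counter

# Flag tokens the netfilter LOG target prints between WINDOW= and URGP=.
TCP_FLAGS = ("CWR", "ECE", "URG", "ACK", "PSH", "RST", "SYN", "FIN")

# The two log entries quoted in the message, rejoined onto single lines.
SAMPLE_LOG = """\
Nov 19 20:31:52 kilobyte INPUT_INVALID IN=eth0 OUT= MAC=00:d0:b7:01:ce:2a:00:04:e2:7f:90:41:08:00 SRC=192.168.0.2 DST=192.168.0.1 LEN=52 TOS=00 PREC=0x00 TTL=64 ID=1680 DF PROTO=TCP SPT=32899 DPT=3130 SEQ=4260699581 ACK=510793293 WINDOW=5080 ACK FIN URGP=0
Oct 29 13:51:05 skyron ILLEGAL_PACKET IN= OUT=eth0 MAC= SRC=192.168.1.1 DST=192.168.1.2 LEN=60 TOS=00 PREC=0x00 TTL=64 ID=0 DF PROTO=TCP SPT=22 DPT=33085 SEQ=1048000056 ACK=1050690244 WINDOW=5792 ACK SYN URGP=0
"""

def parse_line(line):
    """Split one LOG line into KEY=value fields plus the set of TCP flags."""
    fields = dict(re.findall(r"\b([A-Z]+)=(\S*)", line))
    m = re.search(r"WINDOW=\S+\s(.*?)URGP=", line)
    tokens = m.group(1).split() if m else []
    return fields, {tok for tok in tokens if tok in TCP_FLAGS}

def triage(flags):
    """Heuristic bucket (an assumption, not a netfilter rule) for an INVALID hit."""
    if "FIN" in flags or "RST" in flags:
        return "teardown"         # plausibly arrived after the entry left conntrack
    if "SYN" in flags and "ACK" in flags:
        return "handshake-reply"  # reply to a SYN that conntrack has no entry for
    return "other"

def summarize(log_text):
    """Return (bucket counts, 4-tuples of handshake replies to investigate)."""
    buckets, suspects = Counter(), []
    for line in log_text.splitlines():
        fields, flags = parse_line(line)
        if fields.get("PROTO") != "TCP":
            continue
        bucket = triage(flags)
        buckets[bucket] += 1
        if bucket == "handshake-reply":
            suspects.append((fields["SRC"], fields["SPT"], fields["DST"], fields["DPT"]))
    return buckets, suspects

if __name__ == "__main__":
    counts, suspects = summarize(SAMPLE_LOG)
    print(dict(counts))
    for s in suspects:
        print("SYN-ACK logged as INVALID: %s:%s -> %s:%s" % s)
```

A steady stream of "teardown" hits matches the late FIN-ACK explanation in the quoted reply; "handshake-reply" hits are the ones that stop new connections and deserve a look at whether the original SYN was ever seen by conntrack.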