On Friday 11 October 2002 15:03, Antony Stone wrote: > Depending on what else you're logging, 15% of your log entries could be a > lot of packets, could be only a few.... It's thousands of them ;-) (And the timeframe was only a day or so...) > I'd expect the reason might be a system sending two RST packets (I believe > this is quite common, but I haven't done any specific network sniffing to > check it out). The first one takes down the connection so it is no longer > ESTABLISHED, the second one gets logged because it doesn't correspond to an > established connection... Hmm, besides the obvious questions *why* the second RST is sent and why conntrack doesn't have provisions for ignoring subsequent RSTs for a short amount of time the reasoning itself makes sense. > Maybe you could try putting a LOG rule to catch *all* RSTs at the beginning > of your rules (before even the ESTABLISHED, RELATED rule) and see if this > shows they are coming along in pairs ? Good idea. I'm not going to modify the firewall so close before the weekend, but will do so next monday. Thanks for the tip and I'll let you know about the results! -- Martijn