On Friday 11 October 2002 16:29, Martijn Klingens wrote:
> On Friday 11 October 2002 15:03, Antony Stone wrote:
> > Maybe you could try putting a LOG rule to catch *all* RSTs at the
> > beginning of your rules (before even the ESTABLISHED, RELATED rule) and
> > see if this shows they are coming along in pairs?
>
> Good idea. I'm not going to modify the firewall so close before the
> weekend, but will do so next Monday. Thanks for the tip and I'll let you
> know about the results!

Just did some small tests, and unfortunately this idea seems to be incorrect. Each 'unexpected rst' has exactly *ONE* RST coming in, so it's not a duplicate entry being dropped, it's a unique entry.

Also, the IP addresses causing unexpected RSTs are sending accepted RSTs later on in the firewall log with a slightly higher port number, so it looks like the senders are legitimate and not malicious users.

Do you have any other ideas why the RSTs are not accepted by the conntrack code as 'related'?

--
Martijn
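The two checks made by hand above (does the catch-all LOG rule see each RST exactly once, and does the same source later send an accepted RST from a nearby port) can be run over the firewall log mechanically. The following Python is an added example, not code from this thread; the LOG prefixes RST-ALL, UNEXP-RST and ACCEPT and the sample kernel log lines are constructed assumptions.

```python
"""Inspect iptables LOG output for RST packets (added example, constructed data)."""
import re
from collections import Counter

# Fields of a kernel iptables LOG line that matter here; MAC= and the IP header
# fields between DST= and PROTO= are skipped with non-greedy matches.
LINE_RE = re.compile(
    r"kernel: (?P<prefix>\S+) IN=\S* OUT=\S* .*?SRC=(?P<src>\S+) DST=(?P<dst>\S+)"
    r" .*?PROTO=TCP SPT=(?P<spt>\d+) DPT=(?P<dpt>\d+) (?P<rest>.*)$"
)

# Constructed sample: one RST seen once by the catch-all rule and then logged as
# unexpected, followed by an accepted RST from the same host, two ports higher.
SAMPLE = """\
Oct 14 09:00:01 fw kernel: RST-ALL IN=eth0 OUT= SRC=192.0.2.10 DST=198.51.100.5 LEN=40 TOS=0x00 PREC=0x00 TTL=52 ID=0 DF PROTO=TCP SPT=3456 DPT=80 WINDOW=0 RES=0x00 RST URGP=0
Oct 14 09:00:01 fw kernel: UNEXP-RST IN=eth0 OUT= SRC=192.0.2.10 DST=198.51.100.5 LEN=40 TOS=0x00 PREC=0x00 TTL=52 ID=0 DF PROTO=TCP SPT=3456 DPT=80 WINDOW=0 RES=0x00 RST URGP=0
Oct 14 09:00:02 fw kernel: RST-ALL IN=eth0 OUT= SRC=192.0.2.10 DST=198.51.100.5 LEN=40 TOS=0x00 PREC=0x00 TTL=52 ID=0 DF PROTO=TCP SPT=3458 DPT=80 WINDOW=0 RES=0x00 ACK RST URGP=0
Oct 14 09:00:02 fw kernel: ACCEPT IN=eth0 OUT= SRC=192.0.2.10 DST=198.51.100.5 LEN=40 TOS=0x00 PREC=0x00 TTL=52 ID=0 DF PROTO=TCP SPT=3458 DPT=80 WINDOW=0 RES=0x00 ACK RST URGP=0
"""

def parse_log(text):
    """Return one dict per TCP log line: prefix, src, dst, spt, dpt, rst (bool)."""
    out = []
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        rec = m.groupdict()
        rec["spt"], rec["dpt"] = int(rec["spt"]), int(rec["dpt"])
        rec["rst"] = "RST" in rec.pop("rest").split()  # TCP flag tokens
        out.append(rec)
    return out

def rst_arrivals(entries, prefix="RST-ALL"):
    """RSTs the catch-all rule logged per flow tuple (1 = single, 2 = a pair)."""
    return Counter((e["src"], e["dst"], e["spt"], e["dpt"])
                   for e in entries if e["prefix"] == prefix and e["rst"])

def later_accepted_rst(entries, unexpected="UNEXP-RST", accepted="ACCEPT"):
    """For each unexpected RST, the (spt, dpt) of accepted RSTs from the same source seen afterwards."""
    result = {}
    for i, e in enumerate(entries):
        if e["prefix"] == unexpected and e["rst"]:
            result[(e["src"], e["spt"])] = [
                (f["spt"], f["dpt"]) for f in entries[i + 1:]
                if f["prefix"] == accepted and f["rst"] and f["src"] == e["src"]]
    return result

if __name__ == "__main__":
    recs = parse_log(SAMPLE)
    print(rst_arrivals(recs))          # every tuple counted once: no pairs
    print(later_accepted_rst(recs))    # unexpected RST followed by accepted one from port 3458
```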