On Thursday 05 December 2002 04:38 am, Philipp (mailinglists@belfin.ch) wrote:
> Hi
>
> I have a rule saying this:
>
> iptables -A INPUT -p 6 ! --syn -m state --state NEW -j LOG --log-level
> warn --log-prefix "### NOT-SYN ### "
> iptables -A INPUT -p 6 ! --syn -m state --state NEW -j DROP
>
> and I've got logs that look like this:
>
> Dec 4 17:28:07 rproxy2 kernel: ### NOT-SYN ### IN=eth1 OUT=
> MAC=00:a0:24:6a:d0:56:00:10:db:1e:20:70:08:00 SRC=194.112.179.45
> DST=192.168.1.6
> LEN=52 TOS=0x00 PREC=0x00 TTL=53 ID=2979 DF PROTO=TCP SPT=60351 DPT=80
> WINDOW=5840 RES=0x00 ACK FIN URGP=0
>
> Also I've got a snort box running in my ISP's subnet. Snort would have
> picked it up if this was a scan.
> Does iptables 1.2.5 have a problem with FIN-ACK packets?

No, but if they are the first traffic it recognizes in a connection (i.e.,
state=NEW) and they are NOT SYN, your rule will log them. This does not
always mean that no connection was previously made; it can occur if the
connection has timed out, or if the connection is refused.

j
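As an added illustration (not code from the thread), the following Python parses kernel LOG lines in the format quoted above and sorts the NOT-SYN hits along the lines of the reply: a late FIN/ACK or RST/ACK for a flow conntrack no longer has state for, versus a packet carrying no ACK at all, which could never have belonged to a tracked connection. The sample log lines are constructed; only the first mirrors the thread's entry.

```python
import re
from collections import Counter

# Constructed sample LOG lines in the kernel format quoted in the thread.
SAMPLE_LOGS = [
    "Dec  4 17:28:07 rproxy2 kernel: ### NOT-SYN ### IN=eth1 OUT= "
    "MAC=00:a0:24:6a:d0:56:00:10:db:1e:20:70:08:00 SRC=194.112.179.45 DST=192.168.1.6 "
    "LEN=52 TOS=0x00 PREC=0x00 TTL=53 ID=2979 DF PROTO=TCP SPT=60351 DPT=80 WINDOW=5840 RES=0x00 ACK FIN URGP=0",
    "Dec  4 17:31:12 rproxy2 kernel: ### NOT-SYN ### IN=eth1 OUT= "
    "MAC=00:a0:24:6a:d0:56:00:10:db:1e:20:70:08:00 SRC=10.9.8.7 DST=192.168.1.6 "
    "LEN=40 TOS=0x00 PREC=0x00 TTL=60 ID=1 DF PROTO=TCP SPT=44444 DPT=80 WINDOW=0 RES=0x00 ACK RST URGP=0",
    "Dec  4 17:32:40 rproxy2 kernel: ### NOT-SYN ### IN=eth1 OUT= "
    "MAC=00:a0:24:6a:d0:56:00:10:db:1e:20:70:08:00 SRC=10.9.8.8 DST=192.168.1.6 "
    "LEN=40 TOS=0x00 PREC=0x00 TTL=48 ID=7 PROTO=TCP SPT=1234 DPT=80 WINDOW=1024 RES=0x00 FIN URGP=0",
]

TCP_FLAGS = {"SYN", "ACK", "FIN", "RST", "PSH", "URG"}

def parse_iptables_log(line):
    """Split a LOG line into its --log-prefix, key=value fields and bare TCP flag tokens."""
    m = re.search(r"kernel: (.*?)(IN=.*)$", line)
    if m is None:
        return None  # not an iptables LOG line
    entry = {"prefix": m.group(1).strip(), "fields": {}, "flags": set(), "opts": []}
    for tok in m.group(2).split():
        if "=" in tok:
            key, _, val = tok.partition("=")
            entry["fields"][key] = val
        elif tok in TCP_FLAGS:
            entry["flags"].add(tok)
        else:
            entry["opts"].append(tok)  # IP-level tokens such as DF
    return entry

def classify_not_syn(entry):
    """Explain a '! --syn' + NEW hit: conntrack had no entry for this flow when it arrived."""
    flags = entry["flags"]
    if "ACK" in flags and flags & {"FIN", "RST"}:
        # Late FIN/ACK or RST/ACK: the entry timed out, or the peer refused/reset the flow.
        return "teardown-without-state"
    if "ACK" in flags:
        return "mid-stream-without-state"  # data or ACK for a flow conntrack has forgotten
    return "no-handshake-context"  # no ACK at all: cannot be part of an established flow

def summarize(lines):
    """Count NOT-SYN hits per class; a pile of teardown hits is stale state, not a bug."""
    entries = (parse_iptables_log(l) for l in lines)
    return dict(Counter(classify_not_syn(e) for e in entries
                        if e is not None and "NOT-SYN" in e["prefix"]))
```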