Hello,

My firewall is blocking NEW packets which don't have the SYN flag active on the FORWARD chain, with the following rules:

$IPTABLES -A FORWARD -p tcp ! --syn -m state --state NEW -j LOG --log-prefix "FW -NEW-WITHOUT-SYN-"
$IPTABLES -A FORWARD -p tcp ! --syn -m state --state NEW -j DROP

However, I am watching a lot of these logs on the firewall with origin on one of my servers (which is DNATed):

Jan 28

If I stop the HTTP server, these packets stop. Notice that the desktops (workplaces running Windows) also originate some of these packets, with a different SPT... Why?

I have another question. My servers are DNATed, and all outgoing traffic is SNATed. This way, all the traffic whose destination is one of the DNATed servers will go through the FORWARD chain. However, in my case I am also doing IP aliasing on the firewall, i.e., the firewall answers for a few public IP addresses. These packets are also traversing my FORWARD chain. Can anyone tell me if the aliasing changes anything in the firewall's behaviour?

The packet arrives at the machine with one of the aliased IPs, enters the firewall, DNAT is executed and the packet is sent to the FORWARD chain, is this true? Does the fact of having a packet arriving with an aliased IP or not have any influence?

Any help would be welcome.

Thanks in advance,
Victor Batista
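The first step in answering the "why" above is to look at which TCP flags the logged packets carry. Conntrack marks a TCP packet NEW whenever it matches no tracked connection, so a NEW packet without SYN is usually a late segment (ACK, FIN/ACK or RST) of a connection whose conntrack entry has already gone: an idle timeout, a firewall restart, or a path on which the firewall never saw the handshake. The script below is an added example, not code from the original post; it parses lines in the layout the iptables LOG target writes to syslog, keeps only those with the "FW -NEW-WITHOUT-SYN-" prefix, and summarises them by source/port and by flag combination. The log lines and addresses are constructed for the example (the poster's own log excerpt is not on the page), and the classification names are the author's own labels, not iptables terminology.

```python
import re
from collections import Counter

# Constructed sample lines in the layout the iptables LOG target emits.
# These are NOT the poster's log lines; addresses are RFC 5737 examples.
SAMPLE_LOG = """\
Jan 28 10:01:02 fw kernel: FW -NEW-WITHOUT-SYN- IN=eth1 OUT=eth0 SRC=192.0.2.10 DST=198.51.100.7 LEN=40 TOS=0x00 PREC=0x00 TTL=63 ID=0 DF PROTO=TCP SPT=80 DPT=51234 WINDOW=0 RES=0x00 ACK FIN URGP=0
Jan 28 10:01:03 fw kernel: FW -NEW-WITHOUT-SYN- IN=eth1 OUT=eth0 SRC=192.0.2.10 DST=198.51.100.7 LEN=40 TOS=0x00 PREC=0x00 TTL=63 ID=0 DF PROTO=TCP SPT=80 DPT=51240 WINDOW=0 RES=0x00 ACK URGP=0
Jan 28 10:01:05 fw kernel: FW -NEW-WITHOUT-SYN- IN=eth1 OUT=eth0 SRC=192.0.2.10 DST=198.51.100.9 LEN=40 TOS=0x00 PREC=0x00 TTL=63 ID=0 DF PROTO=TCP SPT=80 DPT=51301 WINDOW=0 RES=0x00 ACK FIN URGP=0
Jan 28 10:01:06 fw kernel: FW -NEW-WITHOUT-SYN- IN=eth1 OUT=eth0 SRC=192.0.2.10 DST=198.51.100.9 LEN=40 TOS=0x00 PREC=0x00 TTL=63 ID=0 DF PROTO=TCP SPT=80 DPT=51302 WINDOW=0 RES=0x00 ACK RST URGP=0
Jan 28 10:01:08 fw kernel: FW -NEW-WITHOUT-SYN- IN=eth1 OUT=eth0 SRC=192.0.2.55 DST=203.0.113.20 LEN=52 TOS=0x00 PREC=0x00 TTL=127 ID=3321 DF PROTO=TCP SPT=49723 DPT=443 WINDOW=255 RES=0x00 ACK PSH URGP=0
Jan 28 10:01:09 fw kernel: eth0: link up
Jan 28 10:01:10 fw kernel: FW -OTHER- IN=eth0 OUT= SRC=203.0.113.40 DST=198.51.100.7 LEN=40 PROTO=TCP SPT=4444 DPT=22 WINDOW=1024 RES=0x00 SYN URGP=0
"""

LOG_PREFIX = "FW -NEW-WITHOUT-SYN-"
FIELD_RE = re.compile(r"\b(SRC|DST|PROTO|SPT|DPT)=(\S+)")
# The LOG target prints set TCP flags as bare words after RES=...
FLAG_NAMES = ("SYN", "ACK", "FIN", "RST", "PSH", "URG")
FLAG_RE = re.compile(r"\b(" + "|".join(FLAG_NAMES) + r")\b")


def parse_line(line, prefix=LOG_PREFIX):
    """Return a dict for a TCP line carrying our log prefix, else None."""
    if prefix not in line:
        return None
    tail = line.split(prefix, 1)[1]
    fields = dict(FIELD_RE.findall(tail))
    if fields.get("PROTO") != "TCP":
        return None
    present = set(FLAG_RE.findall(tail))
    # Normalise flag order so "FIN ACK" and "ACK FIN" count as the same thing.
    flags = tuple(f for f in FLAG_NAMES if f in present)
    return {
        "src": fields.get("SRC"), "dst": fields.get("DST"),
        "spt": fields.get("SPT"), "dpt": fields.get("DPT"),
        "flags": flags,
    }


def classify(flags):
    """Author's own labels for what a NEW-without-SYN packet most likely is."""
    s = set(flags)
    if "SYN" in s:
        return "syn-present"  # would not match '! --syn'; flags a parsing problem
    if "RST" in s:
        return "reset-of-untracked-connection"
    if "FIN" in s:
        return "close-of-untracked-connection"
    if s in ({"ACK"}, {"ACK", "PSH"}):
        return "midstream-of-untracked-connection"
    return "other"


def summarize(log_text, prefix=LOG_PREFIX):
    """Count logged packets by (SRC, SPT), by flag set and by classification."""
    by_src_spt, by_flags, by_kind = Counter(), Counter(), Counter()
    for line in log_text.splitlines():
        rec = parse_line(line, prefix)
        if rec is None:
            continue
        by_src_spt[(rec["src"], rec["spt"])] += 1
        by_flags[" ".join(rec["flags"])] += 1
        by_kind[classify(rec["flags"])] += 1
    return {"by_src_spt": by_src_spt, "by_flags": by_flags, "by_kind": by_kind}


if __name__ == "__main__":
    report = summarize(SAMPLE_LOG)
    for (src, spt), n in report["by_src_spt"].most_common():
        print(f"{n:4d}  SRC={src} SPT={spt}")
    for flags, n in report["by_flags"].most_common():
        print(f"{n:4d}  flags: {flags}")
    for kind, n in report["by_kind"].most_common():
        print(f"{n:4d}  {kind}")
```

In the constructed sample, the server-side entries all come from SPT=80 with ACK, FIN/ACK or RST/ACK set, which is what a web server emits when a client's connection is torn down after the firewall has already forgotten it; a desktop entry shows up with an ephemeral SPT because there the desktop is the client side of a lost connection. If a real log showed SYN-carrying packets under this prefix, the rule itself would need checking, which is why `classify` flags that case separately.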