Re: new tcp connections, without SYN

On Wed 09/04/2003 at 14:31, Martijn Klingens wrote:
> > You can add RELATED state to this :
> > 	iptables -A bad_tcp_packets -p tcp ! --syn -m state \
> > 		--state NEW,RELATED -j DROP
> 
> That doesn't necessarily help though.

Well, this is not intended to reduce the amount of packets getting
blocked by this very rule. It was just to enforce the fact that a
RELATED TCP packet should be a SYN one.

> Our firewall also has a 'new, not syn' filter and it gets hit a LOT. On 
> average about 20% of all blocked packets. Another 20% are unexpected RSTs 
> (i.e. RSTs that cannot be mapped to a RELATED or ESTABLISHED connection.)
> It has been like this for quite some months, and everything works as expected 
> but we never found the cause of these new not syns and unexpected resets.

On our platform, our Netfilter boxes also block a large amount of such
packets. Most of them are destined to web servers we're hosting. My
analysis, mainly based on reverse OS fingerprinting, is that those
packets are mainly generated by IE, which is known to break some TCP
rules, beginning some connections with an ACK to speed things up, and
sometimes seems to reuse client ports too quickly (and thus generates SYN
packets with ESTABLISHED flag).


See Martin Josefsson's post within "new tcp connections, without SYN"
thread.


So, well, we just have to cope with this situation...


-- 
Cédric Blancher  <blancher@xxxxxxxxxxxxxxxxxx>
IT systems and networks security - Cartel Sécurité
Phone : +33 (0)1 44 06 97 87 - Fax: +33 (0)1 44 06 97 99
PGP KeyID:157E98EE  FingerPrint:FA62226DA9E72FA8AECAA240008B480E157E98EE
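The thread talks about the "new, not syn" rule in terms of how often it fires and which flag patterns are behind the hits (bare ACKs from browsers opening connections mid-stream, unexpected RSTs, ports reused too fast). The script below is an added example, not code from either poster: it parses iptables LOG output for packets dropped by such a rule, applies the same test iptables uses for `--syn` (SYN set, ACK/RST/FIN clear), buckets each drop by flag pattern, and reports each bucket's share of all drops so the "about 20%" kind of figure can be reproduced from a real log. The log lines are constructed for the example (RFC 5737 addresses); the field layout follows the kernel LOG target's output as the author of this example knows it, and the initial-TTL guess is a crude heuristic, not a real fingerprinting method.

```python
import re
from collections import Counter

# Constructed sample iptables LOG lines, not taken from the thread. The LOG target
# prints KEY=value fields and the set TCP flags as bare tokens (in the order
# URG ACK PSH RST SYN FIN) between RES=... and URGP=....
SAMPLE_LOG = """\
Apr  9 14:31:02 fw kernel: bad_tcp: IN=eth0 OUT= SRC=203.0.113.5 DST=198.51.100.10 LEN=40 TOS=0x00 PREC=0x00 TTL=113 ID=23184 DF PROTO=TCP SPT=1041 DPT=80 WINDOW=65535 RES=0x00 ACK URGP=0
Apr  9 14:31:02 fw kernel: bad_tcp: IN=eth0 OUT= SRC=203.0.113.5 DST=198.51.100.10 LEN=40 TOS=0x00 PREC=0x00 TTL=113 ID=23185 DF PROTO=TCP SPT=1041 DPT=80 WINDOW=65535 RES=0x00 ACK URGP=0
Apr  9 14:31:03 fw kernel: bad_tcp: IN=eth0 OUT= SRC=198.51.100.77 DST=198.51.100.10 LEN=40 TOS=0x00 PREC=0x00 TTL=54 ID=0 DF PROTO=TCP SPT=443 DPT=34512 WINDOW=0 RES=0x00 RST URGP=0
Apr  9 14:31:04 fw kernel: bad_tcp: IN=eth0 OUT= SRC=203.0.113.9 DST=198.51.100.10 LEN=44 TOS=0x00 PREC=0x00 TTL=115 ID=4411 DF PROTO=TCP SPT=80 DPT=1102 WINDOW=16384 RES=0x00 ACK SYN URGP=0
Apr  9 14:31:05 fw kernel: bad_tcp: IN=eth0 OUT= SRC=203.0.113.12 DST=198.51.100.10 LEN=40 TOS=0x00 PREC=0x00 TTL=50 ID=777 DF PROTO=TCP SPT=2000 DPT=80 WINDOW=1024 RES=0x00 FIN URGP=0
Apr  9 14:31:06 fw kernel: bad_tcp: IN=eth0 OUT= SRC=203.0.113.9 DST=198.51.100.10 LEN=48 TOS=0x00 PREC=0x00 TTL=115 ID=4412 DF PROTO=TCP SPT=1103 DPT=80 WINDOW=16384 RES=0x00 SYN URGP=0
"""

FLAG_TOKENS = {"URG", "ACK", "PSH", "RST", "SYN", "FIN"}
KV_RE = re.compile(r"([A-Z]+)=(\S*)")


def parse_log_line(line):
    """Return the KEY=value fields of one LOG line plus 'prefix' and 'flags' (a set)."""
    _, _, body = line.partition("kernel: ")
    prefix, sep, rest = body.partition("IN=")
    rest = sep + rest                      # put the "IN=" token back
    fields = dict(KV_RE.findall(rest))
    fields["flags"] = {tok for tok in rest.split() if tok in FLAG_TOKENS}
    fields["prefix"] = prefix.strip().rstrip(":")
    return fields


def iptables_syn_match(flags):
    """Semantics of iptables '--syn': SYN set and ACK, RST and FIN all clear."""
    return "SYN" in flags and not (flags & {"ACK", "RST", "FIN"})


def classify(flags):
    """Bucket a dropped packet by the flag pattern that kept conntrack from
    tying it to a known connection."""
    if iptables_syn_match(flags):
        # A pure SYN cannot match '! --syn'; if it shows up under this prefix,
        # another rule logged it, which is worth knowing when reading counts.
        return "pure-syn (not matched by '! --syn'; logged by another rule)"
    if "RST" in flags:
        return "unexpected-rst"
    if "SYN" in flags and "ACK" in flags:
        return "syn-ack-without-syn"
    if "FIN" in flags:
        return "fin-without-connection"
    if "ACK" in flags:
        return "ack-without-syn (mid-stream start / stale port reuse)"
    return "other"


def guess_initial_ttl(ttl):
    """Heuristic hint only (an assumption of this example): the nearest common
    initial TTL at or above the observed value, i.e. 64, 128 or 255."""
    for initial in (64, 128, 255):
        if ttl <= initial:
            return initial
    return None


def summarize(log_text):
    """Count categories over TCP LOG lines and express each as a share of all
    drops, the kind of figure quoted in the thread ('about 20% of blocked packets')."""
    counts, ttl_guess, total = Counter(), Counter(), 0
    for line in log_text.splitlines():
        if "PROTO=TCP" not in line:
            continue
        rec = parse_log_line(line)
        if "TTL" not in rec:
            continue                       # malformed or truncated line
        total += 1
        counts[classify(rec["flags"])] += 1
        ttl_guess[guess_initial_ttl(int(rec["TTL"]))] += 1
    shares = {cat: round(100.0 * n / total, 1) for cat, n in counts.items()} if total else {}
    return {"total": total, "counts": dict(counts), "share_pct": shares,
            "initial_ttl_guess": dict(ttl_guess)}


if __name__ == "__main__":
    result = summarize(SAMPLE_LOG)
    for cat, pct in sorted(result["share_pct"].items(), key=lambda kv: -kv[1]):
        print(f"{pct:5.1f}%  {cat}  ({result['counts'][cat]} of {result['total']})")
    print("initial TTL guesses:", result["initial_ttl_guess"])
```

Run it against a real syslog extract instead of `SAMPLE_LOG` (a `-j LOG --log-prefix "bad_tcp: "` rule placed just before the DROP gives exactly this input). If the pure-SYN bucket is non-empty, the log prefix is shared by more than the `! --syn` rule, so the percentage for that rule alone is lower than the prefix count suggests.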


