Re: lots of ACK/FIN filtering (DPT=80) at web server.

On Thursday 29 May 2003 07:25, Ray Leach wrote:
> Hi there
>
> On Wed, 2003-05-28 at 10:46, SB CH wrote:
> > Hello, all.
> >
> > I have operated linux web server and executed iptables 1.2.8.
> >
> > and I have found so lots of logs like this ACK,FIN filtering.
> > Surely, ACK-FIN is a connection closing step, so there is no problem for
> > customers but I would like to know why this happens!!
> > I guess that the timeout of the connection tracking related.
>
> Those are 'broken' browsers that do not follow the http standard
> properly.
>
> > May 25 12:33:05 www kernel: IN=eth0 OUT= SRC=210.126.xxx.xx
> > DST=211.10.xx.xx LEN=40 TOS=0x00 PREC=0x00 TTL=118 ID=3376 DF PROTO=TCP
> > SPT=3608 DPT=80 WINDOW=63520 RES=0x00 ACK FIN URGP=0
> >
> > Do you have any problems like me?
>
> Yes
>
> > and what's the problem and how can I solve this problem?
>
> Stop using non-standards compliant browsers. Sometimes changes to
> standards are not 'enhancements'.
>
> > Thanks in advance for your kind opinions!!

This is correct; mostly this happens when you have a rule like this:
iptables -A OUTPUT -p tcp ! --syn -m state --state NEW -j DROP
and you have a workstation inside your network that you browse with.
The most logging will be done if you run a Windows client      :-)

BUT you run a webserver, and your log file says IN=eth0 and not OUT=eth0.

I run a webserver in Holland also, and it may happen sometimes that someone
keeps the website open but does nothing. So a connection_time_out
occurs, and the ACK,FIN will be dropped when the client closes the browser or
page.

But NO heavy logging of that may happen.

So I assume there is something else...

Maybe a faulty rule? Like this?:

iptables -A INPUT -p tcp ! --syn -m state --state NEW -j DROP

Send us your ruleset. If you only run a public webserver (and ftp or ssh)
you don't need a heavy ruleset. (Keep it plain and simple.)

Pascal
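As an added example, not part of the original thread: a small Python script that parses netfilter LOG lines in the format quoted above and separates the occasional ACK/FIN drop Pascal describes (the conntrack entry timed out before the client closed) from volumes that point at something else, such as a rule that is dropping SYN packets from real clients. The log lines, the addresses (documentation ranges) and the per-source threshold are constructed assumptions, not values from the thread.

```python
"""Classify netfilter LOG lines such as the one quoted in the thread.

The LOG target writes key=value tokens (IN=, SRC=, DPT=, ...) followed by
bare TCP flag names (SYN, ACK, FIN, RST, ...). Everything below is an
added illustration; the sample lines are constructed, not real logs.
"""
import re
from collections import Counter, defaultdict

# Flag names the LOG target prints as bare tokens after RES=
TCP_FLAGS = {"SYN", "ACK", "FIN", "RST", "PSH", "URG", "CWR", "ECE"}
KV_RE = re.compile(r"(\w+)=(\S*)")

# Constructed sample log (documentation addresses, not the thread's real hosts)
SAMPLE_LOG = [
    "May 25 12:33:05 www kernel: IN=eth0 OUT= SRC=192.0.2.10 DST=198.51.100.5 LEN=40 TOS=0x00 PREC=0x00 TTL=118 ID=3376 DF PROTO=TCP SPT=3608 DPT=80 WINDOW=63520 RES=0x00 ACK FIN URGP=0",
    "May 25 12:33:09 www kernel: IN=eth0 OUT= SRC=192.0.2.10 DST=198.51.100.5 LEN=40 TOS=0x00 PREC=0x00 TTL=118 ID=3377 DF PROTO=TCP SPT=3609 DPT=80 WINDOW=63520 RES=0x00 ACK FIN URGP=0",
    "May 25 12:33:12 www kernel: IN=eth0 OUT= SRC=192.0.2.10 DST=198.51.100.5 LEN=40 TOS=0x00 PREC=0x00 TTL=118 ID=3378 DF PROTO=TCP SPT=3610 DPT=80 WINDOW=63520 RES=0x00 ACK FIN URGP=0",
    "May 25 12:34:11 www kernel: IN=eth0 OUT= SRC=192.0.2.10 DST=198.51.100.5 LEN=40 TOS=0x00 PREC=0x00 TTL=118 ID=3390 DF PROTO=TCP SPT=3611 DPT=80 WINDOW=63520 RES=0x00 ACK URGP=0",
    "May 25 12:35:02 www kernel: IN=eth0 OUT= SRC=192.0.2.77 DST=198.51.100.5 LEN=48 TOS=0x00 PREC=0x00 TTL=54 ID=9001 DF PROTO=TCP SPT=40022 DPT=80 WINDOW=5840 RES=0x00 SYN URGP=0",
    "May 25 12:35:03 www kernel: IN=eth0 OUT= SRC=192.0.2.77 DST=198.51.100.5 LEN=40 TOS=0x00 PREC=0x00 TTL=54 ID=9002 DF PROTO=TCP SPT=40022 DPT=80 WINDOW=0 RES=0x00 RST ACK URGP=0",
    "May 25 12:35:10 www kernel: eth0: link is up",  # unrelated kernel noise
]


def parse_log_line(line):
    """Return the key=value fields plus a FLAGS set, or None for non-netfilter lines."""
    if "IN=" not in line or "PROTO=" not in line:
        return None
    fields = dict(KV_RE.findall(line))
    # Bare tokens that are TCP flag names; DF is an IP flag and is left out on purpose
    fields["FLAGS"] = frozenset(t for t in line.split() if t in TCP_FLAGS)
    return fields


def classify(fields):
    """Label one dropped packet by the cause discussed in the thread."""
    if fields.get("PROTO") != "TCP":
        return "non-tcp"
    flags = fields["FLAGS"]
    if flags in ({"ACK", "FIN"}, {"ACK", "FIN", "PSH"}):
        return "late-close"   # client tearing down a connection conntrack already forgot
    if flags == {"ACK"}:
        return "late-ack"     # stray ACK after the conntrack entry expired
    if "SYN" in flags and "ACK" not in flags:
        return "new-syn"      # a genuine new connection: dropping these breaks clients
    if flags in ({"RST"}, {"RST", "ACK"}):
        return "reset"
    return "other"


def summarize(lines):
    """Count drop classes overall and per source address."""
    by_class, by_src = Counter(), defaultdict(Counter)
    for line in lines:
        fields = parse_log_line(line)
        if fields is None:
            continue
        label = classify(fields)
        by_class[label] += 1
        by_src[fields["SRC"]][label] += 1
    return by_class, by_src


def needs_attention(by_class, by_src, late_close_per_src=20):
    """A few ACK/FIN drops per client are the timed-out close Pascal describes.
    Flag the log only when one source produces many of them, or when dropped
    SYNs show the rule is blocking new connections. Threshold is an assumption."""
    reasons = []
    if by_class["new-syn"]:
        reasons.append("dropped SYN packets: a rule is blocking new connections")
    for src, counts in by_src.items():
        if counts["late-close"] >= late_close_per_src:
            reasons.append(f"{src}: {counts['late-close']} ACK/FIN drops, more than a timed-out close")
    return reasons


if __name__ == "__main__":
    by_class, by_src = summarize(SAMPLE_LOG)
    print(dict(by_class))
    for reason in needs_attention(by_class, by_src):
        print("attention:", reason)
```

Run it against `/var/log/messages` (or wherever klogd writes) by replacing `SAMPLE_LOG` with the file's lines; a steady trickle of `late-close` entries matches the conntrack timeout explanation, while any `new-syn` entries mean the logging rule sits in front of the ACCEPT for port 80 and is turning clients away.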
