Several times now, I have seen a lot of entries in syslog which seem to be associated with browsing a particular site, but for some reason get dropped as "not-new". For example, when browsing the thinkgeek site, messages like this appear maybe 50 times, with slightly different destination port numbers:

Dec 29 06:39:45 IPTABLES NOT-NEW-IN: SRC=66.35.250.160 \
    LEN=48 TTL=45 ID=0 DF PROTO=TCP SPT=80 DPT=4785 \
    WINDOW=5840 RES=0x00 ACK SYN URGP=0

Always from port 80 on the remote machine, but the source address is a site I'm accessing. What's causing this, should I be concerned, and can/should I fix it?

The rules that produce this are (in iptables-restore format):

-A INPUT -p tcp -m tcp --tcp-flags ! SYN,RST,ACK SYN \
    -m state --state NEW -j LOG --log-prefix "IPTABLES NOT-NEW-IN: "
-A INPUT -p tcp -m tcp --tcp-flags ! SYN,RST,ACK SYN \
    -m state --state NEW -j DROP

If I already have a session open with the remote site, why are these not being associated?

Any help will be appreciated.

Thanks,
Andy Johnson
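An added example (not part of the original post): a Python script that parses LOG lines of the kind quoted above, applies the flag test from the posted rule (`--tcp-flags ! SYN,RST,ACK SYN`), and groups the hits by source and flag combination so that a burst like the one described can be triaged at a glance. The second and third sample lines and all function names are constructed for illustration.

```python
from collections import defaultdict

TCP_FLAGS = {"CWR", "ECE", "URG", "ACK", "PSH", "RST", "SYN", "FIN"}

# Constructed sample: the first line is the one quoted in the post, joined onto
# one line; the other two are made-up variants differing only in time and DPT.
SAMPLE = [
    "Dec 29 06:39:45 IPTABLES NOT-NEW-IN: SRC=66.35.250.160 LEN=48 TTL=45 ID=0 DF "
    "PROTO=TCP SPT=80 DPT=4785 WINDOW=5840 RES=0x00 ACK SYN URGP=0",
    "Dec 29 06:39:46 IPTABLES NOT-NEW-IN: SRC=66.35.250.160 LEN=48 TTL=45 ID=0 DF "
    "PROTO=TCP SPT=80 DPT=4786 WINDOW=5840 RES=0x00 ACK SYN URGP=0",
    "Dec 29 06:39:48 IPTABLES NOT-NEW-IN: SRC=66.35.250.160 LEN=48 TTL=45 ID=0 DF "
    "PROTO=TCP SPT=80 DPT=4787 WINDOW=5840 RES=0x00 ACK SYN URGP=0",
]

def parse_log(line):
    """Split one iptables LOG line into KEY=value fields and the set of TCP flags."""
    fields, flags = {}, set()
    for tok in line.split():
        key, sep, val = tok.partition("=")
        if sep:
            fields[key] = val
        elif tok in TCP_FLAGS:
            flags.add(tok)
    return fields, flags

def tcp_flags_match(flags, mask, comp, invert=False):
    """iptables --tcp-flags: look only at `mask`; match when exactly `comp` is set."""
    return ((flags & mask) == comp) != invert

def hits_not_new_rule(flags):
    """Flag test of the posted rule: --tcp-flags ! SYN,RST,ACK SYN.
    The rule also requires --state NEW, which the log line itself does not record."""
    return tcp_flags_match(flags, {"SYN", "RST", "ACK"}, {"SYN"}, invert=True)

def summarize(lines):
    """Group logged packets by (SRC, SPT, flags) and collect the distinct DPTs."""
    groups = defaultdict(set)
    for line in lines:
        f, flags = parse_log(line)
        if "DPT" in f and hits_not_new_rule(flags):
            groups[(f.get("SRC"), f.get("SPT"), "+".join(sorted(flags)))].add(int(f["DPT"]))
    return dict(groups)

if __name__ == "__main__":
    for (src, spt, flags), dpts in summarize(SAMPLE).items():
        print(f"{src}:{spt} flags={flags} local ports={sorted(dpts)}")
```

A bare SYN is the only combination of SYN, RST and ACK that passes the inverted test, so the SYN+ACK packets in the log satisfy the flag half of the rule; the other half is that connection tracking classified them as NEW.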