On Fri, 2004-11-19 at 17:37, Björn Schmidt wrote:
> Hi,
>
> the ulogd logfile of my server shows many "INVALID state" packets. What could
> be the reason for that?

my guess would be because you have a log rule that logs on "-m state --state INVALID"

> The server has one cardbus nic (eth0), one dsl-interface (ppp0) and, of course
> lo. The client has only eth0 and lo. The kernel version of both computers is
> 2.6.10-rc2
>
> syslogemu.log:Nov 19 20:31:52 kilobyte INPUT_INVALID IN=eth0 OUT=
> MAC=00:d0:b7:01:ce:2a:00:04:e2:7f:90:41:08:00 SRC=192.168.0.2 DST=192.168.0.1
> LEN=52 TOS=00 PREC=0x00 TTL=64 ID=1680 DF PROTO=TCP SPT=32899 DPT=3130
> SEQ=4260699581 ACK=510793293 WINDOW=5080 ACK FIN URGP=0

this is a FIN-ACK packet from the client to the server for an ICP session.

> syslogemu.log:Nov 19 20:31:52 kilobyte OUTPUT_INVALID IN= OUT=eth0 MAC=
> SRC=192.168.0.1 DST=192.168.0.2 LEN=80 TOS=00 PREC=0x00 TTL=255 ID=29481
> PROTO=ICMP TYPE=3 CODE=3

this is an ICMP Port Unreachable from 192.168.0.1 to 192.168.0.2

> syslogemu.log:Nov 19 20:31:52 kilobyte INPUT_INVALID IN=eth0 OUT=
> MAC=00:d0:b7:01:ce:2a:00:04:e2:7f:90:41:08:00 SRC=192.168.0.2 DST=192.168.0.1
> LEN=52 TOS=00 PREC=0x00 TTL=64 ID=13326 DF PROTO=TCP SPT=32845 DPT=993
> SEQ=3094163529 ACK=3641510831 WINDOW=2908 ACK FIN URGP=0

this is a FIN-ACK packet from the client to the server for an IMAP/SSL session.

the definition of an INVALID packet is simply a packet that is neither ESTABLISHED nor RELATED. depending on the specific communication in question and the timeout values on the firewall for the CLOSE-WAIT state--you can see a *ton* of FIN-ACK packets that will be considered "invalid" as they arrive after the firewall has removed the connection in question from conntrack. port-unreachables should normally match as "related," but there could have been something funny going on.

-j

--
"No jury in the world is going to convict a baby ... Maybe Texas."
--The Simpsons
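
A triage script for log lines like the ones quoted above, added here as an example and not part of the original thread: it parses each netfilter log line and buckets it by the two cases the reply describes. The function and bucket names are this example's own; the sample input is the three lines from the thread, each joined back onto one line.

```python
import re
from collections import Counter
from itertools import takewhile

# The three log lines quoted in the thread, each joined back onto one line.
SAMPLE = """\
syslogemu.log:Nov 19 20:31:52 kilobyte INPUT_INVALID IN=eth0 OUT= MAC=00:d0:b7:01:ce:2a:00:04:e2:7f:90:41:08:00 SRC=192.168.0.2 DST=192.168.0.1 LEN=52 TOS=00 PREC=0x00 TTL=64 ID=1680 DF PROTO=TCP SPT=32899 DPT=3130 SEQ=4260699581 ACK=510793293 WINDOW=5080 ACK FIN URGP=0
syslogemu.log:Nov 19 20:31:52 kilobyte OUTPUT_INVALID IN= OUT=eth0 MAC= SRC=192.168.0.1 DST=192.168.0.2 LEN=80 TOS=00 PREC=0x00 TTL=255 ID=29481 PROTO=ICMP TYPE=3 CODE=3
syslogemu.log:Nov 19 20:31:52 kilobyte INPUT_INVALID IN=eth0 OUT= MAC=00:d0:b7:01:ce:2a:00:04:e2:7f:90:41:08:00 SRC=192.168.0.2 DST=192.168.0.1 LEN=52 TOS=00 PREC=0x00 TTL=64 ID=13326 DF PROTO=TCP SPT=32845 DPT=993 SEQ=3094163529 ACK=3641510831 WINDOW=2908 ACK FIN URGP=0
"""

TCP_FLAGS = {"SYN", "ACK", "FIN", "RST", "PSH", "URG", "ECE", "CWR"}

def parse(line):
    """Split a netfilter log line into its prefix, KEY=value fields and TCP flags."""
    m = re.search(r"(\S+) IN=", line)  # the log prefix is the token before IN=
    if not m:
        return None
    prefix, *rest = line[m.start(1):].split()
    # ICMP errors can carry the offending packet's header in [...]; ignore it so
    # its SRC/DST/PROTO do not overwrite those of the logged packet.
    outer = list(takewhile(lambda t: not t.startswith("["), rest))
    fields = dict(t.split("=", 1) for t in outer if "=" in t)
    flags = {t for t in outer if t in TCP_FLAGS}  # bare words, unlike ACK=<number>
    return {"prefix": prefix, "fields": fields, "flags": flags}

def classify(pkt):
    """Bucket a packet using the two explanations given in the reply."""
    f = pkt["fields"]
    if f.get("PROTO") == "TCP":
        # A FIN logged as INVALID: per the reply, conntrack already dropped the entry.
        return "tcp-fin" if "FIN" in pkt["flags"] else "tcp-other"
    if f.get("PROTO") == "ICMP" and f.get("TYPE") == "3":
        return "icmp-unreachable"  # normally RELATED, so worth a closer look
    return "other"

def summarize(text):
    """Count logged packets per (log prefix, bucket, destination port or ICMP code)."""
    counts = Counter()
    for line in text.splitlines():
        pkt = parse(line)
        if pkt:
            detail = pkt["fields"].get("DPT") or pkt["fields"].get("CODE", "-")
            counts[(pkt["prefix"], classify(pkt), detail)] += 1
    return counts

if __name__ == "__main__":
    for key, n in summarize(SAMPLE).most_common():
        print(n, *key)
```

A large "tcp-fin" count points at connection teardown racing the conntrack timeout, while "icmp-unreachable" or "tcp-other" entries are the ones to inspect individually.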