On Mon, 31 Jan 2005 at 14:29, Kevin Van Workum wrote:
> I'm learning about iptables and am working through the example scripts
> in Oskar Andreasson's Iptables Tutorial 1.1.19. So I have the following
> rules:
>
> iptables -A bad_tcp_packets -p tcp ! --syn -m state --state NEW -j LOG
> --log-prefix "New not syn:"
> iptables -A bad_tcp_packets -p tcp ! --syn -m state --state NEW -j DROP
>
> My understanding of this rule is that all NEW tcp packets should be SYN
> also. So if they are not NEW and SYN, then we should log them and drop
> them. I guess Andreasson wants to log them because they may indicate a
> problem of some sort. So in my log file, I get this:
>
> Jan 30 20:09:27 server kernel: New not syn:IN= OUT=lo SRC=10.0.0.100
> DST=10.0.0.100 LEN=52 TOS=0x00 PREC=0x00 TTL=64 ID=7678 DF PROTO=TCP
> SPT=34928 DPT=143 WINDOW=32767 RES=0x00 ACK PSH FIN URGP=0
>
> So what's the problem with these packets? It looks like some client is
> contacting the imapd (which is running on my firewall) with some bad tcp
> packets?

NEW-without-SYN packets can occur, but they are very uncommon. The proposed rule is correct on 99% of systems, but if you have a program or daemon that doesn't perform the SYN/SYN-ACK/ACK handshake correctly, then you may have to allow these packets. Another situation in which you could see this kind of packet is when you have two firewalls in high availability and one of them fails over: the packets are then seen as NEW by the conntrack system, but they don't have the SYN.

Regards.

-- 
Jose Maria Lopez Hernandez
Technical Director of bgSEC
jkerouac@xxxxxxxxx
bgSEC Seguridad y Consultoria de Sistemas Informaticos
http://www.bgsec.com
Spain

The only people for me are the mad ones -- the ones who are mad to live, mad to talk, mad to be saved, desirous of everything at the same time, the ones who never yawn or say a commonplace thing, but burn, burn, burn like fabulous yellow Roman candles. -- Jack Kerouac, "On the Road"
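The log line quoted in the question is the output of the netfilter LOG target. The following Python script is an added example (not code from this thread or from the Iptables Tutorial) that parses such lines, reproduces the `--syn` test used by the rule (SYN set, ACK/RST/FIN clear, as documented for the iptables tcp match) and classifies each packet that conntrack called NEW without a SYN: mid-stream segments of a flow conntrack has no entry for (the failover case in the reply, a flushed or timed-out conntrack table, or rules loaded while a connection was already open) versus flag combinations typical of FIN, Xmas and NULL port scans. All sample lines are constructed; the first is the one from the question, the others are invented for illustration, as are the IP addresses and the `Inbound SYN:` prefix.

```python
"""Classify TCP packets that a '-p tcp ! --syn -m state --state NEW' rule
logged with the netfilter LOG target.

Added example for this thread, not code from the original posts or from the
Iptables Tutorial. SAMPLE_LINES are constructed; the first is the line
quoted in the question."""
import re
from collections import Counter

TCP_FLAGS = {"CWR", "ECE", "URG", "ACK", "PSH", "RST", "SYN", "FIN"}
IP_FLAGS = {"DF", "MF", "CE"}

# syslog timestamp, host, "kernel:", the --log-prefix text, then the IN=
# field that starts every netfilter LOG record.
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) kernel: "
    r"(?P<prefix>.*?)(?P<rest>IN=.*)$"
)

SAMPLE_LINES = [
    # the line from the question: loopback segment to imapd, ACK PSH FIN set
    "Jan 30 20:09:27 server kernel: New not syn:IN= OUT=lo SRC=10.0.0.100 "
    "DST=10.0.0.100 LEN=52 TOS=0x00 PREC=0x00 TTL=64 ID=7678 DF PROTO=TCP "
    "SPT=34928 DPT=143 WINDOW=32767 RES=0x00 ACK PSH FIN URGP=0",
    # constructed: Xmas-style probe (FIN PSH URG) from outside against sshd
    "Jan 30 20:10:01 server kernel: New not syn:IN=eth0 OUT= "
    "SRC=192.0.2.10 DST=10.0.0.1 LEN=40 TOS=0x00 PREC=0x00 TTL=49 ID=4421 "
    "PROTO=TCP SPT=40000 DPT=22 WINDOW=1024 RES=0x00 URG PSH FIN URGP=0",
    # constructed: NULL probe (no TCP flags at all) from the same source
    "Jan 30 20:10:02 server kernel: New not syn:IN=eth0 OUT= "
    "SRC=192.0.2.10 DST=10.0.0.1 LEN=40 TOS=0x00 PREC=0x00 TTL=49 ID=4422 "
    "PROTO=TCP SPT=40001 DPT=25 WINDOW=1024 RES=0x00 URGP=0",
    # constructed: a different LOG rule that records a bare SYN
    "Jan 30 20:10:05 server kernel: Inbound SYN:IN=eth0 OUT= "
    "SRC=198.51.100.7 DST=10.0.0.1 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=9001 "
    "DF PROTO=TCP SPT=51000 DPT=143 WINDOW=5840 RES=0x00 SYN URGP=0",
    # constructed: unrelated syslog line, must be ignored
    "Jan 30 20:10:09 server sshd[812]: Accepted publickey for kevin from 10.0.0.5",
]


def parse_nflog(line):
    """Return the key=value fields of a LOG record plus a 'flags' set of the
    bare flag tokens, or None if the line is not a netfilter LOG record."""
    m = LINE_RE.match(line)
    if not m:
        return None
    entry = {"ts": m.group("ts"), "host": m.group("host"),
             "prefix": m.group("prefix").strip(), "flags": set()}
    for tok in m.group("rest").split():
        if "=" in tok:
            key, value = tok.split("=", 1)
            entry[key] = value
        elif tok in TCP_FLAGS or tok in IP_FLAGS:
            entry["flags"].add(tok)
    return entry


def matches_syn(tcp_flags):
    """The iptables '--syn' test: SYN set and ACK, RST and FIN all clear."""
    return "SYN" in tcp_flags and not tcp_flags & {"ACK", "RST", "FIN"}


def classify(entry):
    """Name the most likely reason a NEW TCP packet carried these flags."""
    if entry.get("PROTO") != "TCP":
        return "not-tcp"
    tcp = entry["flags"] & TCP_FLAGS
    if matches_syn(tcp):
        return "syn"              # ordinary connection attempt; the rule skips these
    if not tcp:
        return "null-scan"        # no flags at all: nmap -sN style probe
    if tcp == {"FIN", "PSH", "URG"}:
        return "xmas-scan"        # nmap -sX style probe
    if tcp == {"FIN"}:
        return "fin-scan"         # nmap -sF style probe
    if "SYN" in tcp and "ACK" in tcp:
        return "syn-ack"          # reply to a SYN conntrack never saw
    if "ACK" in tcp:
        # Mid-stream segment of a flow conntrack has no entry for: state lost
        # on failover to the other firewall, a flushed or timed-out conntrack
        # table, or rules loaded while the connection was already open.
        return "stray-segment"
    return "other"


def summarize(lines):
    """Classify every LOG record; return (Counter by class, Counter of
    (SRC, DST, DPT) for everything that was not a plain SYN)."""
    by_class = Counter()
    by_source = Counter()
    for line in lines:
        entry = parse_nflog(line)
        if entry is None:
            continue
        verdict = classify(entry)
        by_class[verdict] += 1
        if verdict != "syn":
            by_source[(entry.get("SRC"), entry.get("DST"), entry.get("DPT"))] += 1
    return by_class, by_source


if __name__ == "__main__":
    by_class, by_source = summarize(SAMPLE_LINES)
    print(dict(by_class))
    print(dict(by_source))
```

Run against the thread's own line, the packet has ACK set, arrives over `lo` and is addressed to port 143, so it classifies as a stray segment of an existing IMAP connection rather than a probe; the per-source counter is there to tell a single leftover segment from a burst of flag-only probes hitting several ports from one address, which is the case where the LOG rule actually earns its keep.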