I get quite a number of packets dropped as follows. This is a packet from my web server to a given host:

  Aug 8 01:20:12 venus kernel: IN= OUT=eth0 SRC=<myServerIP> DST=<someHost> LEN=471 TOS=0x00 PREC=0x00 TTL=64 ID=13332 DF PROTO=TCP SPT=80 DPT=10067 WINDOW=1716 RES=0x00 ACK PSH FIN URGP=0

Here is an abbreviated version of the iptables ruleset which is in place:

  iptables -P FORWARD DROP
  iptables -P INPUT DROP
  iptables -P OUTPUT DROP

  iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
  iptables -A OUTPUT -m state --state NEW -p tcp --sport 80 -j ACCEPT
  # "-p all" matches every protocol (iptables does not accept "-p any")
  iptables -A OUTPUT -p all -j LOG

  # Allow incoming data that is part of a connection we established
  iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
  # www server
  iptables -A INPUT -p tcp --syn --dport 80 -j ACCEPT
  iptables -A INPUT -p tcp --syn --dport 443 -j ACCEPT
  iptables -A INPUT -p all -j LOG

So what is a packet with "ACK PSH FIN" set? I assume they are being blocked because they are neither "SYN" nor part of an established connection? But what are they, and should they be allowed?

-- John Lange
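As an added example (editor's code, not part of John's post or of iptables itself), the script below parses a kernel LOG line of the shape shown above, pulls out the TCP flag tokens, and then walks the OUTPUT chain from the post to show which rule the packet lands on. The conntrack part is a deliberately simplified model of how nf_conntrack classifies a TCP packet for which no conntrack entry exists: RST, SYN/ACK, FIN and flagless packets are INVALID, a bare SYN is NEW, and a bare ACK is NEW only when tcp_loose pickup is enabled (the kernel default). The IP addresses in the sample line are constructed placeholders; the precedence RST > SYN > FIN > ACK follows the kernel's get_conntrack_index(), but the full state table is not reproduced.

```python
import re

# Constructed copy of the LOG line from the post; the addresses are placeholders.
SAMPLE_LOG = (
    "Aug 8 01:20:12 venus kernel: IN= OUT=eth0 SRC=192.0.2.10 DST=198.51.100.7 "
    "LEN=471 TOS=0x00 PREC=0x00 TTL=64 ID=13332 DF PROTO=TCP SPT=80 DPT=10067 "
    "WINDOW=1716 RES=0x00 ACK PSH FIN URGP=0"
)

TCP_FLAG_TOKENS = {"SYN", "ACK", "FIN", "RST", "PSH", "URG"}


def parse_log_line(line):
    """Split a netfilter LOG target line into key=value fields and the set of
    TCP flag tokens (the LOG target prints flags as bare words such as ACK PSH FIN)."""
    m = re.search(r"kernel: (.*)$", line)
    if not m:
        raise ValueError("not a kernel LOG line")
    fields, flags = {}, set()
    for tok in m.group(1).split():
        if "=" in tok:
            key, value = tok.split("=", 1)   # handles empty values such as IN=
            fields[key] = value
        elif tok in TCP_FLAG_TOKENS:
            flags.add(tok)
        # other bare tokens (DF, MF, CE ...) are IP-level and ignored here
    return fields, flags


def conntrack_state_without_entry(flags, tcp_loose=True):
    """Simplified model (assumption, see lead-in) of the conntrack state assigned
    to a TCP packet that has NO existing conntrack entry.  Precedence mirrors
    get_conntrack_index(): RST, then SYN, then FIN, then ACK."""
    if "RST" in flags:
        return "INVALID"
    if "SYN" in flags:
        return "INVALID" if "ACK" in flags else "NEW"   # SYN/ACK with no entry is bogus
    if "FIN" in flags:
        return "INVALID"                                # FIN cannot open a tracked flow
    if "ACK" in flags:
        return "NEW" if tcp_loose else "INVALID"        # mid-stream pickup
    return "INVALID"


def output_chain_verdict(line, tcp_loose=True):
    """Walk the OUTPUT chain from the post for a packet that conntrack has no entry for:
    ESTABLISHED,RELATED -> ACCEPT; NEW tcp sport 80 -> ACCEPT; otherwise LOG, then policy DROP."""
    fields, flags = parse_log_line(line)
    state = conntrack_state_without_entry(flags, tcp_loose)
    if state in ("ESTABLISHED", "RELATED"):
        return "ACCEPT"
    if state == "NEW" and fields.get("PROTO") == "TCP" and fields.get("SPT") == "80":
        return "ACCEPT"
    return "LOG+DROP (state %s)" % state


if __name__ == "__main__":
    fields, flags = parse_log_line(SAMPLE_LOG)
    print("flags:", " ".join(sorted(flags)))
    print("verdict:", output_chain_verdict(SAMPLE_LOG))
```

Run against the sample line, the script reports the flags ACK FIN PSH and a verdict of LOG+DROP with state INVALID: the ESTABLISHED rule cannot match a packet with no tracked entry, and the NEW rule only helps for a SYN or (with tcp_loose) a plain ACK, so a FIN-bearing segment falls through to the LOG rule and the DROP policy.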