On Tue, 2005-08-09 at 11:21, John Lange wrote:
> I get quite a number of packets dropped as follows; this is a packet from
> my web server to a given host:
>
> Aug 8 01:20:12 venus kernel: IN= OUT=eth0 SRC=<myServerIP> DST=<someHost> LEN=471 TOS=0x00 PREC=0x00 TTL=64 ID=13332 DF PROTO=TCP SPT=80 DPT=10067 WINDOW=1716 RES=0x00 ACK PSH FIN URGP=0
> <snip>
>
> So what is a packet with "ACK PSH FIN" set? I assume they are being
> blocked because they are neither "SYN" nor part of an established
> connection? But what are they and should they be allowed?

Here's what's happening:

TCP 3-packet handshake takes place
Client issues a data request
Client issues a FIN/ACK since it's done transmitting info
Netfilter drops the state timeout to 60 seconds
Server starts transmitting data back to the client
More than 60 seconds go by
Netfilter removes the state entry
Server can never complete the data transfer and continually tries to issue a FIN/ACK to close the connection
Netfilter drops all FIN/ACKs because the state table entry is gone

I reported this problem back in 2000 and the timeout was increased to 120 seconds. At some point a few years back the timeout was dropped back down again, causing the problem you are seeing.

So it's not a malicious packet, just a bug/feature in the code.

HTH,
Chris
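Two small checks for the situation in this thread, added here as example code rather than anything from the original posts: a parser for the kernel LOG line format quoted above that labels outbound FIN/ACK drops from a local service port, and a toy replay of the timeline Chris describes, showing why a 60-second timer after the client's FIN drops the server's late data and FIN/ACK while 120 seconds does not. The placeholder addresses, the local_ports list and the toy state table are assumptions, not the real nf_conntrack state machine.

```python
# Constructed sample (placeholder addresses) modelled on the quoted line.
SAMPLE = ("Aug  8 01:20:12 venus kernel: IN= OUT=eth0 SRC=192.0.2.10 "
          "DST=198.51.100.7 LEN=471 TOS=0x00 PREC=0x00 TTL=64 ID=13332 DF "
          "PROTO=TCP SPT=80 DPT=10067 WINDOW=1716 RES=0x00 ACK PSH FIN URGP=0")

TCP_FLAGS = {"SYN", "ACK", "PSH", "FIN", "RST", "URG", "CWR", "ECE"}

def parse_netfilter_log(line):
    """Split a kernel LOG-target line into key=value fields and bare flag tokens."""
    payload = line.split("kernel:", 1)[1]
    fields, flags = {}, set()
    for tok in payload.split():
        if "=" in tok:
            key, value = tok.split("=", 1)
            fields[key] = value
        elif tok in TCP_FLAGS or tok == "DF":
            flags.add(tok)
    return fields, flags

def classify_drop(fields, flags, local_ports=frozenset({"80", "443"})):
    """Label a logged drop so stale-state teardown noise can be told apart from
    unsolicited traffic. local_ports is an assumed list of services this host runs."""
    if fields.get("PROTO") != "TCP":
        return "non-tcp"
    if "SYN" in flags and "ACK" not in flags:
        return "new-connection-attempt"
    if "FIN" in flags and fields.get("OUT") and fields.get("SPT") in local_ports:
        # Outbound FIN/ACK from our own service port that the state table no
        # longer knows: the expired-entry case described in the reply.
        return "likely-teardown-after-state-expiry"
    return "other"

def replay(events, close_timeout, established_timeout=432000):
    """Toy model of one tracked flow: events are (seconds, set_of_flags); a FIN
    shortens the entry's lifetime to close_timeout, and packets arriving after
    the entry expired are dropped because they no longer match any state."""
    expiry, verdicts = None, []
    for t, flags in events:
        if expiry is not None and t > expiry:
            expiry = None                      # entry timed out and was removed
        if "SYN" in flags and "ACK" not in flags:
            expiry = t + established_timeout   # simplified: new flow is tracked
            verdicts.append("ACCEPT")
        elif expiry is None:
            verdicts.append("DROP")            # no entry, so not ESTABLISHED
        else:
            if "FIN" in flags:
                expiry = t + close_timeout     # either side's FIN starts short timer
            verdicts.append("ACCEPT")
    return verdicts

# The sequence from the reply: client FIN at t=2, server's data 68 s later.
FLOW = [(0, {"SYN"}), (1, {"ACK", "PSH"}), (2, {"FIN", "ACK"}),
        (70, {"ACK", "PSH"}), (71, {"FIN", "ACK"})]
```

With a 60-second close timer the server's two late packets are dropped, exactly the log entries in the question; with 120 seconds all five are accepted.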