On 11/4/05, Carlos Pastorino <carlos.pastorino@xxxxxxxxx> wrote:
> Hi everyone,
>
> My question is targeted to understanding Netfilter, because I know
> that the dropped packets are not impacting on the connection.
>
> My firewall is configured like this (showing only the important information):
>
> IPTABLES -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
> IPTABLES -A FORWARD -p TCP -i $INET -o $LAN --syn --dport http -j ACCEPT
>
> and I've been noticing that packets with the ACK PSH flags set are
> dropped during the connection.
>
> I know that it's not because of the connection tracking, since the
> drops are occurring during the connection, not a long time after the
> connection, so they are definitely ESTABLISHED packets. And since
> ESTABLISHED packets should get through, I wonder why those are being
> blocked.

Are they really established? Or are they duplicates of existing packets that are being dropped because they can't be 'established' packets. I think you would need to give more information about the stream to figure out what the cause is.

--
Stephen J Smoogen.
CSIRT/Linux System Administrator
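Stephen's point is that the dropped ACK PSH segments may not map to a tracked connection at all, and that the stream itself has to be inspected. The following is an added example (not part of the thread, and not Carlos's or Stephen's code) of how a firewall administrator would gather that evidence. It assumes two hypothetical logging rules placed ahead of the drop: `iptables -I FORWARD 1 -m conntrack --ctstate INVALID -j LOG --log-prefix "FWD-INVALID: "` to catch packets conntrack refuses to associate with any tracked flow, and `iptables -A FORWARD -j LOG --log-prefix "FWD-DROP: "` just before the final DROP for everything else. The script parses the kernel LOG lines those rules produce, separates fresh SYNs from ACK-bearing mid-stream segments, and lists the 4-tuples worth looking up with `conntrack -L`. All log lines, hostnames and addresses below are constructed.

```python
import re
from collections import Counter

# Constructed sample of kernel LOG-target output (not from the original thread).
# The two prefixes come from the hypothetical logging rules described above.
SAMPLE_LOG = """\
Nov  4 10:21:03 fw kernel: FWD-INVALID: IN=eth0 OUT=eth1 SRC=203.0.113.5 DST=192.0.2.10 LEN=1500 TOS=0x00 PREC=0x00 TTL=52 ID=4711 DF PROTO=TCP SPT=44321 DPT=80 WINDOW=501 RES=0x00 ACK PSH URGP=0
Nov  4 10:21:03 fw kernel: FWD-INVALID: IN=eth0 OUT=eth1 SRC=203.0.113.5 DST=192.0.2.10 LEN=1500 TOS=0x00 PREC=0x00 TTL=52 ID=4712 DF PROTO=TCP SPT=44321 DPT=80 WINDOW=501 RES=0x00 ACK PSH URGP=0
Nov  4 10:21:09 fw kernel: FWD-DROP: IN=eth0 OUT=eth1 SRC=198.51.100.7 DST=192.0.2.10 LEN=60 TOS=0x00 PREC=0x00 TTL=49 ID=1 DF PROTO=TCP SPT=51000 DPT=22 WINDOW=64240 RES=0x00 SYN URGP=0
Nov  4 10:21:15 fw kernel: FWD-INVALID: IN=eth0 OUT=eth1 SRC=203.0.113.9 DST=192.0.2.10 LEN=52 TOS=0x00 PREC=0x00 TTL=55 ID=9001 DF PROTO=TCP SPT=33000 DPT=443 WINDOW=502 RES=0x00 ACK URGP=0
Nov  4 10:21:20 fw kernel: FWD-DROP: IN=eth0 OUT=eth1 SRC=198.51.100.7 DST=192.0.2.10 LEN=84 TOS=0x00 PREC=0x00 TTL=49 ID=2 PROTO=ICMP TYPE=8 CODE=0 ID=1234 SEQ=1
"""

# TCP flag names as the LOG target prints them (bare tokens after RES=).
TCP_FLAGS = ("CWR", "ECE", "URG", "ACK", "PSH", "RST", "SYN", "FIN")
LINE_RE = re.compile(r"kernel:\s+(?P<prefix>.*?):\s+(?P<body>IN=.*)$")
FIELD_RE = re.compile(r"(\w+)=(\S*)")


def parse_log_line(line):
    """Parse one netfilter LOG line into a dict; return None for lines that are not LOG output."""
    m = LINE_RE.search(line)
    if m is None:
        return None
    body = m.group("body")
    fields = dict(FIELD_RE.findall(body))
    # Flags are bare tokens such as "ACK PSH"; "DF" is the IP don't-fragment bit, not a TCP flag.
    tokens = body.split()
    flags = tuple(f for f in TCP_FLAGS if f in tokens)
    return {
        "prefix": m.group("prefix"),
        "src": fields.get("SRC"),
        "dst": fields.get("DST"),
        "proto": fields.get("PROTO"),
        "spt": fields.get("SPT"),
        "dpt": fields.get("DPT"),
        "flags": flags,
    }


def classify(rec):
    """Say why a logged packet most likely missed the ESTABLISHED,RELATED accept rule."""
    if rec["proto"] != "TCP":
        return "non-tcp"
    flags = set(rec["flags"])
    if "SYN" in flags and "ACK" not in flags:
        return "new-connection"        # a fresh SYN has to match an explicit accept rule
    if "ACK" in flags and rec["prefix"].endswith("INVALID"):
        return "mid-stream-untracked"  # ACK-bearing segment conntrack would not map to a tracked flow
    if "ACK" in flags:
        return "mid-stream-new"        # ACK without a tracked entry: conntrack treats it as NEW, not ESTABLISHED
    return "other"


def summarize(log_text):
    """Count logged packets by (classification, flag string) over a block of log text."""
    counts = Counter()
    for line in log_text.splitlines():
        rec = parse_log_line(line)
        if rec is None:
            continue
        counts[(classify(rec), " ".join(rec["flags"]) or "-")] += 1
    return counts


def untracked_flows(log_text):
    """Distinct (src, sport, dst, dport) tuples of untracked mid-stream segments: the entries to look for in conntrack -L."""
    flows = set()
    for line in log_text.splitlines():
        rec = parse_log_line(line)
        if rec and classify(rec) == "mid-stream-untracked":
            flows.add((rec["src"], rec["spt"], rec["dst"], rec["dpt"]))
    return sorted(flows)


if __name__ == "__main__":
    for (kind, flags), n in sorted(summarize(SAMPLE_LOG).items()):
        print(f"{n:3d}  {kind:<22} flags={flags}")
    for flow in untracked_flows(SAMPLE_LOG):
        print("check conntrack entry for", flow)
```

Feed it the kernel log (for example `/var/log/kern.log`) while the drops are happening. A run of ACK PSH segments under the INVALID prefix for a flow that is still open at both ends means conntrack's view of that TCP connection no longer matches the real stream, which is exactly the case Stephen asks about: such segments are not ESTABLISHED from netfilter's point of view, so the first rule never sees them. If `conntrack -L` shows no entry for the listed 4-tuple at all, the connection was never tracked on this box and the rule set's assumption does not hold for it.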