Re: Conntrack rule timeout problem

On Wed, 2007-05-23 at 14:47 +0200, Gáspár Lajos wrote:
> Hi,
> 
> Pat Riehecky wrote:
> > I seem to be capturing way more packets than I intend (or even expect!).
> > I am running squid and have the firewall rules below running on it.  For
> > some reason I am capturing hundreds of packets that I don't think should
> > be caught.
> >   
> Maybe someone is scanning you....
> > I have increased the timeouts in /proc/ (via sysctl) to fix this, but no
> > dice.  Anyone have any idea why the sample packet below would be
> > captured?  It is getting picked up by either the 
> > -A INPUT -p tcp -m tcp ! --syn -m conntrack --ctstate INVALID -j DROP
> > but sometimes the
> > -A INPUT -p tcp -m tcp ! --syn -m state --state NEW -j DROP
> >   
> Take a look at nmap...
> > The packet looks to have been requested by squid, it is coming on port
> > 80...  I also seem to be having the same behavior on the squid side
> > where the FIN/ACK packets are being caught by the conntrack rule...
> >
> > I know I have something wrong, just what exactly is eluding me...
> >
> > Any help would be helpful!
> >   
> Swifty
> 

I am about 90% certain that I am not being scanned, as a bunch of the
dropped packets are coming from places like the New York Times,
Microsoft, and Google.  Admittedly they could be spoofed IP addresses,
but the packets are all coming from 80 or 443 and they are all destined
for TCP ports in the ephemeral range.  Additionally, in my squid logs I
have a corresponding entry requesting data from that server.

All evidence I have points to some sort of conntrack timeout.
Occasionally I can find the IP addresses in the output from iptstate,
but... 

Thanks for the ideas, any chance for more theories?
Pat
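One way to check the timeout theory is to look at which TCP entries in the conntrack table are about to expire, since a FIN/ACK that arrives after its entry has been reaped no longer matches any connection and is classified INVALID (or NEW without SYN) by the rules quoted above. The script below is an added example, not something from this thread; it parses the /proc/net/ip_conntrack line layout on a constructed sample dump and maps each expiring state to the nf_conntrack sysctl that governs its lifetime.

```python
import re

# Constructed sample in the /proc/net/ip_conntrack layout (not a real capture):
# proto protonum timeout [tcp-state] original tuple ... reply tuple ... flags
SAMPLE_TABLE = """\
tcp      6 431999 ESTABLISHED src=10.0.0.5 dst=198.51.100.10 sport=40001 dport=80 packets=12 bytes=1500 src=198.51.100.10 dst=10.0.0.5 sport=80 dport=40001 packets=10 bytes=9000 [ASSURED] use=1
tcp      6 7 TIME_WAIT src=10.0.0.5 dst=198.51.100.20 sport=40002 dport=443 packets=8 bytes=900 src=198.51.100.20 dst=10.0.0.5 sport=443 dport=40002 packets=9 bytes=4000 [ASSURED] use=1
tcp      6 3 CLOSE_WAIT src=10.0.0.5 dst=198.51.100.30 sport=40003 dport=80 packets=5 bytes=600 src=198.51.100.30 dst=10.0.0.5 sport=80 dport=40003 packets=4 bytes=2000 [ASSURED] use=1
udp      17 25 src=10.0.0.5 dst=198.51.100.53 sport=5353 dport=53 packets=1 bytes=60 src=198.51.100.53 dst=10.0.0.5 sport=53 dport=5353 packets=1 bytes=120 use=1
"""

# TCP conntrack state -> sysctl (net.netfilter.*) that sets how long such an entry lives
TIMEOUT_SYSCTL = {
    "ESTABLISHED": "nf_conntrack_tcp_timeout_established",
    "FIN_WAIT": "nf_conntrack_tcp_timeout_fin_wait",
    "CLOSE_WAIT": "nf_conntrack_tcp_timeout_close_wait",
    "LAST_ACK": "nf_conntrack_tcp_timeout_last_ack",
    "TIME_WAIT": "nf_conntrack_tcp_timeout_time_wait",
    "CLOSE": "nf_conntrack_tcp_timeout_close",
}

def parse_conntrack(text):
    """Return one dict per entry: proto, seconds left, TCP state, original-direction tuple."""
    entries = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 3:
            continue
        proto, timeout = fields[0], int(fields[2])
        state = fields[3] if proto == "tcp" else None  # only TCP carries a state word
        # the first src/dst/sport/dport group is the original direction (client -> server)
        kv = dict(re.findall(r"(src|dst|sport|dport)=(\S+)", line)[:4])
        entries.append({"proto": proto, "timeout": timeout, "state": state,
                        "src": kv["src"], "sport": int(kv["sport"]),
                        "dst": kv["dst"], "dport": int(kv["dport"])})
    return entries

def expiring_tcp_flows(entries, threshold=10):
    """TCP entries with fewer than `threshold` seconds left, paired with the sysctl
    to inspect; a late FIN/ACK for one of these flows will find no entry."""
    return [(e, TIMEOUT_SYSCTL.get(e["state"], "?")) for e in entries
            if e["proto"] == "tcp" and e["timeout"] < threshold]

if __name__ == "__main__":
    for e, knob in expiring_tcp_flows(parse_conntrack(SAMPLE_TABLE)):
        print(f"{e['src']}:{e['sport']} -> {e['dst']}:{e['dport']} {e['state']} "
              f"{e['timeout']}s left  (see net.netfilter.{knob})")
```

On a live box, feed it the contents of /proc/net/ip_conntrack (or /proc/net/nf_conntrack, which prefixes each line with the address family) instead of the constructed sample.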