On Wednesday 18 June 2008 20:37:27 Jan Engelhardt wrote:
> >> Jun 18 17:03:39 iahabs1 kernel: IN_DROP: IN=eth0 OUT=
> >> MAC=00:1c:23:ca:ec:1d:00:1b:53:87:68:c0:08:00 SRC=10.192.130.104
> >> DST=192.168.51.1 LEN=40 TOS=0x00 PREC=0x00 TTL=119 ID=5563 DF PROTO=TCP
> >> SPT=35557 DPT=80 WINDOW=65149 RES=0x00 ACK FIN URGP=0
> >
> > Because it is a FIN packet... = ! (NEW,RELATED or ESTABLISHED) but
> > INVALID !!!
>
> Seriously, FIN packets should not be dropped, otherwise a connection
> is lurking around until it times out.

Some port scanners use FIN packets ("FIN scan", "Xmas scan") to check
whether a RST is sent back (service listening) or the packet is just
ignored (no service there). In this case, incoming FIN packets won't
belong to a connection, are therefore INVALID, and can be dropped, if you
think that blocking these port scans enhances your security.

FIN packets should not be INVALID if there's an entry in the state table
for the connection they belong to anyway, or am I missing something?

Benedikt
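As an added example (not code from the thread or from the netfilter project), here is the check a practitioner would want before deciding to drop INVALID FIN packets: a small Python triage that parses lines in the netfilter LOG format shown above, pulls out the TCP flag words the kernel prints between RES= and URGP=, and separates the classic scan signatures (bare FIN, FIN/PSH/URG "Xmas", no flags at all) from a FIN/ACK like the quoted one, which is an ordinary teardown segment that simply no longer has a conntrack entry behind it. The parser, the classifier and every sample line except the first are constructed for this example; the first sample line is the one quoted in the thread, rejoined onto one line. For context, the behaviour the scans rely on is the RFC 793 one: a closed port answers a bare FIN with a RST, an open port silently ignores it.

```python
# Added example: triage of netfilter LOG lines for dropped INVALID TCP packets.
# The kernel prints the set TCP flags as space-separated words, in the order
# CWR ECE URG ACK PSH RST SYN FIN, between the RES= and URGP= fields.

FLAG_WORDS = {"CWR", "ECE", "URG", "ACK", "PSH", "RST", "SYN", "FIN"}
IP_MARKERS = {"DF", "MF", "CE"}   # bare IP-level markers, no '=' sign

# Constructed sample log; the first line is the one quoted in the thread.
SAMPLE_LOG = [
    "Jun 18 17:03:39 iahabs1 kernel: IN_DROP: IN=eth0 OUT= "
    "MAC=00:1c:23:ca:ec:1d:00:1b:53:87:68:c0:08:00 SRC=10.192.130.104 "
    "DST=192.168.51.1 LEN=40 TOS=0x00 PREC=0x00 TTL=119 ID=5563 DF PROTO=TCP "
    "SPT=35557 DPT=80 WINDOW=65149 RES=0x00 ACK FIN URGP=0",
    # constructed: bare FIN probe (nmap -sF style) against port 22
    "Jun 18 17:05:01 iahabs1 kernel: IN_DROP: IN=eth0 OUT= "
    "MAC=00:1c:23:ca:ec:1d:00:1b:53:87:68:c0:08:00 SRC=192.0.2.10 "
    "DST=192.168.51.1 LEN=40 TOS=0x00 PREC=0x00 TTL=48 ID=1 PROTO=TCP "
    "SPT=40000 DPT=22 WINDOW=1024 RES=0x00 FIN URGP=0",
    # constructed: Xmas probe (nmap -sX style), flags printed in kernel order
    "Jun 18 17:05:02 iahabs1 kernel: IN_DROP: IN=eth0 OUT= "
    "MAC=00:1c:23:ca:ec:1d:00:1b:53:87:68:c0:08:00 SRC=192.0.2.10 "
    "DST=192.168.51.1 LEN=40 TOS=0x00 PREC=0x00 TTL=48 ID=2 PROTO=TCP "
    "SPT=40001 DPT=25 WINDOW=1024 RES=0x00 URG PSH FIN URGP=0",
    # constructed: NULL probe (nmap -sN style), no flag words at all
    "Jun 18 17:05:03 iahabs1 kernel: IN_DROP: IN=eth0 OUT= "
    "MAC=00:1c:23:ca:ec:1d:00:1b:53:87:68:c0:08:00 SRC=192.0.2.10 "
    "DST=192.168.51.1 LEN=40 TOS=0x00 PREC=0x00 TTL=48 ID=3 PROTO=TCP "
    "SPT=40002 DPT=443 WINDOW=1024 RES=0x00 URGP=0",
    # constructed: a UDP drop, which the TCP triage must skip
    "Jun 18 17:05:04 iahabs1 kernel: IN_DROP: IN=eth0 OUT= "
    "MAC=00:1c:23:ca:ec:1d:00:1b:53:87:68:c0:08:00 SRC=192.0.2.11 "
    "DST=192.168.51.1 LEN=60 TOS=0x00 PREC=0x00 TTL=60 ID=9 PROTO=UDP "
    "SPT=5353 DPT=5353 LEN=40",
]


def parse_nflog(line):
    """Return (fields, flags) for one netfilter LOG line.

    fields: dict of KEY=VALUE tokens plus the --log-prefix under 'PREFIX'
            and IP markers such as DF as booleans.
    flags:  set of TCP flag words present in the line.
    """
    payload = line.split("kernel:", 1)[-1]   # drop the syslog timestamp/host
    fields, flags = {}, set()
    for tok in payload.split():
        if "=" in tok:
            key, value = tok.split("=", 1)
            fields[key] = value
        elif tok in FLAG_WORDS:
            flags.add(tok)
        elif tok in IP_MARKERS:
            fields[tok] = True
        elif tok.endswith(":"):               # the rule's --log-prefix
            fields["PREFIX"] = tok[:-1]
    return fields, flags


def classify(flags):
    """Map the flag set of a packet dropped as INVALID to a likely cause."""
    if flags == {"FIN"}:
        return "fin-scan"        # bare FIN: nothing legitimate sends this
    if flags == {"FIN", "PSH", "URG"}:
        return "xmas-scan"       # FIN/PSH/URG: the 'Xmas tree' probe
    if not flags:
        return "null-scan"       # no flags at all: the NULL probe
    if "FIN" in flags and "ACK" in flags and "SYN" not in flags:
        # Normal teardown segment with no conntrack entry behind it: the
        # entry already timed out, was flushed, or the connection predates
        # the current conntrack table. A stale connection, not a scan.
        return "stale-fin-ack"
    return "other"


def triage(lines):
    """Classify every TCP drop line and return a verdict -> count dict."""
    counts = {}
    for line in lines:
        fields, flags = parse_nflog(line)
        if fields.get("PROTO") != "TCP":
            continue
        verdict = classify(flags)
        counts[verdict] = counts.get(verdict, 0) + 1
    return counts


if __name__ == "__main__":
    for verdict, n in sorted(triage(SAMPLE_LOG).items()):
        print(f"{verdict:15s} {n}")
```

The point of the split verdicts is the one raised in the thread: a ruleset that drops everything conntrack calls INVALID catches the three scan signatures, but the first sample line (ACK FIN from a real client) is the other case, a teardown that arrived after the state-table entry was gone, and a count of those in your own logs tells you how much legitimate close traffic the DROP is eating before you decide whether the scan blocking is worth it.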