Hi,

I have a LOG&DROP rule for both the INVALID and NEW states using the "ctstate" match, rules 19/20 and 22/23. However, as the log shows over time (at the bottom), I sometimes have packets LOG&DROP'ed by the "ctstate NEW" rule that I suspect should not be matched there.

I am assuming it is either a bug or a "feature", so my question is simply whether this is "normal" or something that may happen by "fault", what the "cause" of it is, and whether it can be "fixed" in the state engine itself (not with rules checking for the SYN bit and such). (As far as I understand the basis of a firewall state engine, a TCP packet should never have state NEW unless the SYN bit is set.) (I cannot rule out that the LOG is the "bug" either, meaning the packet actually has the SYN bit set but the log shows differently.)

srv001:~/FireWall # iptables --line-numbers -nvL INPUT
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
num   pkts bytes target   prot opt in   out source      destination
1      23M 1954M ACCEPT   all  --  *    *   0.0.0.0/0   0.0.0.0/0   ctstate RELATED,ESTABLISHED
2    2622K  783M in-eth0  all  --  eth0 *   0.0.0.0/0   0.0.0.0/0
3        0     0 ACCEPT   all  --  lo   *   0.0.0.0/0   0.0.0.0/0
4        0     0 LOG      all  --  *    *   0.0.0.0/0   0.0.0.0/0   LOG flags 6 level 4 prefix "FW-INVALID-INPUT "
5        0     0 DROP     all  --  *    *   0.0.0.0/0   0.0.0.0/0

srv001:~/FireWall # iptables --line-numbers -nvL in-eth0
Chain in-eth0 (1 references)
num   pkts bytes target   prot opt in   out source      destination
1    2136K  756M DROP     all  --  *    *   AA.BB.CC.*  0.0.0.0/0   PKTTYPE = broadcast
2     2383  181K ACCEPT   all  --  *    *   H.O.S.T     0.0.0.0/0   ctstate NEW
[cut]
19     700 31862 LOG      all  --  *    *   0.0.0.0/0   0.0.0.0/0   ctstate INVALID LOG flags 6 level 4 prefix "FW-IN-INVALID "
20     700 31862 DROP     all  --  *    *   0.0.0.0/0   0.0.0.0/0   ctstate INVALID
21    1644 99318 DROP     all  --  *    *   0.0.0.0/0   0.0.0.0/0   limit: above 5/min burst 5 mode srcip htable-expire 30000
22    7459  305K LOG      tcp  --  *    *   0.0.0.0/0   0.0.0.0/0   ctstate NEW LOG flags 6 level 4 prefix "FW-IN-DROP-TCP "
23    7459  305K DROP     tcp  --  *    *   0.0.0.0/0   0.0.0.0/0   ctstate NEW
24     359  123K LOG      udp  --  *    *   0.0.0.0/0   0.0.0.0/0   LOG flags 4 level 4 prefix "FW-IN-DROP-UDP "
25     359  123K DROP     udp  --  *    *   0.0.0.0/0   0.0.0.0/0
26       2    80 LOG      icmp --  *    *   0.0.0.0/0   0.0.0.0/0   LOG flags 4 level 4 prefix "FW-IN-DROP-ICMP "
27       2    80 DROP     icmp --  *    *   0.0.0.0/0   0.0.0.0/0
28       0     0 LOG      all  --  *    *   0.0.0.0/0   0.0.0.0/0   LOG flags 6 level 4 prefix "FW-IN-DROP-UNKNOWN "
29       0     0 DROP     all  --  *    *   0.0.0.0/0   0.0.0.0/0

Apr 15 20:25:31 FW-IN-DROP-TCP IN=eth0 OUT= SRC=178.57.222.100 DST=AA.BB.CC.DD LEN=40 TOS=0x00 PREC=0x00 TTL=58 ID=3897 PROTO=TCP SPT=25081 DPT=47278 WINDOW=16384 RES=0x00 ACK URGP=0
Apr 15 20:31:24 FW-IN-DROP-TCP IN=eth0 OUT= SRC=178.57.222.100 DST=AA.BB.CC.DD LEN=40 TOS=0x00 PREC=0x00 TTL=58 ID=50634 PROTO=TCP SPT=25081 DPT=51929 WINDOW=16384 RES=0x00 ACK URGP=0
Apr 18 22:46:34 FW-IN-DROP-TCP IN=eth0 OUT= SRC=212.224.121.150 DST=AA.BB.CC.DD LEN=40 TOS=0x00 PREC=0x00 TTL=59 ID=45792 PROTO=TCP SPT=25565 DPT=45463 WINDOW=16384 RES=0x00 ACK URGP=0
Apr 18 22:56:44 FW-IN-DROP-TCP IN=eth0 OUT= SRC=212.224.121.150 DST=AA.BB.CC.DD LEN=40 TOS=0x00 PREC=0x00 TTL=59 ID=41802 PROTO=TCP SPT=25577 DPT=49359 WINDOW=16384 RES=0x00 ACK URGP=0
Apr 18 23:27:56 FW-IN-DROP-TCP IN=eth0 OUT= SRC=212.224.121.150 DST=AA.BB.CC.DD LEN=40 TOS=0x00 PREC=0x00 TTL=59 ID=44249 PROTO=TCP SPT=25577 DPT=42601 WINDOW=16384 RES=0x00 ACK URGP=0
Apr 19 02:21:32 FW-IN-DROP-TCP IN=eth0 OUT= SRC=212.224.121.150 DST=AA.BB.CC.DD LEN=40 TOS=0x00 PREC=0x00 TTL=59 ID=36855 PROTO=TCP SPT=25577 DPT=50413 WINDOW=16384 RES=0x00 ACK URGP=0
Apr 19 22:46:57 FW-IN-DROP-TCP IN=eth0 OUT= SRC=79.133.37.3 DST=AA.BB.CC.DD LEN=40 TOS=0x00 PREC=0x00 TTL=59 ID=55848 PROTO=TCP SPT=25565 DPT=43052 WINDOW=16384 RES=0x00 ACK URGP=0
Apr 19 22:59:45 FW-IN-DROP-TCP IN=eth0 OUT= SRC=79.133.37.3 DST=AA.BB.CC.DD LEN=40 TOS=0x00 PREC=0x00 TTL=59 ID=26180 PROTO=TCP SPT=25565 DPT=40630 WINDOW=16384 RES=0x00 ACK URGP=0
Apr 19 23:17:54 FW-IN-DROP-TCP IN=eth0 OUT= SRC=79.133.37.3 DST=AA.BB.CC.DD LEN=40 TOS=0x00 PREC=0x00 TTL=59 ID=114 PROTO=TCP SPT=25565 DPT=44993 WINDOW=16384 RES=0x00 ACK URGP=0
Apr 19 23:19:10 FW-IN-DROP-TCP IN=eth0 OUT= SRC=79.133.37.3 DST=AA.BB.CC.DD LEN=40 TOS=0x00 PREC=0x00 TTL=59 ID=18161 PROTO=TCP SPT=25565 DPT=48617 WINDOW=16384 RES=0x00 ACK URGP=0
Apr 25 13:26:42 FW-IN-DROP-TCP IN=eth0 OUT= SRC=166.176.57.49 DST=AA.BB.CC.DD LEN=40 TOS=0x00 PREC=0x00 TTL=55 ID=27527 PROTO=TCP SPT=3074 DPT=43321 WINDOW=16384 RES=0x00 ACK URGP=0
Apr 26 11:06:45 FW-IN-DROP-TCP IN=eth0 OUT= SRC=122.117.167.243 DST=AA.BB.CC.DD LEN=552 TOS=0x00 PREC=0x00 TTL=53 ID=61084 PROTO=TCP SPT=4025 DPT=50674 WINDOW=36897 RES=0x00 ACK URGP=0
May 01 09:40:52 FW-IN-DROP-TCP IN=eth0 OUT= SRC=220.132.126.157 DST=AA.BB.CC.DD LEN=552 TOS=0x00 PREC=0x00 TTL=52 ID=32904 PROTO=TCP SPT=23085 DPT=10580 WINDOW=61079 RES=0x00 ACK URGP=0
May 07 10:36:19 FW-IN-DROP-TCP IN=eth0 OUT= SRC=220.132.175.144 DST=AA.BB.CC.DD LEN=552 TOS=0x00 PREC=0x00 TTL=52 ID=28464 PROTO=TCP SPT=52914 DPT=35349 WINDOW=6463 RES=0x00 ACK URGP=0
May 08 05:08:22 FW-IN-DROP-TCP IN=eth0 OUT= SRC=208.66.239.10 DST=AA.BB.CC.DD LEN=40 TOS=0x00 PREC=0x00 TTL=57 ID=28274 PROTO=TCP SPT=1935 DPT=32433 WINDOW=16384 RES=0x00 ACK URGP=0
May 08 05:13:06 FW-IN-DROP-TCP IN=eth0 OUT= SRC=208.66.239.10 DST=AA.BB.CC.DD LEN=40 TOS=0x00 PREC=0x00 TTL=57 ID=45061 PROTO=TCP SPT=1935 DPT=32433 WINDOW=16384 RES=0x00 ACK URGP=0

Best regards
André Paulsberg-Csibi
Senior Network Engineer
IBM Services AS
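The logged packets above all carry ACK without SYN, which is exactly the case Linux conntrack treats as NEW rather than INVALID when the sysctl nf_conntrack_tcp_loose is 1 (the default, so that connections already in progress can be picked up mid-stream). The following script is an added example, not part of the post: it parses iptables LOG lines in this format, reports TCP entries logged by the ctstate NEW rule that have no SYN, and models (as a simplification, not the kernel's state table) how tcp_loose changes their classification; the sample lines and addresses are constructed.

```python
from typing import Dict, List, Set

TCP_FLAGS = {"SYN", "ACK", "FIN", "RST", "PSH", "URG", "ECE", "CWR"}

# Constructed sample lines in the iptables LOG format of the post (documentation addresses).
SAMPLE_LOG = [
    "Apr 15 20:25:31 FW-IN-DROP-TCP IN=eth0 OUT= SRC=192.0.2.10 DST=198.51.100.5 LEN=40 "
    "TOS=0x00 PREC=0x00 TTL=58 ID=3897 PROTO=TCP SPT=25081 DPT=47278 WINDOW=16384 RES=0x00 ACK URGP=0",
    "Apr 15 20:26:02 FW-IN-DROP-TCP IN=eth0 OUT= SRC=192.0.2.11 DST=198.51.100.5 LEN=60 "
    "TOS=0x00 PREC=0x00 TTL=51 ID=1 DF PROTO=TCP SPT=41000 DPT=22 WINDOW=29200 RES=0x00 SYN URGP=0",
    "Apr 15 20:27:45 FW-IN-DROP-UDP IN=eth0 OUT= SRC=192.0.2.12 DST=198.51.100.5 LEN=32 "
    "TOS=0x00 PREC=0x00 TTL=60 ID=9 PROTO=UDP SPT=5353 DPT=5353 LEN=12",
]

def parse_log_line(line: str) -> Dict[str, object]:
    """Split an iptables LOG line into timestamp, log prefix, key=value fields and TCP flag tokens."""
    tokens = line.split()
    first_kv = next(i for i, t in enumerate(tokens) if "=" in t)
    fields: Dict[str, str] = {}
    flags: Set[str] = set()
    for tok in tokens[first_kv:]:
        if "=" in tok:
            key, _, value = tok.partition("=")
            fields.setdefault(key, value)  # keep the IP-header LEN=, not the trailing UDP LEN=
        elif tok in TCP_FLAGS:             # flags are logged as bare words between RES= and URGP=
            flags.add(tok)
    return {"ts": " ".join(tokens[:3]), "prefix": " ".join(tokens[3:first_kv]),
            "fields": fields, "flags": flags}

def expected_ctstate(flags: Set[str], tcp_loose: bool = True) -> str:
    """Simplified model (an assumption, not the kernel's table) of how nf_conntrack classifies a
    TCP packet with no existing entry: a bare SYN opens a NEW connection; a plain ACK is picked
    up as NEW only while nf_conntrack_tcp_loose is on; anything else is INVALID."""
    if "SYN" in flags and "ACK" not in flags:
        return "NEW"
    if "ACK" in flags and not flags & {"SYN", "FIN", "RST"}:
        return "NEW" if tcp_loose else "INVALID"
    return "INVALID"

def find_new_without_syn(lines: List[str], new_prefix: str = "FW-IN-DROP-TCP") -> List[Dict[str, object]]:
    """Return the TCP entries logged by the ctstate NEW rule whose flags carry no SYN."""
    return [e for e in map(parse_log_line, lines)
            if e["prefix"] == new_prefix and e["fields"].get("PROTO") == "TCP"
            and "SYN" not in e["flags"]]

if __name__ == "__main__":
    for e in find_new_without_syn(SAMPLE_LOG):
        print(e["ts"], e["fields"]["SRC"], sorted(e["flags"]), "tcp_loose=1 ->",
              expected_ctstate(e["flags"]), "tcp_loose=0 ->", expected_ctstate(e["flags"], False))
```

Run it against the real log to confirm every FW-IN-DROP-TCP entry is an ACK-only packet; with the model, those become INVALID (and so hit rules 19/20 instead) once tcp_loose is 0.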