André Paulsberg-Csibi (IBM Consultant) <Andre.Paulsberg-Csibi@xxxxxxxx> wrote:

> I have LOG&DROP option rule for both states INVALID and NEW using the "ctstate" function, rule 19/20 and 22/23.
> However, as the log shows over time (at bottom), I sometimes have packets LOG&DROP for the "ctstate NEW" that I suspect should not be matched there.
>
> I am assuming it is either a bug or a "feature", so my question is simply if this is "normal" or if this is something that may happen by "fault",
> and what is the "cause" of it and can it be "fixed" in the state engine itself (not with rules checking for SYN bit and such)
> (as far as I understand the basis of a FireWall state engine, a TCP packet should never have NEW STATE unless the SYN bit is set)

Depends on net.netfilter.nf_conntrack_tcp_loose setting. If 1, it will also pick up connections mid-stream.

--
To unsubscribe from this list: send the line "unsubscribe netfilter" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
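The following is an added example, not part of the list thread above, that makes the reply concrete from the log side: with nf_conntrack_tcp_loose=1 conntrack may create a NEW entry for a non-SYN packet seen mid-stream, so a "ctstate NEW" LOG&DROP rule can legitimately log ACK-only packets. The script classifies iptables LOG lines by their TCP flag words and counts the NEW drops that carry no SYN; those are the ones that can only come from mid-stream pickup. The log prefixes DROP-NEW and DROP-INVALID and the sample lines are constructed assumptions, not the poster's actual log.

```shell
#!/bin/sh
# Added example (not from the list post). Classify iptables LOG lines so that
# "ctstate NEW" drops of non-SYN TCP packets can be counted. Such packets only
# become NEW when net.netfilter.nf_conntrack_tcp_loose=1 lets conntrack pick up
# a connection mid-stream; setting it to 0 (e.g. in sysctl.conf:
#   net.netfilter.nf_conntrack_tcp_loose = 0
# ) makes non-SYN packets without a conntrack entry INVALID instead.

# Constructed sample lines in the shape the iptables LOG target writes to syslog.
# The prefixes DROP-NEW / DROP-INVALID are assumed rule prefixes, not the poster's.
SAMPLE_LOG='kernel: DROP-NEW IN=eth0 OUT= SRC=192.0.2.10 DST=198.51.100.5 PROTO=TCP SPT=43210 DPT=22 SYN URGP=0
kernel: DROP-NEW IN=eth0 OUT= SRC=192.0.2.11 DST=198.51.100.5 PROTO=TCP SPT=50123 DPT=443 ACK URGP=0
kernel: DROP-NEW IN=eth0 OUT= SRC=192.0.2.12 DST=198.51.100.5 PROTO=TCP SPT=50124 DPT=443 ACK PSH URGP=0
kernel: DROP-INVALID IN=eth0 OUT= SRC=192.0.2.13 DST=198.51.100.5 PROTO=TCP SPT=50125 DPT=443 RST URGP=0'

# flags_of LINE: print the TCP flag words (SYN ACK FIN RST PSH URG) found in one LOG line,
# space separated, in the order they appear. URGP=0 is not a flag and is ignored.
flags_of() {
  printf '%s\n' "$1" | tr ' ' '\n' | grep -E '^(SYN|ACK|FIN|RST|PSH|URG)$' | tr '\n' ' ' | sed 's/ $//'
}

# is_midstream_new LINE: exit 0 when the line is a DROP-NEW TCP packet whose flags
# do not include SYN, i.e. a packet that reached ctstate NEW without starting a handshake.
is_midstream_new() {
  line=$1
  case $line in
    *DROP-NEW*PROTO=TCP*) ;;
    *) return 1 ;;
  esac
  case " $(flags_of "$line") " in
    *" SYN "*) return 1 ;;
  esac
  return 0
}

# count_midstream_new: read LOG lines from stdin, print how many are non-SYN NEW drops.
count_midstream_new() {
  n=0
  while IFS= read -r l; do
    if is_midstream_new "$l"; then n=$((n+1)); fi
  done
  echo "$n"
}

# show_tcp_loose: report the live setting on this host (only meaningful on a Linux
# box with nf_conntrack loaded; the value is host dependent and not asserted anywhere).
show_tcp_loose() {
  f=/proc/sys/net/netfilter/nf_conntrack_tcp_loose
  if [ -r "$f" ]; then
    echo "nf_conntrack_tcp_loose=$(cat "$f")"
  else
    echo "nf_conntrack_tcp_loose: not readable on this host"
  fi
}

# Stand-alone run: count the constructed sample and show the host setting.
printf 'non-SYN NEW drops in sample: %s\n' "$(printf '%s\n' "$SAMPLE_LOG" | count_midstream_new)"
show_tcp_loose
```

Run against a real syslog with `grep DROP-NEW /var/log/kern.log | count_midstream_new` (after sourcing the script and adjusting the prefix to whatever the rule uses). A non-zero count together with nf_conntrack_tcp_loose=1 is the expected, non-buggy behaviour the reply describes; a non-zero count with the setting at 0 would be worth a closer look.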