"straggler" packets being logged

I'm noticing an increase in the following sort of packet drop logs from
iptables:

Sep  2 17:08:56 gw kernel: [28287.557719] Shorewall:net2fw:DROP:IN=eth0.2 OUT= SRC=4.24.10.6 DST=7.1.2.1 LEN=102 TOS=0x00 PREC=0x00 TTL=237 ID=57081 DF PROTO=TCP SPT=6667 DPT=51394 WINDOW=110 RES=0x00 ACK PSH URGP=0 MARK=0x100 
Sep  2 17:08:56 gw kernel: [28287.804612] Shorewall:net2fw:DROP:IN=eth0.2 OUT= SRC=4.24.10.6 DST=7.1.2.1 LEN=102 TOS=0x00 PREC=0x00 TTL=237 ID=57082 DF PROTO=TCP SPT=6667 DPT=51394 WINDOW=110 RES=0x00 ACK PSH URGP=0 MARK=0x100 
Sep  2 17:08:56 gw kernel: [28288.045603] Shorewall:net2fw:DROP:IN=eth0.2 OUT= SRC=4.24.10.6 DST=7.1.2.1 LEN=102 TOS=0x00 PREC=0x00 TTL=237 ID=57083 DF PROTO=TCP SPT=6667 DPT=51394 WINDOW=110 RES=0x00 ACK PSH URGP=0 MARK=0x100 
Sep  2 17:08:57 gw kernel: [28288.532529] Shorewall:net2fw:DROP:IN=eth0.2 OUT= SRC=4.24.10.6 DST=7.1.2.1 LEN=102 TOS=0x00 PREC=0x00 TTL=237 ID=57084 DF PROTO=TCP SPT=6667 DPT=51394 WINDOW=110 RES=0x00 ACK PSH URGP=0 MARK=0x100 

They are part of what should be a legitimate TCP session.  Are they
perhaps straggler packets that come in after the TCP session has been
shut down and removed from the conntrack table?  If so, is there any
way to extend the timeout of removing the entry from the conntrack
table so that these stragglers don't look like nefarious activity?

Or are these something else I am not thinking of?

Cheers,
b.
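
Added example, not part of the original message: one way to triage drop logs like the ones quoted above is to group them by flow and separate bare-SYN packets (new connection attempts) from mid-stream segments such as the ACK PSH packets in the post. The function names are hypothetical, and the last sample line is constructed for contrast.

```python
import re
from collections import defaultdict

# First four lines are the drops quoted in the post; the fifth is a
# constructed bare-SYN drop added only for contrast.
SAMPLE = """\
Sep  2 17:08:56 gw kernel: [28287.557719] Shorewall:net2fw:DROP:IN=eth0.2 OUT= SRC=4.24.10.6 DST=7.1.2.1 LEN=102 TOS=0x00 PREC=0x00 TTL=237 ID=57081 DF PROTO=TCP SPT=6667 DPT=51394 WINDOW=110 RES=0x00 ACK PSH URGP=0 MARK=0x100
Sep  2 17:08:56 gw kernel: [28287.804612] Shorewall:net2fw:DROP:IN=eth0.2 OUT= SRC=4.24.10.6 DST=7.1.2.1 LEN=102 TOS=0x00 PREC=0x00 TTL=237 ID=57082 DF PROTO=TCP SPT=6667 DPT=51394 WINDOW=110 RES=0x00 ACK PSH URGP=0 MARK=0x100
Sep  2 17:08:56 gw kernel: [28288.045603] Shorewall:net2fw:DROP:IN=eth0.2 OUT= SRC=4.24.10.6 DST=7.1.2.1 LEN=102 TOS=0x00 PREC=0x00 TTL=237 ID=57083 DF PROTO=TCP SPT=6667 DPT=51394 WINDOW=110 RES=0x00 ACK PSH URGP=0 MARK=0x100
Sep  2 17:08:57 gw kernel: [28288.532529] Shorewall:net2fw:DROP:IN=eth0.2 OUT= SRC=4.24.10.6 DST=7.1.2.1 LEN=102 TOS=0x00 PREC=0x00 TTL=237 ID=57084 DF PROTO=TCP SPT=6667 DPT=51394 WINDOW=110 RES=0x00 ACK PSH URGP=0 MARK=0x100
Sep  2 17:09:01 gw kernel: [28292.100000] Shorewall:net2fw:DROP:IN=eth0.2 OUT= SRC=198.51.100.7 DST=7.1.2.1 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=4242 DF PROTO=TCP SPT=40000 DPT=22 WINDOW=29200 RES=0x00 SYN URGP=0 MARK=0x100
"""

FLAGS = {"SYN", "ACK", "PSH", "FIN", "RST", "URG"}
TS = re.compile(r"\[\s*(\d+\.\d+)\]")  # kernel uptime stamp, e.g. [28287.557719]

def parse(line):
    """Return timestamp, flow tuple, IP ID and TCP flags for one LOG line."""
    m = TS.search(line)
    if not m or "PROTO=TCP" not in line:
        return None
    tokens = line.split()
    kv = dict(t.split("=", 1) for t in tokens if "=" in t)
    return {"ts": float(m.group(1)),
            "flow": (kv["SRC"], int(kv["SPT"]), kv["DST"], int(kv["DPT"])),
            "id": int(kv["ID"]),
            "flags": FLAGS.intersection(tokens)}

def summarize(log_text):
    """Group dropped TCP packets by flow and describe each group."""
    flows = defaultdict(list)
    for p in filter(None, map(parse, log_text.splitlines())):
        flows[p["flow"]].append(p)
    report = {}
    for flow, pkts in flows.items():
        pkts.sort(key=lambda p: p["ts"])
        pairs = list(zip(pkts, pkts[1:]))
        # SYN without ACK opens a connection; anything else is mid-stream.
        opens = any("SYN" in p["flags"] and "ACK" not in p["flags"] for p in pkts)
        report[flow] = {
            "count": len(pkts),
            "kind": "new-connection attempt" if opens else "mid-stream",
            "sequential_ids": all(b["id"] - a["id"] == 1 for a, b in pairs),
            "gaps": [round(b["ts"] - a["ts"], 3) for a, b in pairs],
        }
    return report

if __name__ == "__main__":
    for flow, info in summarize(SAMPLE).items():
        print(flow, info)
```

For the logged flow this reports four mid-stream packets with consecutive IP IDs from a single source port, which is what one sender continuing an existing session looks like, as opposed to probes across many ports.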
