On Fri, 2018-10-05 at 15:24 +0000, André Paulsberg-Csibi (IBM Consultant) wrote:
> HI ,

Hi,

> When you get PSH ACK packet from a SERVICE like IRC , that is
> typically caused by 4 different scenarios ( there are others )
>
> 1. Your client recently abruptly closed ( RST ) the session , and the
> SERVICE had not received the RST prior to sending your client new
> session data
> 2. Your client closed the session with 4 way FIN , but the service
> side for some reason did not acknowledge the closing prior to sending
> additional session data .
> 3. Some other unit on the path sent ( RST ) for the traffic , causing
> a similar result as #1
> 4. The traffic is not related to your active session , and might also
> be from an unknown 3. party

So, in any/all of these cases, conntrack immediately stops allowing these packets to reach their recipient, yes?

Is there any way to adjust this so that there is some kind of "hang time" after a session closes to let any stragglers drain without being logged as "suspicious activity"? I.e. it is very different to receive packets that may no longer be valid for a connection that was valid only moments ago than it is to receive completely unsolicited "port-knocking" packets.

I'm looking to allow for some kind of "grace time" after a connection closes to allow the network to drain of straggling traffic for that connection.

Cheers,
b.
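The distinction the question draws, between late packets for a flow that was valid moments ago and genuinely unsolicited traffic, can be made explicit on the logging side even if conntrack itself drops both. The following is an added illustration, not code from the thread or from the netfilter project: a small state tracker that remembers when each flow was closed and labels a later packet for that flow as a "straggler" if it arrives within a grace window, and "unsolicited" otherwise. The flow endpoints, timestamps and the `grace_seconds` parameter are constructed for the example; the four numbered scenarios quoted above map onto the sample events in `sample_events()`.

```python
"""Grace-window triage for TCP packets seen after their flow was closed.

Added example (not from the mailing-list thread).  It models the idea
of a "grace time" after a close: a packet for a flow closed less than
grace_seconds ago is a straggler, anything else without an open flow
is unsolicited.  It classifies log events only; it does not alter what
nf_conntrack does with the packets.
"""
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Tuple

Endpoint = Tuple[str, int]
FlowKey = Tuple[Endpoint, Endpoint]


def flow_key(a: str, ap: int, b: str, bp: int) -> FlowKey:
    """Direction-independent key so a packet from the server side matches
    the flow the client opened."""
    return tuple(sorted([(a, ap), (b, bp)]))  # type: ignore[return-value]


@dataclass
class Event:
    t: float          # seconds, relative to the start of the sample
    kind: str         # 'open', 'close' or 'pkt'
    flow: FlowKey
    flags: str = ""   # TCP flags for 'pkt', close reason (FIN/RST) for 'close'


def triage(events: List[Event], grace_seconds: float = 10.0) -> List[Tuple[float, FlowKey, str]]:
    """Label every 'pkt' event as 'established', 'straggler' or 'unsolicited'."""
    open_flows = set()
    closed_at: Dict[FlowKey, Tuple[float, str]] = {}
    labelled = []
    for ev in sorted(events, key=lambda e: e.t):
        if ev.kind == "open":
            open_flows.add(ev.flow)
            closed_at.pop(ev.flow, None)          # a reopened flow is no longer "recently closed"
        elif ev.kind == "close":
            open_flows.discard(ev.flow)
            closed_at[ev.flow] = (ev.t, ev.flags)
        elif ev.kind == "pkt":
            if ev.flow in open_flows:
                label = "established"
            elif ev.flow in closed_at and ev.t - closed_at[ev.flow][0] <= grace_seconds:
                label = "straggler"              # scenarios 1-3: late data for a just-closed flow
            else:
                label = "unsolicited"            # scenario 4, or a flow closed long ago
            labelled.append((ev.t, ev.flow, label))
    return labelled


def sample_events() -> List[Event]:
    """Constructed sample, not captured traffic: a client talks to an IRC
    server, aborts the session with RST, then sees a late PSH/ACK; an
    unrelated host probes port 22 in between."""
    irc = flow_key("192.0.2.10", 51234, "198.51.100.7", 6667)
    probe = flow_key("203.0.113.9", 40000, "192.0.2.10", 22)
    return [
        Event(0.0, "open", irc),
        Event(5.0, "pkt", irc, "PA"),       # normal data while established
        Event(20.0, "close", irc, "RST"),   # client aborted the session
        Event(22.0, "pkt", irc, "PA"),      # scenario 1: server data sent before it saw the RST
        Event(30.0, "pkt", probe, "S"),     # scenario 4: unrelated third party
        Event(90.0, "pkt", irc, "PA"),      # same flow, but well outside the grace window
    ]


def run_sample(grace_seconds: float = 10.0) -> List[str]:
    """Labels for the sample, in time order."""
    return [label for _, _, label in triage(sample_events(), grace_seconds)]


def summarize(grace_seconds: float = 10.0) -> Dict[str, int]:
    """Count of each label for the sample; the 'unsolicited' bucket is the
    one worth alerting on, the 'straggler' bucket is the one to suppress."""
    return dict(Counter(run_sample(grace_seconds)))


if __name__ == "__main__":
    for t, flow, label in triage(sample_events()):
        print(f"t={t:5.1f}s {flow[0][0]}:{flow[0][1]} <-> {flow[1][0]}:{flow[1][1]}  {label}")
    print(summarize())
```

Widening `grace_seconds` moves the 90-second packet from "unsolicited" to "straggler", which is exactly the trade-off the question is about: a longer window hides more late data from the "suspicious activity" log but also hides more of what could be unrelated traffic. On the kernel side the equivalent knobs are conntrack's per-state TCP timeouts (sysctls under `net.netfilter.nf_conntrack_tcp_timeout_*`), which this example does not touch.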