I often see entries such as this being logged in my system log:

    IN=ens3 OUT= MAC=[redacted] SRC=[redacted] DST=10.75.26.3 LEN=74 TOS=0x00 PREC=0x00 TTL=43 ID=3769 DF PROTO=TCP SPT=33944 DPT=22 WINDOW=229 RES=0x00 ACK PSH URGP=0

I suspect these are packets that come straggling in after a TCP connection has been shut down.

Is there any way to have netfilter give recently shut down TCP connections a bit of grace time before logging packets that have been sent after they were shut down, just to reduce the false-positive noise in my logs?

Same goes for UDP in fact:

    IN=eth0.2 OUT= MAC=[redacted] SRC=[redacted, remote IP] DST=[redacted, my local IP] LEN=99 TOS=0x00 PREC=0x00 TTL=59 ID=0 DF PROTO=UDP SPT=443 DPT=37242 LEN=79 MARK=0x3f00

for, for example, QUIC connections.

Cheers,
b.
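A triage sketch for the log entries quoted in the message above, as an added example that is not part of the original post: it parses lines in the quoted format and groups them by flow, separating mid-stream TCP segments and UDP packets from source port 443 from new-connection attempts. The sample lines, their addresses and the bucket names are constructed for illustration, and the buckets are a heuristic, not what netfilter's connection tracking decided.

```python
import re
from collections import Counter

# Constructed sample lines in the log format quoted above; SRC and MAC values
# are documentation-range placeholders, not values from the post.
SAMPLE = """\
IN=ens3 OUT= MAC=00:00:5e:00:53:01 SRC=198.51.100.7 DST=10.75.26.3 LEN=74 TOS=0x00 PREC=0x00 TTL=43 ID=3769 DF PROTO=TCP SPT=33944 DPT=22 WINDOW=229 RES=0x00 ACK PSH URGP=0
IN=ens3 OUT= MAC=00:00:5e:00:53:01 SRC=198.51.100.7 DST=10.75.26.3 LEN=52 TOS=0x00 PREC=0x00 TTL=43 ID=3770 DF PROTO=TCP SPT=33944 DPT=22 WINDOW=229 RES=0x00 ACK FIN URGP=0
IN=ens3 OUT= MAC=00:00:5e:00:53:01 SRC=203.0.113.9 DST=10.75.26.3 LEN=60 TOS=0x00 PREC=0x00 TTL=51 ID=1 DF PROTO=TCP SPT=40000 DPT=23 WINDOW=1024 RES=0x00 SYN URGP=0
IN=eth0.2 OUT= MAC=00:00:5e:00:53:02 SRC=192.0.2.44 DST=10.75.26.3 LEN=99 TOS=0x00 PREC=0x00 TTL=59 ID=0 DF PROTO=UDP SPT=443 DPT=37242 LEN=79 MARK=0x3f00
"""

KV = re.compile(r"(\w+)=(\S*)")
TCP_FLAGS = {"SYN", "ACK", "FIN", "RST", "PSH", "URG", "ECE", "CWR"}

def parse(line):
    """Split one log line into its KEY=value fields and bare TCP flag tokens."""
    fields = {}
    for key, value in KV.findall(line):
        fields.setdefault(key, value)  # keep the first LEN (IP length); UDP lines repeat LEN
    fields["FLAGS"] = {tok for tok in line.split() if tok in TCP_FLAGS}
    return fields

def classify(f):
    """Heuristic bucket for triage (hypothetical names, not conntrack states)."""
    if f.get("PROTO") == "TCP":
        if "SYN" in f["FLAGS"] and "ACK" not in f["FLAGS"]:
            return "new-connection attempt"
        return "mid-stream TCP segment (possible late packet)"
    if f.get("PROTO") == "UDP" and f.get("SPT") == "443":
        return "UDP from port 443 (possible late QUIC reply)"
    return "other"

def summarize(text):
    """Count logged packets per (bucket, SRC, SPT, DST, DPT)."""
    counts = Counter()
    for line in text.splitlines():
        if "PROTO=" not in line:
            continue  # not a packet log line
        f = parse(line)
        counts[(classify(f), f.get("SRC"), f.get("SPT"), f.get("DST"), f.get("DPT"))] += 1
    return counts

if __name__ == "__main__":
    for key, n in summarize(SAMPLE).most_common():
        print(n, *key)
```

Flows that only ever appear in the mid-stream bucket, with no bare SYN from the same source, are the ones that fit the late-packet explanation; the new-connection bucket is what remains worth reading.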