On Wed, Sep 25, 2024 at 01:09:38PM -0400, Brian J. Murrell wrote:
> I often see entries such as this being logged in my system log:
>
> IN=ens3 OUT= MAC=[redacted] SRC=[redacted] DST=10.75.26.3 LEN=74 TOS=0x00 PREC=0x00 TTL=43 ID=3769 DF PROTO=TCP SPT=33944 DPT=22 WINDOW=229 RES=0x00 ACK PSH URGP=0
>
> I suspect these are packets that come straggling in after a TCP
> connection has been shut down. Is there any way to have netfilter give
> recently shut down TCP connections a bit of grace time before logging
> packets that have been sent after they were shut down, just to reduce
> the false-positive noise in my logs?

These are packets logged through 'ct state invalid', right?

> Same goes for UDP in fact:
>
> IN=eth0.2 OUT= MAC=[redacted] SRC=[redacted, remote IP] DST=[redacted, my local IP] LEN=99 TOS=0x00 PREC=0x00 TTL=59 ID=0 DF PROTO=UDP SPT=443 DPT=37242 LEN=79 MARK=0x3f00
>
> for, for example, QUIC connections.
>
> Cheers,
> b.
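Added example, not from either poster: a small Python triage script that parses kernel LOG lines in the format quoted above and separates mid-stream TCP segments and late UDP replies (the likely post-close stragglers) from genuine handshake packets, so the noisy categories can be counted before any rule change. The addresses are constructed placeholders standing in for the redacted ones, and the category names are my own.

```python
# Constructed sample lines modelled on the two quoted in the mail; the
# redacted addresses are replaced with documentation-range placeholders.
SAMPLE_TCP = ("IN=ens3 OUT= MAC=00:00:00:00:00:00 SRC=192.0.2.10 DST=10.75.26.3 "
              "LEN=74 TOS=0x00 PREC=0x00 TTL=43 ID=3769 DF PROTO=TCP SPT=33944 "
              "DPT=22 WINDOW=229 RES=0x00 ACK PSH URGP=0")
SAMPLE_UDP = ("IN=eth0.2 OUT= MAC=00:00:00:00:00:00 SRC=198.51.100.7 DST=192.0.2.1 "
              "LEN=99 TOS=0x00 PREC=0x00 TTL=59 ID=0 DF PROTO=UDP SPT=443 "
              "DPT=37242 LEN=79 MARK=0x3f00")
SAMPLE_SYN = ("IN=ens3 OUT= MAC=00:00:00:00:00:00 SRC=203.0.113.9 DST=10.75.26.3 "
              "LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=1 DF PROTO=TCP SPT=40001 "
              "DPT=22 WINDOW=64240 RES=0x00 SYN URGP=0")


def parse_nf_log(line):
    """Split a LOG-target line into KEY=VALUE fields plus a set of bare tokens.
    Bare tokens are the IP DF bit and the TCP flags (SYN, ACK, PSH, FIN, RST).
    LEN occurs twice on UDP lines (IP total length, then UDP length); the
    second one is stored under LEN2 so neither is lost."""
    fields, flags = {}, set()
    for tok in line.split():
        if "=" in tok:
            key, val = tok.split("=", 1)
            fields[key + "2" if key in fields else key] = val
        else:
            flags.add(tok)
    fields["FLAGS"] = flags
    return fields


def classify(entry):
    """Label an entry for triage of 'ct state invalid' log noise."""
    flags, proto = entry["FLAGS"], entry.get("PROTO")
    if proto == "TCP":
        if "SYN" in flags:
            return "tcp-handshake"        # SYN or SYN/ACK: not a leftover of a closed flow
        if "ACK" in flags:
            return "tcp-midstream"        # ACK without conntrack entry: likely late segment
        return "tcp-other"
    if proto == "UDP":
        if entry.get("SPT") == "443":
            return "udp-late-quic-reply"  # reply from 443/udp after the flow entry expired
        return "udp-other"
    return "other"


def triage(lines):
    """Count categories across a batch of log lines."""
    counts = {}
    for line in lines:
        label = classify(parse_nf_log(line))
        counts[label] = counts.get(label, 0) + 1
    return counts
```

Feed it the SRC/DST-bearing part of each journal line; the category counts show how much of the log volume is post-close traffic before any rule is touched.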