Re: Allowing closed connections time to drain before logging packets

On Wed, 2024-09-25 at 18:18 +0000, Slavko wrote:
> 
> You can consider to extend netfilter connection timeouts.

This seems like the ideal solution.  But which timeout would I extend
to keep a connection valid for some period of time after netfilter has
seen the close of a (TCP for example) session?

> You have two options with TCP:
> 
> + setup kernel knob to consider NEW packet without SYN
> as invalid and drop INVALID packets

But I do want to continue to log and drop INVALID packets otherwise
(other than for very recently closed sessions).  I just don't want
packets that are from a connection that was recently closed to be
considered INVALID.

> + drop NEW TCP packets without SYN by exact FW rule

But I don't want to drop all/any TCP packets without a SYN if they were
never part of a recently closed session.  I still want to log port
probing for example.

> A little complicated with UDP,

If there is a timeout after a closed "session" before it's considered
INVALID, it shouldn't be any more complicated for UDP than TCP since
both have concepts of VALID/ACTIVE and INVALID sessions.  They just
consider when they are "closed" differently (i.e. TCP with FIN packets
and UDP after a timeout of connection idleness).


> For both (TCP/UDP) consider to add more conditions, as sport,
> ephemeral dports, etc...

There are no more conditions I can add that help determine if packets
are part of a recently closed session or not, AFAIU.

Cheers,
b.
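As an added illustration of the two suggestions discussed above (it is not from Slavko's or b.'s messages), the script below prints the conntrack sysctls for the TCP closing states and the UDP idle timers, together with an nftables ruleset that keeps logging INVALID and NEW-without-SYN packets. Lengthening the timeouts of the closing states (fin_wait, close_wait, last_ack, time_wait, close) keeps the conntrack entry of a recently closed flow alive, so late packets for it still match `ct state established` and never reach the log rules. The 300-second values, the `sshd` port and the log prefixes are assumptions; the defaults in the comments are the kernel's. Nothing is applied unless the script is run with `--apply` as root.

```shell
#!/bin/sh
# Added example, not code from the thread. Prints (and optionally applies)
# conntrack timeouts that let a closed flow drain before its late packets
# would be classified as NEW-without-SYN or INVALID, plus a ruleset that
# keeps logging those classes for everything else.

# conntrack timeouts in seconds for the states a TCP flow passes through
# after a FIN/RST, plus UDP idle timers. Kernel defaults in comments.
# 300 s is an assumed value; pick what your drain time actually needs.
conntrack_sysctls() {
    cat <<'EOF'
net.netfilter.nf_conntrack_tcp_timeout_fin_wait = 300
net.netfilter.nf_conntrack_tcp_timeout_close_wait = 300
net.netfilter.nf_conntrack_tcp_timeout_last_ack = 300
net.netfilter.nf_conntrack_tcp_timeout_time_wait = 300
net.netfilter.nf_conntrack_tcp_timeout_close = 60
net.netfilter.nf_conntrack_udp_timeout = 120
net.netfilter.nf_conntrack_udp_timeout_stream = 300
EOF
    # defaults: fin_wait 120, close_wait 60, last_ack 30, time_wait 120,
    # close 10, udp 30, udp_stream 120
}

# nftables ruleset: established/related (including flows still in a closing
# state) are accepted first, so only packets with no live conntrack entry
# fall through to the two log rules. The ssh accept and prefixes are assumed.
nft_ruleset() {
    cat <<'EOF'
table inet filter {
    chain input {
        type filter hook input priority filter; policy drop;
        iif "lo" accept
        ct state established,related accept
        ct state invalid log prefix "ct-invalid: " drop
        tcp flags & (fin|syn|rst|ack) != syn ct state new log prefix "tcp-new-nosyn: " drop
        tcp dport 22 ct state new accept
        log prefix "input-drop: " drop
    }
}
EOF
}

# Apply both: requires root, nft and a conntrack-enabled kernel.
apply_all() {
    conntrack_sysctls | sysctl -p - \
    && nft_ruleset | nft -f -
}

if [ "$1" = "--apply" ]; then
    apply_all
else
    echo "# sysctl settings:"
    conntrack_sysctls
    echo "# nftables ruleset:"
    nft_ruleset
fi
```

The log rules stay in place for port probes and mid-stream packets of flows the firewall never saw, because those have no conntrack entry regardless of the timers. For a per-flow policy rather than a global one, nftables `ct timeout` objects attached with `ct timeout set` in a prerouting chain allow the same state timeouts to be raised only for selected services.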