On Wed, 2024-09-25 at 18:18 +0000, Slavko wrote:

> You can consider to extend netfilter connection timeouts.

This seems like the ideal solution. But which timeout would I extend to keep a connection valid for some period of time after netfilter has seen the close of a (TCP for example) session?

> You have two options with TCP:
>
> + setup kernel knob to consider NEW packet without SYN
>   as invalid and drop INVALID packets

But I do want to continue to log and drop otherwise (other than for very recently closed session) INVALID packets. I just don't want packets that are from a connection that was recently closed to be considered INVALID.

> + drop NEW TCP packets without SYN by exact FW rule

But I don't want to drop all/any TCP packets without a SYN if they were never part of a recently closed session. I still want to log port probing for example.

> A little complicated with UDP,

If there is a timeout after a closed "session" before it's considered INVALID, it shouldn't be any more complicated for UDP than TCP since both have concepts of VALID/ACTIVE and INVALID sessions. They just consider when they are "closed" differently (i.e. TCP with FIN packets and UDP after a timeout of connection idleness).

> For both (TCP/UDP) consider to add more conditions, as sport,
> ephemeral dports, etc...

There are no more conditions I can add that help determine if packets are part of a recently closed session or not, AFAIU.

Cheers,
b.
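The following is an added example, not text from either participant in the thread. It shows the conntrack timeouts that decide how long a closed TCP or UDP flow stays known to netfilter (a late packet that still matches a tracked entry is not INVALID; once the entry expires, the packet is INVALID when nf_conntrack_tcp_loose is 0, or is picked up as NEW without a SYN when it is 1), next to an nftables ruleset that keeps logging and dropping INVALID packets and logging probes to closed ports. The sysctl names are the kernel's own; the table and chain names, the accepted port 22, the chosen timeout values and the log prefixes are assumptions for illustration.

```shell
#!/bin/sh
# Added example (not from the thread). Conntrack timeouts that govern how long a
# closed flow stays tracked, plus a ruleset that still logs/drops INVALID packets.
# Values, chain names, port 22 and log prefixes are illustrative assumptions.
set -eu

# Seconds a closed flow stays in the conntrack table (kernel defaults in brackets).
TCP_TIME_WAIT=600   # nf_conntrack_tcp_timeout_time_wait [120]: after a FIN close
TCP_CLOSE=120       # nf_conntrack_tcp_timeout_close     [10]:  after an RST
UDP_IDLE=120        # nf_conntrack_udp_timeout           [30]:  UDP without replies
UDP_STREAM=300      # nf_conntrack_udp_timeout_stream    [120]: UDP with replies seen

# Emit "key=value" lines. nf_conntrack_tcp_loose=0 makes a non-SYN packet that
# matches no conntrack entry INVALID instead of starting a NEW entry, so only
# packets from flows that have already aged out of the table hit the INVALID rule.
conntrack_sysctls() {
    cat <<EOF
net.netfilter.nf_conntrack_tcp_loose=0
net.netfilter.nf_conntrack_tcp_timeout_time_wait=$TCP_TIME_WAIT
net.netfilter.nf_conntrack_tcp_timeout_close=$TCP_CLOSE
net.netfilter.nf_conntrack_udp_timeout=$UDP_IDLE
net.netfilter.nf_conntrack_udp_timeout_stream=$UDP_STREAM
EOF
}

# Emit the nftables ruleset. INVALID packets are logged and dropped on any port;
# packets of a tracked flow (including one that is closed but still within its
# timeout) are accepted; a SYN to a closed port falls through and is logged as a
# probe. Table/chain names and port 22 are assumptions.
nft_ruleset() {
    cat <<'EOF'
table inet filter {
    chain input {
        type filter hook input priority filter; policy drop;
        ct state invalid log prefix "ct-invalid: " counter drop
        iifname "lo" accept
        ct state established,related accept
        tcp dport 22 ct state new accept
        log prefix "probe: " counter drop
    }
}
EOF
}

# Apply both (needs root and the nf_conntrack module loaded).
apply_all() {
    conntrack_sysctls | while IFS= read -r kv; do sysctl -w "$kv"; done
    nft_ruleset | nft -f -
}

# Syntax-check the ruleset without loading it (needs nft, not root).
check_ruleset() {
    nft_ruleset | nft -c -f -
}

case "${1:-}" in
    apply) apply_all ;;
    check) check_ruleset ;;
esac
```

Run `sh conntrack-timeouts.sh check` to validate the ruleset syntax and `... apply` as root to install it. Raising the TIME_WAIT and CLOSE timeouts keeps each closed flow in the table longer, so watch nf_conntrack_count against nf_conntrack_max on busy hosts; a new SYN arriving for an entry still in TIME_WAIT reopens the flow rather than being treated as INVALID.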