> > All of these FINs go through, but never receive an ACK (why?).
>
> Because the other side sucks and decided to violate the TCP RFC by fast
> closing connections without waiting proper session shutdown to free
> sockets quickly and since that is not enough they even decided to not
> send a RST
On Dec 23 20:17:23, Jan Stary wrote:
> Speculation: this looks to me like an end of a valid http session:
> an internal clients reads a web page, and probably a few images,
> everything goes through, but the last FIN does not. The first SYN
> creates state that lets the subseque
On Thu, Dec 23, 2010 at 08:17:23PM +0100, Jan Stary wrote:
> Speculation: this looks to me like an end of a valid http session:
> an internal clients reads a web page, and probably a few images,
> everything goes through, but the last FIN does not. The first SYN
> creates state
Speculation: this looks to me like an end of a valid http session:
an internal clients reads a web page, and probably a few images,
everything goes through, but the last FIN does not. The first SYN
creates state that lets the subsequent packets through. Doesn't the
last FIN
set skip on lo
set block-policy drop
set timeout tcp.finwait 900
set timeout tcp.closing 900
(There also an adaptive setting based on load)
Your client, if its really a mac, may have a sysctl like
...net.inet.tcp.finwait2_timeout: 6
... net.inet.tcp.finwait2_timeo
stare.cz.54254> www.ihned.cz.www: F 2622397051:2622397051(0)
seems to me to be that case (right?).
The only communication that the internal client (mac.stare.cz) has with
the outside host (www.ihned.cz) is that a browser (firefox) is used
to look at a webpage. If the internal clients does the
tare.cz.54254 > www.ihned.cz.www: F 2622397051:2622397051(0)
seems to me to be that case (right?).
The only communication that the internal client (mac.stare.cz) has with
the outside host (www.ihned.cz) is that a browser (firefox) is used
to look at a webpage. If the internal clients does the same with lynx,
there are no blocked FIN packets on the internal interface.
What am I missing here?
Thank you for your time
Jan
On Wed, Dec 22, 2010 at 5:41 PM, Jan Stary wrote:
> Speculation: this looks to me like an end of a valid http session:
> an internal clients reads a web page, and probably a few images,
> everything goes through, but the last FIN does not. The first SYN
> creates state that lets the subsequent pa
This is -current/i386 serving as a gateway for a home network.
See the full pf.conf below (it does the obvious: let everything out,
rdr-to the internal www server, pass internal services such as dns,
block everything else).
Now /var/log/pflog gets filled with what one could expect -
bad guys tryin
9 matches
Mail list logo
