I'm noticing an increase in the following sort of packet drop logs from Shorewall:
Sep 2 17:08:56 gw kernel: [28287.557719] Shorewall:net2fw:DROP:IN=eth0.2 OUT= SRC=4.24.10.6 DST=7.1.2.1 LEN=102 TOS=0x00 PREC=0x00 TTL=237 ID=57081 DF PROTO=TCP SPT=6667 DPT=51394 WINDOW=110 RES=0x00 ACK PSH URGP=0 MARK=0x100
Sep 2 17:08:56 gw kernel: [28287.804612] Shorewall:net2fw:DROP:IN=eth0.2 OUT= SRC=4.24.10.6 DST=7.1.2.1 LEN=102 TOS=0x00 PREC=0x00 TTL=237 ID=57082 DF PROTO=TCP SPT=6667 DPT=51394 WINDOW=110 RES=0x00 ACK PSH URGP=0 MARK=0x100
Sep 2 17:08:56 gw kernel: [28288.045603] Shorewall:net2fw:DROP:IN=eth0.2 OUT= SRC=4.24.10.6 DST=7.1.2.1 LEN=102 TOS=0x00 PREC=0x00 TTL=237 ID=57083 DF PROTO=TCP SPT=6667 DPT=51394 WINDOW=110 RES=0x00 ACK PSH URGP=0 MARK=0x100
Sep 2 17:08:57 gw kernel: [28288.532529] Shorewall:net2fw:DROP:IN=eth0.2 OUT= SRC=4.24.10.6 DST=7.1.2.1 LEN=102 TOS=0x00 PREC=0x00 TTL=237 ID=57084 DF PROTO=TCP SPT=6667 DPT=51394 WINDOW=110 RES=0x00 ACK PSH URGP=0 MARK=0x100

They are part of what should be a legitimate TCP session. Are they perhaps straggler packets that come in after the TCP session has been shut down and removed from the conntrack table? Or something else I am not thinking of?

Cheers,
b.
Shorewall-users mailing list
Shorewall-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shorewall-users
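Added example (my own, not code from the poster or from the Shorewall project): a small triage script that parses Shorewall/netfilter DROP lines like the ones above, groups them by chain and 5-tuple, and separates TCP segments carrying ACK/PSH/FIN/RST with no SYN (mid-stream packets that arrive after conntrack has forgotten the session, which is what a straggler looks like) from fresh SYN connection attempts. The heuristic is an assumption about how the stateful rules behave, not something the post confirms; the SYN line and its 198.51.100.9 address are constructed, the other two lines are from the post.

```python
import re
from collections import Counter

# Bare flag words netfilter prints between RES=... and URGP=; "DF" is not a TCP flag.
_TCP_FLAGS = {"SYN", "ACK", "PSH", "FIN", "RST", "URG"}
_FIELD = re.compile(r"(\w+)=(\S*)")
_HEAD = re.compile(r"Shorewall:(?P<chain>[^:]+):(?P<action>[A-Z]+):(?P<rest>.*)")

def parse_drop(line):
    """Return the fields of one Shorewall log line as a dict, or None if it is not one."""
    m = _HEAD.search(line)
    if not m:
        return None
    rest = m.group("rest")
    rec = {"chain": m.group("chain"), "action": m.group("action")}
    rec.update(dict(_FIELD.findall(rest)))          # IN=, SRC=, DST=, PROTO=, SPT=, ...
    rec["flags"] = {tok for tok in rest.split() if tok in _TCP_FLAGS}
    return rec

def classify(rec):
    """Heuristic (assumed): why a state-tracking ruleset treated this packet as 'new'."""
    if rec.get("PROTO") != "TCP":
        return "non-tcp"
    f = rec["flags"]
    if "SYN" in f and "ACK" not in f:
        return "new-connection-attempt"
    if "SYN" not in f and f & {"ACK", "FIN", "RST"}:
        # Mid-stream segment without a conntrack entry: typical of data or teardown
        # packets arriving after the session was closed or timed out (a straggler).
        return "late-segment-no-state"
    return "other"

def triage(lines):
    """Count DROP lines per (chain, src, spt, dst, dpt, classification)."""
    counts = Counter()
    for line in lines:
        rec = parse_drop(line)
        if rec is None or rec["action"] != "DROP":
            continue
        key = (rec["chain"], rec.get("SRC"), rec.get("SPT"),
               rec.get("DST"), rec.get("DPT"), classify(rec))
        counts[key] += 1
    return counts

# Constructed sample: two lines from the post plus one constructed SYN line.
SAMPLE = [
    "Sep 2 17:08:56 gw kernel: [28287.557719] Shorewall:net2fw:DROP:IN=eth0.2 OUT= SRC=4.24.10.6 DST=7.1.2.1 LEN=102 TOS=0x00 PREC=0x00 TTL=237 ID=57081 DF PROTO=TCP SPT=6667 DPT=51394 WINDOW=110 RES=0x00 ACK PSH URGP=0 MARK=0x100",
    "Sep 2 17:08:56 gw kernel: [28287.804612] Shorewall:net2fw:DROP:IN=eth0.2 OUT= SRC=4.24.10.6 DST=7.1.2.1 LEN=102 TOS=0x00 PREC=0x00 TTL=237 ID=57082 DF PROTO=TCP SPT=6667 DPT=51394 WINDOW=110 RES=0x00 ACK PSH URGP=0 MARK=0x100",
    "Sep 2 17:09:10 gw kernel: [28301.000000] Shorewall:net2fw:DROP:IN=eth0.2 OUT= SRC=198.51.100.9 DST=7.1.2.1 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=1 DF PROTO=TCP SPT=44123 DPT=22 WINDOW=29200 RES=0x00 SYN URGP=0 MARK=0x100",
]

if __name__ == "__main__":
    for key, n in triage(SAMPLE).most_common():
        print(n, key)
```

A burst of "late-segment-no-state" entries from one source/destination pair that stops on its own is consistent with the straggler explanation; a steady stream of "new-connection-attempt" entries to many ports is what deserves a closer look.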