Re: [Shorewall-users] logged drops with ACK PSH

Thu, 06 Sep 2018 12:14:49 -0700 

On 09/05/2018 02:36 PM, Brian J. Murrell wrote:
> I'm noticing an increase in the following sort of packet drop logs from
> Shorewall:
> 
> Sep  2 17:08:56 gw kernel: [28287.557719] Shorewall:net2fw:DROP:IN=eth0.2 
> OUT= SRC=4.24.10.6 DST=7.1.2.1 LEN=102 TOS=0x00 PREC=0x00 TTL=237 ID=57081 DF 
> PROTO=TCP SPT=6667 DPT=51394 WINDOW=110 RES=0x00 ACK PSH URGP=0 MARK=0x100 
> Sep  2 17:08:56 gw kernel: [28287.804612] Shorewall:net2fw:DROP:IN=eth0.2 
> OUT= SRC=4.24.10.6 DST=7.1.2.1 LEN=102 TOS=0x00 PREC=0x00 TTL=237 ID=57082 DF 
> PROTO=TCP SPT=6667 DPT=51394 WINDOW=110 RES=0x00 ACK PSH URGP=0 MARK=0x100 
> Sep  2 17:08:56 gw kernel: [28288.045603] Shorewall:net2fw:DROP:IN=eth0.2 
> OUT= SRC=4.24.10.6 DST=7.1.2.1 LEN=102 TOS=0x00 PREC=0x00 TTL=237 ID=57083 DF 
> PROTO=TCP SPT=6667 DPT=51394 WINDOW=110 RES=0x00 ACK PSH URGP=0 MARK=0x100 
> Sep  2 17:08:57 gw kernel: [28288.532529] Shorewall:net2fw:DROP:IN=eth0.2 
> OUT= SRC=4.24.10.6 DST=7.1.2.1 LEN=102 TOS=0x00 PREC=0x00 TTL=237 ID=57084 DF 
> PROTO=TCP SPT=6667 DPT=51394 WINDOW=110 RES=0x00 ACK PSH URGP=0 MARK=0x100 
> 
> They are part of what should be a legitimate TCP session.  Are they
> perhaps straggler packets that come in after the TCP session has been
> shut down and removed from the conntrack table?

I suspect that is exactly what they are. Their logging was previously
suppressed by the NotSyn action invoked out of the Drop action.
> 

-Tom

-- 
Tom Eastep        \   Q: What do you get when you cross a mobster with
Shoreline,         \     an international standard?
Washington, USA     \ A: Someone who makes you an offer you can't
http://shorewall.org \   understand
                      \_______________________________________________

Attachment: signature.asc
Description: OpenPGP digital signature

------------------------------------------------------------------------------
Check out the vibrant tech community on one of the world's most
engaging tech sites, Slashdot.org! http://sdm.link/slashdot
_______________________________________________
Shorewall-users mailing list
Shorewall-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shorewall-users

Reply via email to