Mailing List Archive

Strange SMTP packet
Hi,

My FW logs some packets from SMTP connections whereas I allow these packets :

LOG : IN=eth0 OUT=eth1 ..... PROTO=TCP SPT=25 WINDOW=33215 RES=0x00 ACK PSH FIN UGRP=0

rule : iptables -A inet-dmz -p tcp --sport smtp -m state --state ESTABLISHED -j ACCEPT


Could someone point me to my error?


Florent
Re: Strange SMTP packet
Florent wrote:

> Hi,
>
> My FW logs some packets from SMTP connections whereas I allow these packets :
>
> LOG : IN=eth0 OUT=eth1 ..... PROTO=TCP SPT=25 WINDOW=33215 RES=0x00 ACK PSH FIN UGRP=0
>
> rule : iptables -A inet-dmz -p tcp --sport smtp -m state --state ESTABLISHED -j ACCEPT
>
> Could someone point me to my error?
>
> Florent

I have noticed that some allowed packets are sometimes logged. Some of them were HTTP, others
SMTP, ...


--
Mohamad
RE: Strange SMTP packet
Yeah, this is an ACK FIN packet problem where ACK FIN packets are not being
recognised as part of a connection - there has just been a big discussion on
this list about it. I'm gonna look into it and post to the list when I have
something - may take a bit of time with other work etc. though. There
appear to be no bad effects on my network so far (AFAIK)

> -----Original Message-----
> From: Florent [mailto:florent@arcimex.com]
> Sent: 06 August 2001 10:53
> To: netfilter@lists.samba.org
> Subject: Strange SMTP packet
>
>
> Hi,
>
> My FW logs some packets from SMTP connections whereas I allow
> these packets :
>
> LOG : IN=eth0 OUT=eth1 ..... PROTO=TCP SPT=25
> WINDOW=33215 RES=0x00 ACK PSH FIN UGRP=0
>
> rule : iptables -A inet-dmz -p tcp --sport smtp -m state
> --state ESTABLISHED -j ACCEPT
>
>
> Could someone point me to my error?
>
>
> Florent
>
Re: Strange SMTP packet
----- Original Message -----
From: Nigel Morse <N.Morse@hyperknowledge.com>
To: 'Florent' <florent@arcimex.com>; Netfilter (E-mail)
<netfilter@lists.samba.org>
Sent: Monday, August 06, 2001 1:50 PM
Subject: RE: Strange SMTP packet


> yeah, this is an ACK FIN packet problem where ACK FIN packets are not being
> recognised as part of a connection - there has just been a big discussion on
> this list about it. I'm gonna look into and post to the list when I have
> something - may take a bit of time with other work etc. though. There
> appear to be no bad effects on my network so far (AFAIK )

This is a known problem, but I don't know how to fix it. Have I missed a patch
or something else?

Radel
Re: Strange SMTP packet
> > yeah, this is an ACK FIN packet problem where ACK FIN packets are not being
> > recognised as part of a connection - there has just been a big discussion on
> > this list about it. I'm gonna look into and post to the list when I have
> > something - may take a bit of time with other work etc. though. There
> > appear to be no bad effects on my network so far (AFAIK )
> This is a known problem,but I don't know how to fix. Have I missed a patch
> or something other?

Like everybody else here, what you miss is something more than the showing
of that log line. As far as I followed the threads, nobody ever reconstructed
what activity these mislogged packets resulted from. And without knowing
where those come from, how could anybody provide patches?

If somebody is able to show a full network trace of a proper TCP connection
which exhibits such a noisy end, I'm sure somebody will be able to guess
what the real reason is. And probably fix it. Until that happens...

regards
Patrick
Re: Strange SMTP packet
----- Original Message -----
From: Patrick Schaaf <bof@bof.de>
To: Radel <netfilter@radel.yi.org>
Cc: Nigel Morse <N.Morse@hyperknowledge.com>; 'Florent'
<florent@arcimex.com>; Netfilter (E-mail) <netfilter@lists.samba.org>
Sent: Monday, August 06, 2001 2:23 PM
Subject: Re: Strange SMTP packet


> If somebody is able to show a full network trace of a proper TCP connection
> which exhibits such a noisy end, I'm sure somebody will be able to guess
> what the real reason is. And probably fix it. Until that happens...
>
> regards
> Patrick
>

I'll start packet monitoring in a few minutes. I hope I'll post some dumps
this evening.

Radel
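
Added example, not part of any post in this thread: before capturing the full trace requested above, the affected flows can be pulled out of the firewall log. The Python below parses LOG-target lines, counts logged TCP packets carrying FIN or RST per flow, and builds a pcap filter for those flows; the sample lines, addresses and function names are constructed for illustration.

```python
import re
from collections import Counter

TCP_FLAGS = {"CWR", "ECE", "URG", "ACK", "PSH", "RST", "SYN", "FIN"}

# Constructed sample in the kernel LOG target's layout (documentation addresses).
HDR = "Aug  6 10:41:02 fw kernel: IN=eth0 OUT=eth1 "
SAMPLE_LOG = "\n".join(HDR + rest for rest in [
    "SRC=192.0.2.10 DST=198.51.100.5 LEN=52 TTL=52 ID=4121 DF PROTO=TCP "
    "SPT=25 DPT=34012 WINDOW=33215 RES=0x00 ACK PSH FIN URGP=0",
    "SRC=192.0.2.10 DST=198.51.100.5 LEN=52 TTL=52 ID=4122 DF PROTO=TCP "
    "SPT=25 DPT=34012 WINDOW=33215 RES=0x00 ACK PSH FIN URGP=0",
    "SRC=192.0.2.80 DST=198.51.100.7 LEN=40 TTL=57 ID=901 DF PROTO=TCP "
    "SPT=80 DPT=40100 WINDOW=8760 RES=0x00 ACK FIN URGP=0",
    "SRC=203.0.113.9 DST=198.51.100.5 LEN=44 TTL=49 ID=77 PROTO=TCP "
    "SPT=51000 DPT=23 WINDOW=512 RES=0x00 SYN URGP=0",
    "SRC=203.0.113.9 DST=198.51.100.5 LEN=60 PROTO=UDP SPT=4000 DPT=53 LEN=40",
])

def parse_log_line(line):
    """Return the KEY=VALUE fields plus a 'FLAGS' frozenset, or None if not TCP."""
    fields = dict(re.findall(r"\b([A-Z]+)=(\S*)", line))
    if fields.get("PROTO") != "TCP":
        return None
    # TCP flags are the bare words the kernel prints after the RES= field.
    tail = line.split("RES=", 1)[1] if "RES=" in line else ""
    fields["FLAGS"] = frozenset(tail.split()) & TCP_FLAGS
    return fields

def teardown_candidates(log_text):
    """Count logged TCP packets with FIN or RST, keyed by flow and flag set."""
    hits = Counter()
    for line in log_text.splitlines():
        pkt = parse_log_line(line)
        if pkt and pkt["FLAGS"] & {"FIN", "RST"}:
            flow = tuple(pkt.get(k) for k in ("SRC", "SPT", "DST", "DPT"))
            hits[flow + ("+".join(sorted(pkt["FLAGS"])),)] += 1
    return hits

def capture_filter(hits):
    """Build a pcap filter expression (usable with tcpdump) for the flows found."""
    flows = sorted({key[:4] for key in hits})
    return " or ".join(
        f"(host {s} and host {d} and tcp port {sp} and tcp port {dp})"
        for s, sp, d, dp in flows)

if __name__ == "__main__":
    hits = teardown_candidates(SAMPLE_LOG)
    print(hits, capture_filter(hits), sep="\n")
```

The resulting filter expression captures whole connections for the listed flows, so the packets preceding the logged FIN are in the trace as well.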