RE: [fw-wiz] Stateful inspect on return web traffic - eek!
From: Bill Royds (broyds_at_rogers.com)
Date: 12/11/03
- Previous message: Chris Ditri: "Re: [fw-wiz] Weird FW bridge stuff (Linux)"
- In reply to: Brett Charbeneau: "[fw-wiz] Stateful inspect on return web traffic - eek!"
- Next in thread: Brett Charbeneau: "RE: [fw-wiz] Stateful inspect on return web traffic - eek!"
- Reply: Brett Charbeneau: "RE: [fw-wiz] Stateful inspect on return web traffic - eek!"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
To: "'Brett Charbeneau'" <brett@wrl.org>, <firewall-wizards@honor.icsalabs.com> Date: Wed, 10 Dec 2003 19:07:22 -0500
That looks like the last packets of a TCP stream that are being rejected
because your firewall is taking down the connection after your outgoing fin
packet and not waiting on the server's fin-ack packet. It may be because you
have too short of a fin-wait timeout period in your tcp stack. Default is 2
minutes (which is much too long), while 30 seconds seems to be long enough
to prevent this but not so long that you queue too many sockets.
The host names corresponding to those IP addresses seem quit legitimate
216.75.202.105 is mail26m.collegeclub.com, 207.68.178.238 is rad.msn.com
-----Original Message-----
From: firewall-wizards-admin@honor.icsalabs.com
[mailto:firewall-wizards-admin@honor.icsalabs.com] On Behalf Of Brett
Charbeneau
Sent: December 9, 2003 11:33 AM
To: firewall-wizards@honor.icsalabs.com
Subject: [fw-wiz] Stateful inspect on return web traffic - eek!
Greetings,
If anyone can help me figure out what's going on with my logs, I'd
be EXTREMELY grateful!
I have a handful of firewalls around my institution that are using
the 2.4.20 Linux kernel, have iptables v1.2.7a, and default drop
policies. The workstations behind the firewalls are on NAT'd networks and
have these commands for connection tracking:
iptables -A OUTPUT -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
I've recently set up a Squid proxy with the same specifics but
obviously minus the NAT'd network. Except for the explicit allow
statements for the Squid process and necessary SSH access, the rules are
very simple - default drop except for related return traffic.
In all these instances, I have an iptables rule to log any dropped
packets and I've been seeing some really strange web-related *return*
traffic that isn't being allowed back in.
Me no get.
I've got an example below and they look to me to be replies to web
clients that *should* be associated with outgoing traffic but somehow
isn't and the traffic is being dropped.
I've not heard complaints about certain web sites being
unreachable, so the clients must be getting their traffic somehow, but
clearly something is amiss.
Any guidance or hints anyone can provide would be greatly
appreciated!
-- Brett Charbeneau, Network Administrator Tel: 757-259-7750 Williamsburg Regional Library FAX: 757-259-7798 7770 Croaker Road brett@wrl.org Williamsburg, VA 23188-7064 http://www.wrl.org Dec 9 11:19:45 reliant kernel: KILLED!: IN=eth0 OUT= MAC=00:10:4b:34:51:22:00:00:0c:5d:85:ae:08:00 SRC=216.75.202.105 DST=209.96.177.53 LEN=52 TOS=0x00 PREC=0x00 TTL=45 ID=33958 DF PROTO=TCP SPT=80 DPT=49788 WINDOW=31856 RES=0x00 ACK FIN URGP=0 Dec 9 11:19:47 reliant kernel: KILLED!: IN=eth0 OUT= MAC=00:10:4b:34:51:22:00:00:0c:5d:85:ae:08:00 SRC=216.75.202.105 DST=209.96.177.53 LEN=52 TOS=0x00 PREC=0x00 TTL=45 ID=34028 DF PROTO=TCP SPT=80 DPT=49788 WINDOW=31856 RES=0x00 ACK FIN URGP=0 Dec 9 11:19:47 reliant kernel: KILLED!: IN=eth0 OUT= MAC=00:10:4b:34:51:22:00:00:0c:5d:85:ae:08:00 SRC=207.68.178.238 DST=209.96.177.53 LEN=41 TOS=0x00 PREC=0x00 TTL=235 ID=50490 PROTO=TCP SPT=80 DPT=49476 WINDOW=16133 RES=0x00 ACK PSH URGP=0 Dec 9 11:19:49 reliant kernel: KILLED!: IN=eth0 OUT= MAC=00:10:4b:34:51:22:00:00:0c:5d:85:ae:08:00 SRC=216.75.202.105 DST=209.96.177.53 LEN=52 TOS=0x00 PREC=0x00 TTL=45 ID=34417 DF PROTO=TCP SPT=80 DPT=49788 WINDOW=31856 RES=0x00 ACK FIN URGP=0 Dec 9 11:19:55 reliant kernel: KILLED!: IN=eth0 OUT= MAC=00:10:4b:34:51:22:00:00:0c:5d:85:ae:08:00 SRC=216.75.202.105 DST=209.96.177.53 LEN=52 TOS=0x00 PREC=0x00 TTL=45 ID=34750 DF PROTO=TCP SPT=80 DPT=49788 WINDOW=31856 RES=0x00 ACK FIN URGP=0 Dec 9 11:19:58 reliant kernel: KILLED!: IN=eth0 OUT= MAC=00:10:4b:34:51:22:00:00:0c:5d:85:ae:08:00 SRC=216.75.203.112 DST=209.96.177.53 LEN=467 TOS=0x00 PREC=0x00 TTL=236 ID=20775 DF PROTO=TCP SPT=81 DPT=49378 WINDOW=10136 RES=0x00 ACK PSH FIN URGP=0 _______________________________________________ firewall-wizards mailing list firewall-wizards@honor.icsalabs.com http://honor.icsalabs.com/mailman/listinfo/firewall-wizards _______________________________________________ firewall-wizards mailing list firewall-wizards@honor.icsalabs.com http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
- Previous message: Chris Ditri: "Re: [fw-wiz] Weird FW bridge stuff (Linux)"
- In reply to: Brett Charbeneau: "[fw-wiz] Stateful inspect on return web traffic - eek!"
- Next in thread: Brett Charbeneau: "RE: [fw-wiz] Stateful inspect on return web traffic - eek!"
- Reply: Brett Charbeneau: "RE: [fw-wiz] Stateful inspect on return web traffic - eek!"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Relevant Pages
|
