tcp teardown delay?
From: /dev/null (dev'0x2e'null@BeginThread.com)
Date: Wed, 23 Apr 2003 13:49:46 GMT
- Next message: Georg Armbruster: "Re: secure ftp and ssh ?"
- Previous message: charly: "secure ftp and ssh ?"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
2.4.18 kernel
I'm seeing some long delays (~1.5 hr) on some TCP teardowns on connections
traversing my Linux firewall and was wondering if this is normal. It ends
up tripping over my firewall (because the state awareness is gone by then)
and looking like a scan. Here are the pertinent logs at the end of the
connection, starting with the first ACK FIN:
Apr 22 18:15:48 ALPHA kernel: incoming FORWARD: IN=eth0 OUT=eth2 SRC=207.68.172.245 DST=192.168.1.6 LEN=40 TOS=0x00 PREC=0x00 TTL=239 ID=59301 PROTO=TCP SPT=80 DPT=3778 WINDOW=8190 RES=0x00 ACK FIN URGP=0
Apr 22 18:15:48 ALPHA kernel: incoming FORWARD: IN=eth0 OUT=eth2 SRC=207.68.172.245 DST=192.168.1.6 LEN=40 TOS=0x00 PREC=0x00 TTL=239 ID=59303 PROTO=TCP SPT=80 DPT=3777 WINDOW=8190 RES=0x00 ACK FIN URGP=0
Apr 22 18:15:48 ALPHA kernel: incoming FORWARD: IN=eth2 OUT=eth0 SRC=192.168.1.6 DST=207.68.172.245 LEN=40 TOS=0x00 PREC=0x00 TTL=127 ID=61164 DF PROTO=TCP SPT=3777 DPT=80 WINDOW=8760 RES=0x00 ACK URGP=0
Apr 22 18:15:49 ALPHA kernel: incoming FORWARD: IN=eth0 OUT=eth2 SRC=207.68.172.245 DST=192.168.1.6 LEN=40 TOS=0x00 PREC=0x00 TTL=239 ID=18236 PROTO=TCP SPT=80 DPT=3778 WINDOW=8190 RES=0x00 ACK FIN URGP=0
Apr 22 18:15:49 ALPHA kernel: incoming FORWARD: IN=eth2 OUT=eth0 SRC=192.168.1.6 DST=207.68.172.245 LEN=40 TOS=0x00 PREC=0x00 TTL=127 ID=61420 DF PROTO=TCP SPT=3778 DPT=80 WINDOW=8607 RES=0x00 ACK URGP=0
# two minutes later comes a reset; by then iptables has forgotten about this
connection and thinks it's INPUT, not a FORWARD:
Apr 22 18:17:26 ALPHA kernel: incoming INPUT: IN=eth0 OUT= MAC=00:40:05:82:98:00:00:0a:42:6d:3c:a8:08:00 SRC=207.68.172.245 DST=XXX.TER.NAL.IP LEN=40 TOS=0x00 PREC=0x00 TTL=240 ID=8405 PROTO=TCP SPT=80 DPT=3778 WINDOW=9300 RES=0x00 RST URGP=0
# so it drops it and looks like a scan in the logs (until I pull the whole
connection):
Apr 22 18:17:26 ALPHA kernel: Default DROPing INPUT: IN=eth0 OUT= MAC=00:40:05:82:98:00:00:0a:42:6d:3c:a8:08:00 SRC=207.68.172.245 DST=XXX.TER.NAL.IP LEN=40 TOS=0x00 PREC=0x00 TTL=240 ID=8405 PROTO=TCP SPT=80 DPT=3778 WINDOW=9300 RES=0x00 RST URGP=0
# And again because the first one was DROPed
Apr 22 18:17:26 ALPHA kernel: incoming INPUT: IN=eth0 OUT= MAC=00:40:05:82:98:00:00:0a:42:6d:3c:a8:08:00 SRC=207.68.172.245 DST=XXX.TER.NAL.IP LEN=40 TOS=0x00 PREC=0x00 TTL=240 ID=8408 PROTO=TCP SPT=80 DPT=3777 WINDOW=9300 RES=0x00 RST URGP=0
# And it DROPs too, looking like two scans per second:
Apr 22 18:17:26 ALPHA kernel: Def DROPing INPUT: IN=eth0 OUT= MAC=00:40:05:82:98:00:00:0a:42:6d:3c:a8:08:00 SRC=207.68.172.245 DST=XXX.TER.NAL.IP LEN=40 TOS=0x00 PREC=0x00 TTL=240 ID=8408 PROTO=TCP SPT=80 DPT=3777 WINDOW=9300 RES=0x00 RST URGP=0
# finally the client machine decides it needs to reset the connection, over
an hour and a half later:
Apr 22 19:48:21 ALPHA kernel: incoming FORWARD: IN=eth2 OUT=eth0 SRC=192.168.1.6 DST=207.68.172.245 LEN=40 TOS=0x00 PREC=0x00 TTL=127 ID=41499 DF PROTO=TCP SPT=3778 DPT=80 WINDOW=0 RES=0x00 RST URGP=0
The client machine is windoze if that helps (I find it usually hurts...).
Why are these two trying to do resets after ACK FIN? And then why does the
client try to reset after an hour and a half?
Thanks for any insight.
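The practical problem in the post above is a log-triage one: a RST that arrives after the firewall's connection-tracking entry has expired is logged as a dropped INPUT packet and is indistinguishable, line by line, from a scan. The script below is an added example, not code from the original post or from the author. It parses the iptables log format shown above, remembers on which connections a FIN was seen, and, when a dropped RST arrives, checks whether it matches a recently closed connection so it can be reported as a late teardown rather than as a scan. Assumptions: eth0 is the Internet-facing interface (as in the post's logs); a connection is keyed on remote address, remote port and the port the firewall presents to the outside, which in the post's logs equals the client's port; and the sample log lines are constructed from the post's values with 192.0.2.1 standing in for the firewall's masked external address and 198.51.100.7 as an unrelated host.

```python
import re
from datetime import datetime

# Assumption taken from the post's logs: eth0 faces the Internet.
EXTERNAL_IF = "eth0"
TCP_FLAGS = {"SYN", "ACK", "FIN", "RST", "PSH", "URG", "ECE", "CWR"}

# Constructed sample, modelled on the log lines in the post (192.0.2.1 is a
# placeholder for the firewall's external IP, 198.51.100.7 an unrelated host).
SAMPLE_LOG = """\
Apr 22 18:15:48 ALPHA kernel: incoming FORWARD: IN=eth0 OUT=eth2 SRC=207.68.172.245 DST=192.168.1.6 LEN=40 TOS=0x00 PREC=0x00 TTL=239 ID=59301 PROTO=TCP SPT=80 DPT=3778 WINDOW=8190 RES=0x00 ACK FIN URGP=0
Apr 22 18:15:49 ALPHA kernel: incoming FORWARD: IN=eth2 OUT=eth0 SRC=192.168.1.6 DST=207.68.172.245 LEN=40 TOS=0x00 PREC=0x00 TTL=127 ID=61420 DF PROTO=TCP SPT=3778 DPT=80 WINDOW=8607 RES=0x00 ACK URGP=0
Apr 22 18:17:26 ALPHA kernel: Default DROPing INPUT: IN=eth0 OUT= MAC=00:40:05:82:98:00:00:0a:42:6d:3c:a8:08:00 SRC=207.68.172.245 DST=192.0.2.1 LEN=40 TOS=0x00 PREC=0x00 TTL=240 ID=8405 PROTO=TCP SPT=80 DPT=3778 WINDOW=9300 RES=0x00 RST URGP=0
Apr 22 18:17:30 ALPHA kernel: Default DROPing INPUT: IN=eth0 OUT= MAC=00:40:05:82:98:00:00:0a:42:6d:3c:a8:08:00 SRC=198.51.100.7 DST=192.0.2.1 LEN=40 TOS=0x00 PREC=0x00 TTL=50 ID=1 PROTO=TCP SPT=80 DPT=3778 WINDOW=9300 RES=0x00 RST URGP=0
"""

# syslog timestamp, host, "kernel:", the --log-prefix (no colons), then the fields
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ kernel: (?P<prefix>[^:]*): (?P<body>.*)$"
)


def parse_line(line):
    """Split one iptables log line into timestamp, log prefix, KEY=VALUE fields and TCP flags."""
    m = LINE_RE.match(line)
    if not m:
        return None
    fields, flags = {}, set()
    for tok in m.group("body").split():
        if "=" in tok:
            k, v = tok.split("=", 1)   # "OUT=" yields an empty value, as in INPUT lines
            fields[k] = v
        elif tok in TCP_FLAGS:
            flags.add(tok)
    return {
        "time": datetime.strptime(m.group("ts"), "%b %d %H:%M:%S"),  # no year in syslog
        "prefix": m.group("prefix"),
        "fields": fields,
        "flags": flags,
    }


def conn_key(ev):
    """(remote_ip, remote_port, outside_port): the same key for both directions of a connection."""
    f = ev["fields"]
    if f.get("IN") == EXTERNAL_IF:          # packet from the Internet
        return (f["SRC"], f["SPT"], f["DPT"])
    return (f["DST"], f["DPT"], f["SPT"])   # packet from the inside heading out


def classify_drops(log_text, window_seconds=2 * 3600):
    """Label each dropped RST as a late teardown (FIN seen on that connection within
    window_seconds) or as an unmatched RST that deserves scan-style scrutiny."""
    last_fin = {}
    verdicts = []
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None or ev["fields"].get("PROTO") != "TCP":
            continue
        key = conn_key(ev)
        if "FIN" in ev["flags"]:
            last_fin[key] = ev["time"]
        if "RST" in ev["flags"] and "DROP" in ev["prefix"].upper():
            fin_at = last_fin.get(key)
            if fin_at is not None and 0 <= (ev["time"] - fin_at).total_seconds() <= window_seconds:
                delay = int((ev["time"] - fin_at).total_seconds())
                verdicts.append(("late-teardown", key, delay))
            else:
                verdicts.append(("unmatched-rst", key, None))
    return verdicts


if __name__ == "__main__":
    for verdict, key, delay in classify_drops(SAMPLE_LOG):
        extra = "" if delay is None else " (%d s after FIN)" % delay
        print("%-15s %s:%s -> port %s%s" % (verdict, key[0], key[1], key[2], extra))
```

Feed it the real log with something like `classify_drops(open("/var/log/messages").read())`; anything reported as `late-teardown` is the artefact described in the post, while `unmatched-rst` lines are the ones still worth treating as possible scan traffic.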