Re: Conntrack rule timeout problem

To:	Pat Riehecky <prieheck@iwu.edu>
Subject:	Re: Conntrack rule timeout problem
From:	Gáspár Lajos <swifty@freemail.hu>
Date:	Wed, 23 May 2007 14:47:29 +0200
Cc:	netfilter@lists.netfilter.org
Delivered-to:	sp-com-lists@consult.net
Delivered-to:	netfilter-list1@securepoint.com
In-reply-to:	<1179765250.12001.18.camel@thales.lan>
List-archive:	</pipermail/netfilter>
List-help:	<mailto:netfilter-request@lists.netfilter.org?subject=help>
List-id:	General discussion and user questions <netfilter.lists.netfilter.org>
List-post:	<mailto:netfilter@lists.netfilter.org>
List-subscribe:	<https://lists.netfilter.org/mailman/listinfo/netfilter>, <mailto:netfilter-request@lists.netfilter.org?subject=subscribe>
List-unsubscribe:	<https://lists.netfilter.org/mailman/listinfo/netfilter>, <mailto:netfilter-request@lists.netfilter.org?subject=unsubscribe>
References:	<1179765250.12001.18.camel@thales.lan>
Sender:	netfilter-bounces@lists.netfilter.org
User-agent:	Thunderbird 2.0.0.0 (Windows/20070326)

To:

Pat Riehecky <prieheck@iwu.edu>

Subject:

Re: Conntrack rule timeout problem

From:

Gáspár Lajos <swifty@freemail.hu>

Date:

Wed, 23 May 2007 14:47:29 +0200

Cc:

netfilter@lists.netfilter.org

Delivered-to:

sp-com-lists@consult.net

Delivered-to:

netfilter-list1@securepoint.com

In-reply-to:

<1179765250.12001.18.camel@thales.lan>

List-archive:

</pipermail/netfilter>

List-help:

<mailto:netfilter-request@lists.netfilter.org?subject=help>

List-id:

General discussion and user questions <netfilter.lists.netfilter.org>

List-post:

<mailto:netfilter@lists.netfilter.org>

List-subscribe:

<https://lists.netfilter.org/mailman/listinfo/netfilter>, <mailto:netfilter-request@lists.netfilter.org?subject=subscribe>

List-unsubscribe:

<https://lists.netfilter.org/mailman/listinfo/netfilter>, <mailto:netfilter-request@lists.netfilter.org?subject=unsubscribe>

References:

<1179765250.12001.18.camel@thales.lan>

Sender:

netfilter-bounces@lists.netfilter.org

User-agent:

Thunderbird 2.0.0.0 (Windows/20070326)

Hi,

Pat Riehecky írta:

I seem to be capturing way more packets than I intend (or even expect!).
I am running squid and have the firewall rules below running on it.  For
some reason I am capturing hundreds of packets that I don't think should
be caught.

Maybe someone is scanning you....

I have increased the timeouts in /proc/ (via sysctl) to fix this, but no
dice.  Anyone have any idea why the sample packet below would be
captured? It is getting picked up by either the-A INPUT -p tcp -m tcp ! --syn -m conntrack --ctstate INVALID -j DROP
but sometimes the
-A INPUT -p tcp -m tcp ! --syn -m state --state NEW -j DROP

Take a look on nmap...

The packet looks to have been requested by squid, it is coming on port
80...  I also seem to be having the same behavior on the squid side
where the FIN/ACK packets are being caught by the conntrack rule...

I know I have something wrong, just what exactly is eluding me...

Any help would be helpful!

Swifty

<Prev in Thread]	Current Thread	[Next in Thread>
Conntrack rule timeout problem, Pat Riehecky Re: Conntrack rule timeout problem, Gáspár Lajos <= Re: Conntrack rule timeout problem, Pat Riehecky Re: Conntrack rule timeout problem, Gáspár Lajos Re: Conntrack rule timeout problem, Pat Riehecky

<Prev in Thread]

Current Thread

[Next in Thread>

Previous by Date:	Rules to block traffic form an interface to a netblock, trellmor
Next by Date:	Re: Bridge Transparent Proxy, Gáspár Lajos
Previous by Thread:	Conntrack rule timeout problem, Pat Riehecky
Next by Thread:	Re: Conntrack rule timeout problem, Pat Riehecky
Indexes:	[Date] [Thread] [Top] [All Lists]

Previous by Date:

Rules to block traffic form an interface to a netblock, trellmor

Next by Date:

Re: Bridge Transparent Proxy, Gáspár Lajos

Previous by Thread:

Conntrack rule timeout problem, Pat Riehecky

Next by Thread:

Re: Conntrack rule timeout problem, Pat Riehecky

Indexes:

[Date] [Thread] [Top] [All Lists]