Non-deterministic non-matching in Connection Tracking

Discussion in 'Linux Networking' started by Cameron Kerr, Jul 11, 2004.

Cameron Kerr (Guest)

    Kernel 2.6.7 compiled for k7, as provided by Debian Testing.

    This machine is located in a Co-lo, so kernel experimentation is not
    really much of an option.

    I have a firewall that I have set up that limits INPUT and OUTPUT (no
    FORWARD, it doesn't route).

    The rules work fine, and traffic works as expected. However, I see log
    messages from the kernel about packets that are being dropped. They are
    from friendly sources, and not particular to any service (currently seen
    with SSH, POP, and WWW).

    The only pattern that I have been able to discern is that all the
    packets are TCP, and have at least the ACK flag set, often also FIN and
    to a lesser degree PSH, and that these are all going on the OUTPUT
    chain (i.e., in reply to the client). This would seem to indicate that
    the problem lies in the IPTables connection tracking module.

    I'm at a loss to explain any rational reason for this, except for a bug.
    Has anyone met this odd behaviour?
    Cameron Kerr, Jul 11, 2004
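The pattern the post describes (drops logged only on OUTPUT, always TCP, always with ACK and often FIN or PSH, never a bare SYN) is exactly what a reviewer would want to confirm from the logs before blaming the connection tracker, because mid-stream reply packets should have been accepted by an ESTABLISHED match. The following script is an added example, not code from the thread or from the poster's machine: it parses lines in the format the iptables LOG target writes to the kernel log, counts drops by chain prefix and TCP flag set, and picks out the suspicious class. The log prefixes "INPUT-DROP" and "OUTPUT-DROP", the host name and the addresses are assumed or constructed for the example.

```python
"""Summarise dropped-packet lines written by the iptables LOG target.

Added example for the thread above, not the poster's own code. It assumes
the drop rules use the LOG target with the (assumed) prefixes "INPUT-DROP: "
and "OUTPUT-DROP: ". The sample lines below are constructed and use the
documentation address ranges from RFC 5737.
"""
import re
from collections import Counter

# TCP flag words as printed by the LOG target after the RES= field.
TCP_FLAGS = ("SYN", "ACK", "FIN", "PSH", "RST", "URG")

# KEY=VALUE fields we care about; IN= and OUT= may be empty.
FIELD_RE = re.compile(r"\b(IN|OUT|SRC|DST|PROTO|SPT|DPT|LEN)=(\S*)")
# Optional "[uptime]" after "kernel:", then the log prefix ending in a colon.
PREFIX_RE = re.compile(r"kernel:\s*(?:\[[^\]]*\]\s*)?(\S+):")

# Constructed sample log; not from the poster's system.
SAMPLE_LOG = [
    "Jul 11 10:02:11 colo kernel: OUTPUT-DROP: IN= OUT=eth0 SRC=192.0.2.10 DST=198.51.100.7 LEN=52 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=TCP SPT=22 DPT=40122 WINDOW=501 RES=0x00 ACK FIN URGP=0",
    "Jul 11 10:02:12 colo kernel: OUTPUT-DROP: IN= OUT=eth0 SRC=192.0.2.10 DST=198.51.100.7 LEN=40 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=TCP SPT=110 DPT=40130 WINDOW=501 RES=0x00 ACK URGP=0",
    "Jul 11 10:02:13 colo kernel: OUTPUT-DROP: IN= OUT=eth0 SRC=192.0.2.10 DST=198.51.100.9 LEN=1500 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=TCP SPT=80 DPT=33001 WINDOW=501 RES=0x00 ACK PSH URGP=0",
    "Jul 11 10:02:14 colo kernel: INPUT-DROP: IN=eth0 OUT= SRC=203.0.113.5 DST=192.0.2.10 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=8 DF PROTO=TCP SPT=51000 DPT=23 WINDOW=65535 RES=0x00 SYN URGP=0",
    "Jul 11 10:02:15 colo kernel: INPUT-DROP: IN=eth0 OUT= SRC=203.0.113.5 DST=192.0.2.10 LEN=78 TOS=0x00 PREC=0x00 TTL=52 ID=9 PROTO=UDP SPT=5353 DPT=5353 LEN=58",
    "Jul 11 10:02:16 colo sshd[123]: Accepted publickey for cameron from 198.51.100.7 port 40122",
]


def tcp_flags(line):
    """Return the TCP flag words on the line, in TCP_FLAGS order; () for non-TCP."""
    if "RES=" not in line:
        return ()
    tail = line.split("RES=", 1)[1]
    return tuple(f for f in TCP_FLAGS if re.search(rf"\b{f}\b", tail))


def parse_log_line(line):
    """Parse one LOG-target line into a dict, or return None for other log lines."""
    m = PREFIX_RE.search(line)
    if not m or "PROTO=" not in line:
        return None
    rec = {"prefix": m.group(1), "flags": tcp_flags(line)}
    for key, val in FIELD_RE.findall(line):
        rec[key] = val
    return rec


def summarize(lines):
    """Count dropped packets by (log prefix, protocol, TCP flag set)."""
    counts = Counter()
    for line in lines:
        rec = parse_log_line(line)
        if rec:
            counts[(rec["prefix"], rec.get("PROTO"), rec["flags"])] += 1
    return counts


def conntrack_suspects(lines):
    """Drops matching the thread's symptom: TCP packets on the OUTPUT side
    carrying ACK (often FIN or PSH) but no SYN, i.e. mid-stream replies that
    an ESTABLISHED match should have accepted before the drop rule."""
    suspects = []
    for line in lines:
        rec = parse_log_line(line)
        if not rec or rec.get("PROTO") != "TCP":
            continue
        if (rec["prefix"].startswith("OUTPUT")
                and "ACK" in rec["flags"] and "SYN" not in rec["flags"]):
            suspects.append(rec)
    return suspects


if __name__ == "__main__":
    for key, n in sorted(summarize(SAMPLE_LOG).items()):
        print(n, key)
    for rec in conntrack_suspects(SAMPLE_LOG):
        print("suspect:", rec["SRC"], rec["SPT"], "->", rec["DST"], rec["DPT"], rec["flags"])
```

If the suspect list is non-empty on a real log, the first things to check are that the OUTPUT chain accepts ESTABLISHED,RELATED traffic (the `-m state --state` match in iptables of that era) before any drop rule, and that the tracker is not running out of room: a full conntrack table (capacity is set by the `ip_conntrack_max` sysctl on 2.6 kernels) causes exactly this kind of apparently random drop of mid-stream packets on otherwise healthy connections.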
