Frances Flood
2007-Mar-26 14:29 UTC
Re: Expected handling of [SYN] when expecting[SYN, ACK]?
Hi Tom,

Many thanks for that, that's really helped. Netfilter is indeed dropping the packets as invalid.

Thanks and regards,
Frances

-----Original Message-----
From: Tom Eastep [mailto:teastep@shorewall.net]
Sent: 23 March 2007 18:05
To: Shorewall Users
Subject: Re: [Shorewall-users] Expected handling of [SYN] when expecting [SYN, ACK]?

Frances Flood wrote:
> Basically, if the machine behind Shorewall sends out a [SYN] message
> but Shorewall then receives a [SYN] from the target rather than a
> [SYN, ACK], would you expect Shorewall to block the [SYN] message or
> allow it through?

First of all, you should understand that Shorewall isn't something that runs in your system and filters packets. Shorewall is a set of shell scripts that configures netfilter -- the IP packet filtering/mangling facility in the kernel. So Shorewall itself is not involved in interpreting TCP session startup.

> Is it possible for Shorewall to block messages without logging it in
> any way, assuming maximum logging is switched on?

There are a number of ways in which packets can be dropped silently. The most likely cause in this case is that Netfilter connection tracking is dropping them as invalid. You can see if that is happening by

    echo 255 >/proc/sys/net/ipv4/netfilter/ip_conntrack_log_invalid
    modprobe ipt_LOG

If you see packets being logged (they are logged on any console), then you can try manipulating /proc/sys/net/ipv4/netfilter/ip_conntrack_tcp_loose and ip_conntrack_tcp_be_liberal. I've taken a quick look and didn't find the documentation for those so you'll have to do the Google search.

The Shorewall-generated netfilter ruleset can also silently drop packets through its 'Default Actions' (see http://www.shorewall.net/Actions.html#Default). The method for disabling default actions depends on your Shorewall version -- you must use /etc/shorewall/actions if you are running Shorewall version 3.2 or earlier and you use the *_DEFAULT settings in shorewall.conf if you are running Shorewall 3.2.

HTH,
-Tom
--
Tom Eastep        \ Nothing is foolproof to a sufficiently talented fool
Shoreline,         \ http://shorewall.net
Washington USA      \ teastep@shorewall.net
PGP Public Key       \ https://lists.shorewall.net/teastep.pgp.key
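Once ip_conntrack_log_invalid is switched on as Tom describes, the kernel log fills with one line per packet that connection tracking rejected, and the useful next step is to group those lines by reason and by flow so you can see whether the bare SYNs from the remote host are the ones being dropped. The following is an added example, not code from this thread or from the Shorewall project: a small parser and summariser for such log lines. It assumes the lines carry a prefix of the form "ip_ct_tcp: invalid <reason> " (or the later "nf_ct_tcp:" spelling) followed by the usual KEY=value fields and bare flag tokens of the netfilter LOG target; the sample lines embedded below are constructed to that layout with made-up addresses and are not real captures.

```python
"""Triage helper for netfilter conntrack 'invalid' log lines (added example)."""
import re
from collections import Counter

# Constructed sample kernel-log excerpt (not a real capture). Layout mimics
# ip_conntrack_log_invalid output: a "<mod>_ct_tcp: invalid <reason> " prefix
# followed by LOG-target style fields. Addresses are documentation ranges.
SAMPLE_KLOG = """\
ip_ct_tcp: invalid state IN=eth1 OUT=eth0 SRC=203.0.113.7 DST=192.0.2.10 LEN=60 TOS=0x00 PREC=0x00 TTL=53 ID=0 DF PROTO=TCP SPT=443 DPT=43210 WINDOW=5840 RES=0x00 SYN URGP=0
ip_ct_tcp: invalid packet ignored IN=eth1 OUT= SRC=203.0.113.7 DST=192.0.2.10 LEN=40 TOS=0x00 PREC=0x00 TTL=53 ID=0 DF PROTO=TCP SPT=443 DPT=43210 WINDOW=0 RES=0x00 RST URGP=0
Mar 23 18:05:01 fw kernel: nf_ct_tcp: invalid state IN=eth1 OUT=eth0 SRC=203.0.113.9 DST=192.0.2.10 LEN=52 TOS=0x00 PREC=0x00 TTL=51 ID=4242 DF PROTO=TCP SPT=443 DPT=43211 WINDOW=65535 RES=0x00 ACK PSH URGP=0
kernel: eth0: link up
"""

# Prefix written by conntrack; the reason text ends where the LOG fields begin.
LINE_RE = re.compile(r"(?:ip|nf)_ct_tcp: invalid (?P<reason>.+?)\s+(?=IN=)")
# KEY=value fields; OUT= may legitimately be empty on inbound-to-host packets.
FIELD_RE = re.compile(r"\b([A-Z]+)=(\S*)")
# Bare TCP flag tokens as the LOG target prints them (DF is an IP bit, not listed).
TCP_FLAGS = {"SYN", "ACK", "FIN", "RST", "PSH", "URG"}


def parse_invalid_line(line):
    """Return a dict describing one conntrack-invalid log line, or None if the
    line is not such a message."""
    m = LINE_RE.search(line)
    if not m:
        return None
    rest = line[m.end():]
    fields = dict(FIELD_RE.findall(rest))
    flags = sorted(tok for tok in rest.split() if tok in TCP_FLAGS)
    return {
        "reason": m.group("reason").strip(),
        "in": fields.get("IN", ""),
        "out": fields.get("OUT", ""),
        "src": fields.get("SRC"),
        "dst": fields.get("DST"),
        "proto": fields.get("PROTO"),
        "spt": fields.get("SPT"),
        "dpt": fields.get("DPT"),
        "flags": flags,
    }


def parse_events(klog_text):
    """Parse every conntrack-invalid line in a block of kernel-log text."""
    events = (parse_invalid_line(l) for l in klog_text.splitlines())
    return [e for e in events if e is not None]


def count_by_reason(klog_text):
    """How many packets were rejected for each conntrack reason."""
    return Counter(e["reason"] for e in parse_events(klog_text))


def count_by_flow(klog_text):
    """Group rejected packets by 5-tuple-ish key plus flags, so a repeating
    pattern (e.g. SYNs from one peer) stands out."""
    return Counter(
        (e["src"], e["spt"], e["dst"], e["dpt"], " ".join(e["flags"]))
        for e in parse_events(klog_text)
    )


def bare_syn_events(events):
    """The symptom asked about in the thread: a SYN with no ACK arriving from
    the remote side and being rejected by conntrack."""
    return [e for e in events if e["flags"] == ["SYN"]]


if __name__ == "__main__":
    evs = parse_events(SAMPLE_KLOG)
    print("rejected packets:", len(evs))
    for reason, n in count_by_reason(SAMPLE_KLOG).items():
        print(f"  {reason}: {n}")
    for key, n in count_by_flow(SAMPLE_KLOG).items():
        print("  flow", key, "x", n)
    for e in bare_syn_events(evs):
        print("bare SYN rejected:", e["src"], e["spt"], "->", e["dst"], e["dpt"])
```

Run it against a saved copy of dmesg or /var/log/messages by replacing SAMPLE_KLOG with the file contents; if the rejected flows are the SYNs from the remote host's service port towards your client's ephemeral port, that is the conntrack drop Tom suspected, and the tcp_loose / tcp_be_liberal knobs he mentions are the place to start tuning.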