Supposing this 'four seconds' connectivity problem, leading to a timeout. In your example, host A FINs the connections. After that, connectivity is OK again. I really don't see the problem here. As the connection was already finished (FIN), it really seems unnecessary that the firewall continues accepting packets of that connection. In this situation (timeout with FIN), the connection would be really lost and should be redone.

What do you think of that?

Sincerely,
Leonardo Rodrigues

----- Original Message -----
From: "Michal Zalewski" <lcamtufat_private>
To: "Leonardo Rodrigues" <coelhoat_private>
Sent: Tuesday, December 11, 2001 3:47 PM
Subject: Re: iptables 'syn but not new' packets

> Imagine there is some kind of connectivity problem between your host, A,
> and a remote server B. Your firewall might receive ICMP host unreachable
> from a router, or A might simply FIN the connection due to a timeout. At
> this point, your firewall table does not contain this connection anymore.
>
> But after a while, everything is back to normal, and the remote host still
> thinks it is connected to you (maybe it had different timeout settings,
> maybe some lost packets arrived at it in the meantime), while your
> firewall thinks it is not. The remote host sends a data packet (e.g. HTTP,
> FTP, IRC, SMTP server "idle disconnect" message), and here we go.
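The exchange above turns on what a stateful firewall does with a packet that belongs to a connection it has already forgotten. The following simulation is an added example, not code from either poster or from Netfilter: it models a minimal connection-tracking table (entry created on SYN, dropped on FIN/RST or after an idle timeout) in front of the classic `-p tcp ! --syn -m state --state NEW -j DROP` rule that the thread's subject line refers to, and replays the timeline Michal describes: A closes after a short outage, B never sees the FIN and later sends data, and the firewall drops that data because it is NEW without SYN. All addresses, ports and timestamps are constructed. One simplification is labelled in the code: real connection tracking keeps the entry in a closing state for a while after the FIN instead of discarding it at once, so the window in practice is narrower than the model shows, but the behaviour inside that window is the same.

```python
"""Simulate a stateful firewall with a 'NEW but not SYN' drop rule.

Added example (not from the original thread). Replays the scenario under
discussion: host A FINs a connection after a connectivity timeout, the
remote host B still believes the connection is open and sends a data
packet, and the firewall drops it because the tracker classifies it as
NEW while it carries no SYN flag. The connection must be re-established.
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Tuple


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: FrozenSet[str]   # TCP flags, e.g. frozenset({"SYN"})
    t: float                # arrival time in seconds (constructed timeline)


Key = FrozenSet[Tuple[str, int]]


class ConnTracker:
    """Minimal connection tracker: one entry per direction-independent 4-tuple."""

    def __init__(self, idle_timeout: float) -> None:
        self.idle_timeout = idle_timeout
        self.table: Dict[Key, float] = {}   # key -> time of last accepted packet

    @staticmethod
    def key(p: Packet) -> Key:
        return frozenset({(p.src, p.sport), (p.dst, p.dport)})

    def classify(self, p: Packet) -> str:
        """Return 'NEW' or 'ESTABLISHED', expiring an idle entry on the way."""
        k = self.key(p)
        last = self.table.get(k)
        if last is not None and p.t - last > self.idle_timeout:
            del self.table[k]
            last = None
        return "ESTABLISHED" if last is not None else "NEW"

    def update(self, p: Packet) -> None:
        """Record an accepted packet.

        Simplification (assumption of this model): a FIN or RST removes the
        entry immediately. Real conntrack keeps it in a closing state for a
        short time first, which narrows but does not remove the window below.
        """
        k = self.key(p)
        if p.flags & {"FIN", "RST"}:
            self.table.pop(k, None)
        else:
            self.table[k] = p.t


class Firewall:
    """Applies the 'drop NEW packets that do not carry SYN' rule."""

    def __init__(self, tracker: ConnTracker) -> None:
        self.tracker = tracker

    def filter(self, p: Packet) -> Tuple[str, str]:
        state = self.tracker.classify(p)
        if state == "NEW" and "SYN" not in p.flags:
            return state, "DROP"          # the '! --syn --state NEW' rule fires
        self.tracker.update(p)            # accepted packets refresh the table
        return state, "ACCEPT"


def run_scenario() -> List[Tuple[str, str, str]]:
    """Replay the thread's timeline; returns (label, tracker state, verdict)."""
    a, b = "10.0.0.2", "192.0.2.10"      # constructed addresses
    fw = Firewall(ConnTracker(idle_timeout=3600.0))
    S = frozenset
    timeline = [
        ("A: SYN",                Packet(a, 40000, b, 80, S({"SYN"}), 0.0)),
        ("B: SYN/ACK",            Packet(b, 80, a, 40000, S({"SYN", "ACK"}), 0.1)),
        ("A: ACK",                Packet(a, 40000, b, 80, S({"ACK"}), 0.2)),
        # a few seconds of lost connectivity; A gives up and closes the socket
        ("A: FIN/ACK (timeout)",  Packet(a, 40000, b, 80, S({"FIN", "ACK"}), 6.0)),
        # B never received the FIN and sends an 'idle disconnect' message
        ("B: PSH/ACK data",       Packet(b, 80, a, 40000, S({"PSH", "ACK"}), 12.0)),
        # A reconnects from scratch: a genuine NEW connection carrying SYN
        ("A: SYN (reconnect)",    Packet(a, 40001, b, 80, S({"SYN"}), 20.0)),
    ]
    return [(label, *fw.filter(p)) for label, p in timeline]


if __name__ == "__main__":
    for label, state, verdict in run_scenario():
        print(f"{label:24s} {state:12s} {verdict}")
```

Running the script prints one line per packet; the fifth row is the one the thread is about (classified NEW, dropped), and the sixth shows that a fresh SYN from A is accepted, which is Leonardo's point that the connection simply has to be redone. Leaving B's stale data packet without a reply also means B only learns of the dead connection through its own timeout or an explicit RST, which is the cost of the rule.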
This archive was generated by hypermail 2b30 : Thu Dec 13 2001 - 08:37:01 PST