Supposing this 'four seconds' connectivity problem, leading to a
timeout. On your example, A host FINs the connections. Afther that,
connectivity is OK again.
I really dont see the problem here. As the connection was already
finished ( FIN ), it really seems unnecessary that firewall continues
accepting packets of that connection. In this situation ( timeout with
FIN ), connection would be really lost and should be redone.
What do you think on that ?
Sincerily,
Leonardo Rodrigues
----- Original Message -----
From: "Michal Zalewski" <lcamtufat_private>
To: "Leonardo Rodrigues" <coelhoat_private>
Sent: Tuesday, December 11, 2001 3:47 PM
Subject: Re: iptables 'syn but not new' packets
> Imagine there is some kind of connectivity problem between your host,
A,
> and a remote server B. Your firewall might receive ICMP host
unreachable
> from a router, or A might simply FIN the connection due to a timeout.
At
> this point, your firewall table does not contain this connection
anymore.
>
> But after a while, everything is back to normal, and remote host still
> thinks it is connected to you (maybe it had different timeout
settings,
> maybe some lost packets arrived to it in the meantime), while your
> firewall thinks it is not. Remote host sends a data packet (e.g. HTTP,
> FTP, IRC, SMTP server "idle disconnect" message), and here we go.
This archive was generated by hypermail 2b30 : Thu Dec 13 2001 - 08:37:01 PST