AW: TCP window tracking has bad side effects

Jozsef Kadlecsik
Wed Dec 1 13:58:35 CET 2004

On Wed, 1 Dec 2004, Lockenvitz Jan EXT wrote:

> i recently saw the same problem on a Checkpoint FW. The problem there
> was the blocked SYN packet.
> The packet was blocked because it had the same Src-IP:src-port and
> Dst-IP:dst-port as the old connection in the state table. So the
> SYN never reached the other box and no ACK packet (with old sequence and
> ack-nr) was sent and of course no RST.

Because the man in the middle (netfilter) cannot know whether the
connection has already died and the current SYN is a true new request or a
SYN probe, the TCP window tracking code lets through the SYN packet. If
it's a real new connection request, the packet will be answered with a
proper SYN/ACK and the new connection will be handled properly. If it was
a SYN probe and we see an ACK as a reply, the old connection will remain
in the conntrack hash table.

Best regards,
Address : KFKI Research Institute for Particle and Nuclear Physics
          H-1525 Budapest 114, POB. 49, Hungary
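The decision described in the reply above (let a SYN through on an already-tracked 4-tuple, then let the peer's answer decide whether the old entry survives), as an added toy model that is not part of the original post or of the netfilter conntrack code; the table layout, packet dictionaries and addresses are constructed for illustration:

```python
# Toy model of the TCP window tracking decision described in the post.
# Constructed example; not netfilter code. Keys and packet fields are assumptions.
from dataclasses import dataclass
from typing import Optional

SYN, ACK = 0x02, 0x10


@dataclass
class Conn:
    key: tuple                        # (src_ip, sport, dst_ip, dport), original direction
    seq: int                          # initial sequence number of the original direction
    pending_syn: Optional[int] = None  # ISN of a SYN seen on an already-tracked tuple


def mkpkt(src, sport, dst, dport, flags, seq=0):
    """Build a minimal constructed TCP packet record."""
    return {"src": src, "sport": sport, "dst": dst, "dport": dport,
            "flags": flags, "seq": seq}


def handle(table, pkt):
    """Return (verdict, note) for one packet and update the conntrack table."""
    key = (pkt["src"], pkt["sport"], pkt["dst"], pkt["dport"])
    rkey = (pkt["dst"], pkt["dport"], pkt["src"], pkt["sport"])
    flags = pkt["flags"]
    if flags & SYN and not flags & ACK:
        conn = table.get(key)
        if conn is None:
            table[key] = Conn(key, pkt["seq"])
            return "ACCEPT", "new connection tracked"
        # Same 4-tuple as a tracked connection: a fresh request and a SYN probe
        # look identical here, so let it pass and decide from the reply.
        conn.pending_syn = pkt["seq"]
        return "ACCEPT", "SYN on tracked tuple, waiting for reply"
    conn, is_reply = table.get(key), False
    if conn is None:
        conn, is_reply = table.get(rkey), True
    if conn is None:
        return "DROP", "no state for this packet"
    if is_reply and conn.pending_syn is not None:
        if flags & SYN and flags & ACK:
            # Peer answered with SYN/ACK: the old connection is dead, replace it.
            table[conn.key] = Conn(conn.key, conn.pending_syn)
            return "ACCEPT", "old entry replaced by new connection"
        if flags & ACK:
            # Plain ACK carrying the old numbers: it was a probe, keep the old entry.
            conn.pending_syn = None
            return "ACCEPT", "SYN probe answered, old connection kept"
    return "ACCEPT", "established traffic"
```

Running the two reply variants (SYN/ACK versus plain ACK) against the same table shows the entry being replaced in the first case and retained in the second.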
