AW: TCP window tracking has bad side effects

Jozsef Kadlecsik kadlec at blackhole.kfki.hu
Wed Dec 1 13:58:35 CET 2004


On Wed, 1 Dec 2004, Lockenvitz Jan EXT wrote:

> i recently saw the same problem on a Checkpoint FW. The problem there
> was the blocked SYN packet.
> The packet was blocked because it had the same Src-IP:src-port and
> Dst-IP:dst-port as the old connection in the state table. So the
> SYN never reached the other box and no ACK packet (with old sequence and
> ack-nr) was sent and of course no RST.

Because the man in the middle (netfilter) cannot know whether the
connection has already died and the current SYN is a true new request or a
SYN probe, the TCP window tracking code lets through the SYN packet. If
it's a real new connection request, the packet will be answered with a
proper SYN/ACK and the new connection will be handled properly. If it was
a SYN probe and we see an ACK as a reply, the old connection will remain
in the conntrack hash table.

Best regards,
Jozsef
-
E-mail  : kadlec at blackhole.kfki.hu, kadlec at sunserv.kfki.hu
PGP key : http://www.kfki.hu/~kadlec/pgp_public_key.txt
Address : KFKI Research Institute for Particle and Nuclear Physics
          H-1525 Budapest 114, POB. 49, Hungary
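The two outcomes Jozsef describes (a SYN on a still-tracked connection is let through; a SYN/ACK reply starts a fresh entry, a plain ACK reply leaves the old entry in place) are modelled below as a small state tracker. This is an added illustration written for this page, not nf_conntrack code: the class and field names (Tracker, Entry, reopen_pending) and the 10.0.0.x tuple are constructed for the example.

```python
"""Toy model of the conntrack decision described in the mail: a SYN that
matches an ESTABLISHED entry is accepted, and the reply decides whether the
old entry survives.  Illustration only; the real logic lives in the kernel's
TCP window tracking code and is considerably more involved."""
from dataclasses import dataclass

ACCEPT, DROP = "ACCEPT", "DROP"


@dataclass(frozen=True)
class Tuple4:
    saddr: str
    sport: int
    daddr: str
    dport: int

    def reverse(self):
        return Tuple4(self.daddr, self.dport, self.saddr, self.sport)


@dataclass(frozen=True)
class Packet:
    tup: Tuple4
    syn: bool = False
    ack: bool = False
    rst: bool = False


@dataclass
class Entry:
    orig: Tuple4                  # direction of the first SYN seen
    state: str                    # "SYN_SENT", "SYN_RECV", "ESTABLISHED"
    reopen_pending: bool = False  # hypothetical flag: SYN seen on an established entry


class Tracker:
    def __init__(self):
        self.table = {}  # keyed by the original-direction tuple

    def lookup(self, tup):
        """Find the entry for tup in either direction; return (entry, is_reply)."""
        if tup in self.table:
            return self.table[tup], False
        if tup.reverse() in self.table:
            return self.table[tup.reverse()], True
        return None, False

    def handle(self, pkt):
        entry, is_reply = self.lookup(pkt.tup)

        if entry is None:
            # No state yet: only a bare SYN may open a connection.
            if pkt.syn and not pkt.ack:
                self.table[pkt.tup] = Entry(pkt.tup, "SYN_SENT")
                return ACCEPT
            return DROP

        if pkt.rst:
            del self.table[entry.orig]
            return ACCEPT

        if entry.state == "ESTABLISHED" and pkt.syn and not pkt.ack and not is_reply:
            # The firewall cannot tell a real reopen from a SYN probe, so the
            # SYN is let through and the old entry is kept until the reply.
            entry.reopen_pending = True
            return ACCEPT

        if entry.reopen_pending and is_reply:
            if pkt.syn and pkt.ack:
                # Real new request: the SYN/ACK replaces the stale entry.
                self.table[entry.orig] = Entry(entry.orig, "SYN_RECV")
            elif pkt.ack:
                # SYN probe answered with a plain ACK: the old entry remains.
                entry.reopen_pending = False
            return ACCEPT

        if entry.state == "SYN_SENT" and is_reply and pkt.syn and pkt.ack:
            entry.state = "SYN_RECV"
            return ACCEPT
        if entry.state == "SYN_RECV" and not is_reply and pkt.ack and not pkt.syn:
            entry.state = "ESTABLISHED"
            return ACCEPT
        if entry.state == "ESTABLISHED" and pkt.ack and not pkt.syn:
            return ACCEPT
        return DROP


def established_tracker():
    """A tracker holding one ESTABLISHED entry for a constructed tuple."""
    t = Tracker()
    client = Tuple4("10.0.0.1", 40000, "10.0.0.2", 22)
    t.table[client] = Entry(client, "ESTABLISHED")
    return t, client


def reopen_with_syn_ack():
    """Case 1 from the mail: the SYN is a real new request and gets a SYN/ACK."""
    t, client = established_tracker()
    v1 = t.handle(Packet(client, syn=True))
    v2 = t.handle(Packet(client.reverse(), syn=True, ack=True))
    return v1, v2, t.table[client].state


def reopen_with_plain_ack():
    """Case 2 from the mail: the SYN was a probe and the peer answers with an ACK."""
    t, client = established_tracker()
    v1 = t.handle(Packet(client, syn=True))
    v2 = t.handle(Packet(client.reverse(), ack=True))
    return v1, v2, t.table[client].state, t.table[client].reopen_pending


if __name__ == "__main__":
    print(reopen_with_syn_ack())    # ('ACCEPT', 'ACCEPT', 'SYN_RECV')
    print(reopen_with_plain_ack())  # ('ACCEPT', 'ACCEPT', 'ESTABLISHED', False)
```

The point the model makes visible is that the SYN alone never evicts the old entry; only the peer's answer does, which is why a stale ESTABLISHED entry can outlive a host that has silently forgotten the connection.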