Problems when closing connections
Stephen A. Zarkos
obsid@sentry.net
Thu, 14 Sep 2000 01:48:22 +0000
Hello,
--Snip--
> The tcpdump for the above connections :
>
> here the connection starts properly:
>
> 14:40:54.983341 aaa.aaa.aaa.aaa.1508 > bbb.bbb.bbb.bbb.8080: S
> 304112:304112(0) win 8192 <mss 1460> (DF)
> 14:40:54.983669 bbb.bbb.bbb.bbb.8080 > aaa.aaa.aaa.aaa.1508: S
> 3949880133:3949880133(0) ack 304113 win 5840 <mss 1460> (DF)
> 14:40:54.983983 aaa.aaa.aaa.aaa.1508 > bbb.bbb.bbb.bbb.8080: . 1:1(0)
> ack 1 win 8760 (DF)
> 14:40:55.008296 aaa.aaa.aaa.aaa.1508 > bbb.bbb.bbb.bbb.8080: P
> 1:376(375) ack 1 win 8760 (DF)
>
> Here is some proper data exchange:
> 14:40:55.008605 bbb.bbb.bbb.bbb.8080 > aaa.aaa.aaa.aaa.1508: . 1:1(0)
> ack 376 win 6432 (DF)
> 14:40:55.032412 bbb.bbb.bbb.bbb.8080 > aaa.aaa.aaa.aaa.1508: .
> 1:1461(1460) ack 376 win 6432 (DF)
> 14:40:55.033097 bbb.bbb.bbb.bbb.8080 > aaa.aaa.aaa.aaa.1508: .
> 1461:2921(1460) ack 376 win 6432 (DF)
> 14:40:55.035857 aaa.aaa.aaa.aaa.1508 > bbb.bbb.bbb.bbb.8080: .
> 376:376(0) ack 2921 win 8760 (DF)
> 14:40:55.036162 bbb.bbb.bbb.bbb.8080 > aaa.aaa.aaa.aaa.1508: P
> 2921:4030(1109) ack 376 win 6432 (DF)
> 14:40:55.037934 aaa.aaa.aaa.aaa.1508 > bbb.bbb.bbb.bbb.8080: .
> 376:376(0) ack 4030 win 7651 (DF)
> 14:40:55.039060 bbb.bbb.bbb.bbb.8080 > aaa.aaa.aaa.aaa.1508: P
> 4030:5304(1274) ack 376 win 6432 (DF)
> 14:40:55.162294 aaa.aaa.aaa.aaa.1508 > bbb.bbb.bbb.bbb.8080: .
> 376:376(0) ack 5304 win 8760 (DF)
> 14:40:56.523743 aaa.aaa.aaa.aaa.1508 > bbb.bbb.bbb.bbb.8080: P
> 376:718(342) ack 5304 win 8760 (DF)
> 14:40:56.524011 bbb.bbb.bbb.bbb.8080 > aaa.aaa.aaa.aaa.1508: .
> 5304:5304(0) ack 718 win 7504 (DF)
> 14:40:56.737930 bbb.bbb.bbb.bbb.8080 > aaa.aaa.aaa.aaa.1508: P
> 5304:5676(372) ack 718 win 7504 (DF)
> 14:40:56.864608 aaa.aaa.aaa.aaa.1508 > bbb.bbb.bbb.bbb.8080: .
> 718:718(0) ack 5676 win 8388 (DF)
>
> And here the firewall tries to close the connection correctly:
> 14:42:57.534025 bbb.bbb.bbb.bbb.8080 > aaa.aaa.aaa.aaa.1508: F
> 5676:5676(0) ack 718 win 7504 (DF)
> 14:42:57.534695 aaa.aaa.aaa.aaa.1508 > bbb.bbb.bbb.bbb.8080: .
> 718:718(0) ack 5677 win 8388 (DF)
>
This looks ok.
At this point any further packets from machine aaa.aaa.aaa.aaa are
neither establishing a new connection nor part of an established
connection anymore. So I guess your logging rules are catching them at
that point.
> here start the packets which create the log entries of iptables:
> 14:48:38.352992 aaa.aaa.aaa.aaa.1508 > bbb.bbb.bbb.bbb.8080: P
> 718:1012(294) ack 5677 win 8388 (DF)
> 14:48:38.353825 aaa.aaa.aaa.aaa.1508 > bbb.bbb.bbb.bbb.8080: F
> 1012:1012(0) ack 5677 win 8388 (DF)
> 14:48:40.093555 aaa.aaa.aaa.aaa.1508 > bbb.bbb.bbb.bbb.8080: FP
> 718:1012(294) ack 5677 win 8388 (DF)
> 14:48:43.698454 aaa.aaa.aaa.aaa.1508 > bbb.bbb.bbb.bbb.8080: FP
> 718:1012(294) ack 5677 win 8388 (DF)
> 14:48:50.908242 aaa.aaa.aaa.aaa.1508 > bbb.bbb.bbb.bbb.8080: FP
> 718:1012(294) ack 5677 win 8388 (DF)
> 14:49:05.327797 aaa.aaa.aaa.aaa.1508 > bbb.bbb.bbb.bbb.8080: FP
> 718:1012(294) ack 5677 win 8388 (DF)
> 14:49:34.166930 aaa.aaa.aaa.aaa.1508 > bbb.bbb.bbb.bbb.8080: FP
> 718:1012(294) ack 5677 win 8388 (DF)
>
> Is this a problem of iptables?
I don't think so, it actually looks like it's working ok. Machine
aaa.aaa.aaa.aaa is sending additional packets related to a connection
that has already been torn down, and is _really_ eager to send those last
294 bytes 6 minutes after the fact. Brain dead pc maybe, I dunno.
What's it running?
I'm running 2.4-test7 on my firewall with similar match rules; I'll keep
my eye out for similar traffic.
Steve.
>
> Uli
> --
> Ulrich Eckhardt Tr@nscom
> http://www.uli-eckhardt.de http://www.transcom.de
> Lagerstraße 11-15 A8
> 64807 Dieburg Germany
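To make Steve's point concrete, here is an added example (not from the thread or from netfilter) that replays the quoted trace through a minimal conntrack-style state tracker and reports which bucket a `--state` rule would see for each packet. The per-state idle timeouts, the `classify` function and the rejoined trace lines are assumptions of this example; the trace below is constructed from the quoted tcpdump output.

```python
import re
from datetime import datetime

# Constructed sample: the quoted tcpdump lines rejoined onto single lines (handshake,
# the firewall's FIN and its ACK, then the late packets that hit the log rule).
TRACE = """\
14:40:54.983341 aaa.aaa.aaa.aaa.1508 > bbb.bbb.bbb.bbb.8080: S 304112:304112(0) win 8192 <mss 1460> (DF)
14:40:54.983669 bbb.bbb.bbb.bbb.8080 > aaa.aaa.aaa.aaa.1508: S 3949880133:3949880133(0) ack 304113 win 5840 <mss 1460> (DF)
14:40:54.983983 aaa.aaa.aaa.aaa.1508 > bbb.bbb.bbb.bbb.8080: . 1:1(0) ack 1 win 8760 (DF)
14:40:55.008296 aaa.aaa.aaa.aaa.1508 > bbb.bbb.bbb.bbb.8080: P 1:376(375) ack 1 win 8760 (DF)
14:42:57.534025 bbb.bbb.bbb.bbb.8080 > aaa.aaa.aaa.aaa.1508: F 5676:5676(0) ack 718 win 7504 (DF)
14:42:57.534695 aaa.aaa.aaa.aaa.1508 > bbb.bbb.bbb.bbb.8080: . 718:718(0) ack 5677 win 8388 (DF)
14:48:38.352992 aaa.aaa.aaa.aaa.1508 > bbb.bbb.bbb.bbb.8080: P 718:1012(294) ack 5677 win 8388 (DF)
14:48:38.353825 aaa.aaa.aaa.aaa.1508 > bbb.bbb.bbb.bbb.8080: F 1012:1012(0) ack 5677 win 8388 (DF)
14:48:40.093555 aaa.aaa.aaa.aaa.1508 > bbb.bbb.bbb.bbb.8080: FP 718:1012(294) ack 5677 win 8388 (DF)
"""

# timestamp, src, dst, flag letters, optional seq range, optional "ack N"
LINE = re.compile(r"^(\S+) (\S+) > (\S+): (\S+)(?: \S+)?( ack \d+)?")

# Assumed idle timeouts per tracked state, in seconds (tunable; FIN_WAIT decides this trace).
TIMEOUTS = {"SYN_SENT": 120, "SYN_RECV": 60, "ESTABLISHED": 5 * 86400, "FIN_WAIT": 120, "CLOSED": 10}


def classify(trace):
    """Return (timestamp, verdict, state) per packet; verdict is NEW, ESTABLISHED or INVALID."""
    table, out = {}, []  # flow key -> {"state", "seen", "orig"}
    for line in trace.splitlines():
        ts, src, dst, flags, ack = LINE.match(line).groups()
        now = datetime.strptime(ts, "%H:%M:%S.%f")
        key = frozenset((src, dst))  # one entry for both directions of the flow
        entry = table.get(key)
        # Expire idle entries first: the half-closed flow is gone long before 14:48.
        if entry and (now - entry["seen"]).total_seconds() > TIMEOUTS[entry["state"]]:
            del table[key]
            entry = None
        if entry is None:
            if "S" in flags and ack is None:  # a bare SYN opens a new flow
                table[key] = {"state": "SYN_SENT", "seen": now, "orig": src}
                out.append((ts, "NEW", "SYN_SENT"))
            else:  # no tracked flow and no SYN: neither NEW nor ESTABLISHED
                out.append((ts, "INVALID", None))
            continue
        st = entry["state"]
        if st == "SYN_SENT" and "S" in flags and ack and src != entry["orig"]:
            st = "SYN_RECV"
        elif st == "SYN_RECV" and ack:
            st = "ESTABLISHED"
        elif st in ("ESTABLISHED", "FIN_WAIT") and "F" in flags:
            st = "FIN_WAIT" if st == "ESTABLISHED" else "CLOSED"
        entry.update(state=st, seen=now)
        out.append((ts, "ESTABLISHED", st))
    return out
```

The three 14:48 packets come out as INVALID, which is exactly the traffic a rule logging everything that is neither NEW nor ESTABLISHED would record.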