Strange package logged
Anders Peter Fugmann
afu@fugmann.dhs.org
Fri, 17 Aug 2001 16:17:53 +0200
Nigel Morse wrote:
>>As to allowing ICMP packages, I have the rule:
>>
>>iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
>>
>
> Hmmm. I'm beginning to have strong doubts about UDP connection tracking
> (which, let's face it, is a guess at the best of times - how do you
> connection track a connectionless protocol) as the only way I can get DNS to
> work is to just allow UDP to and from my DNS servers (I know their IPs so
> that restricts it a bit). For ICMP I allow certain types, limit
Quite right, but I have seen it work (I'm using it) with DNS.
Still, all packages should fall under one of the three states, should it
not?
> others and
> block some entirely.
> I only use state for TCP even though it's supposed to work for other
> protocols.
>
> As to the possible linux trojan, I don't know I'm afraid - I'm currently
> worried as I've seen another of my linux box producing a SYN FIN PSH URG
> packet and now a few others - but only to port 80 of 1 machine (which is my
> desktop one!)
>
Don't you mean originating from port 80? If that's the case, then I've
seen it too.
I believe that I read that it is due to the ip_conntrack losing the
connection too early; late SYN FIN packages will hit your INPUT queue,
and thus are regarded as NEW. I filtered it out, to avoid spamming of my logs.
> Cheers
> Nigel
>
>
Regards
Anders Fugmann
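As an added illustration of the points raised in this exchange (not a ruleset posted by either participant), the script below builds a small stateful INPUT chain in the order the thread implies: accept RELATED,ESTABLISHED first, then silently drop what conntrack marks INVALID and impossible flag combinations such as SYN+FIN before they reach the NEW rules and the log, then allow DNS replies from known resolvers as a fallback for the UDP-tracking doubts, and only log, rate-limited, what is left. The resolver addresses are constructed placeholders (RFC 5737 documentation space), and IPT defaults to a dry run that prints the commands instead of applying them.

```sh
#!/bin/sh
# Added example, not from the thread. Dry run by default: set IPT=iptables
# (as root) to actually load the rules.
IPT="${IPT:-echo iptables}"
# Constructed placeholder resolvers; replace with your own DNS servers.
DNS_SERVERS="${DNS_SERVERS:-192.0.2.53 198.51.100.53}"

gen_firewall() {
    $IPT -P INPUT DROP
    $IPT -F INPUT
    $IPT -A INPUT -i lo -j ACCEPT

    # 1. Anything conntrack already knows about, exactly the rule quoted above.
    $IPT -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT

    # 2. Packets conntrack cannot classify (e.g. a late FIN after the entry
    #    timed out) are dropped here so they never show up as NEW in the log.
    $IPT -A INPUT -m state --state INVALID -j DROP

    # 3. Flag combinations that no legitimate stack sends.
    $IPT -A INPUT -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
    $IPT -A INPUT -p tcp --tcp-flags ALL ALL -j DROP
    $IPT -A INPUT -p tcp --tcp-flags ALL NONE -j DROP

    # 4. Fallback for DNS if UDP tracking loses the exchange: accept replies
    #    from the known resolvers only, and only from source port 53.
    for dns in $DNS_SERVERS; do
        $IPT -A INPUT -p udp -s "$dns" --sport 53 -m state --state NEW -j ACCEPT
    done

    # 5. ICMP: allow a few types outright, rate-limit echo requests.
    $IPT -A INPUT -p icmp --icmp-type destination-unreachable -j ACCEPT
    $IPT -A INPUT -p icmp --icmp-type time-exceeded -j ACCEPT
    $IPT -A INPUT -p icmp --icmp-type echo-request -m limit --limit 1/second -j ACCEPT

    # 6. Whatever remains is logged at a bounded rate, then dropped.
    $IPT -A INPUT -m limit --limit 5/minute -j LOG --log-prefix "INPUT-DROP: "
    $IPT -A INPUT -j DROP
}

gen_firewall
```

Run it once without IPT set and read the printed commands; the position of the INVALID and SYN,FIN drops ahead of the logging rule is what keeps the stray packets mentioned in the thread out of the logs, while the per-resolver UDP rule restricts the fallback to the addresses you actually trust rather than opening UDP generally.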