Ack/Fin packets dropped.
Ian Jones
ian@dsl081-056-052.dsl-isp.net
Mon, 30 Jul 2001 10:52:35 -0700
On Monday 30 July 2001 10:41, Alexander Demenshin wrote:
> On Mon, Jul 30, 2001 at 07:30:10PM +0200, Patrick Schaaf wrote:
> > > Perhaps - but obviously not long enough. I have dozens of those log
> > > entries every day on my very low-traffic home firewall.
> >
> > Do they demonstrably break functionality, or just make you nervous?
>
> Well, an alternative to new "buttons" would be the opportunity to filter
> those log entries (which, in turn, just pollute the log files and make it
> easy to miss something important).
>
> Is there any filtering opportunity? I fear not, though... On one of my
> systems (a proxy) I see thousands of such entries every day, and it is
> not a very busy proxy, BTW...
Well, actually, yes... you can filter them. I have a similar problem with a
news outsource that performs load balancing, and it often does the same thing.
The way I filter it is:
# flaky nntp server closes: accept the late ACK/FIN from the news provider's
# block before it can reach the LOG rule, so this must sit earlier in INPUT.
# --algo is required by current iptables; the 2001 patch-o-matic string match
# had no such option.
iptables -A INPUT -i eth0 -s 207.126.96.0/19 -p tcp --tcp-flags \
  ACK,FIN ACK,FIN --sport 119 -m string --algo bm --string \
  'closing connection - goodbye' -j ACCEPT
I suppose I could just drop it too.
Can anyone comment on the relative efficiency of the string match as compared
to other matching functions?
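As an added example (not from the original thread), a small Python triage script that reads netfilter LOG lines and separates the late ACK/FIN closes coming back from the NNTP block named above from everything else, so the noise can be measured before deciding to ACCEPT or DROP it in the ruleset. The log lines are constructed, and the LOG field layout (SRC=, SPT=, bare flag tokens such as ACK FIN) is assumed.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample lines in the netfilter LOG target's layout (not taken from
# the original thread). SRC addresses are illustrative; 207.126.96.0/19 is the
# news provider's block from the reply above.
SAMPLE_LOG = """\
Jul 30 10:40:01 fw kernel: IN=eth0 OUT= SRC=207.126.97.5 DST=10.0.0.2 PROTO=TCP SPT=119 DPT=33041 ACK FIN URGP=0
Jul 30 10:40:03 fw kernel: IN=eth0 OUT= SRC=207.126.97.5 DST=10.0.0.2 PROTO=TCP SPT=119 DPT=33042 ACK FIN URGP=0
Jul 30 10:41:17 fw kernel: IN=eth0 OUT= SRC=198.51.100.7 DST=10.0.0.2 PROTO=TCP SPT=4444 DPT=22 SYN URGP=0
Jul 30 10:42:09 fw kernel: IN=eth0 OUT= SRC=203.0.113.9 DST=10.0.0.2 PROTO=TCP SPT=80 DPT=33050 ACK FIN URGP=0
"""

FIELD_RE = re.compile(r"(\w+)=(\S*)")          # KEY=value pairs, value may be empty
TCP_FLAGS = ("SYN", "ACK", "FIN", "RST", "PSH", "URG")
TRUSTED_NNTP = ipaddress.ip_network("207.126.96.0/19")  # assumed trusted source


def parse_line(line):
    """Split one LOG line into its KEY=value fields plus the bare TCP flag tokens."""
    fields = dict(FIELD_RE.findall(line))
    fields["FLAGS"] = frozenset(tok for tok in line.split() if tok in TCP_FLAGS)
    return fields


def classify(fields):
    """'late-close-noise' for a pure ACK/FIN from port 119 inside the trusted
    block (a connection close arriving after conntrack forgot the session);
    'other' for anything else, which still deserves a look."""
    if fields.get("PROTO") != "TCP" or "SRC" not in fields:
        return "other"
    if (fields["FLAGS"] == frozenset({"ACK", "FIN"})
            and fields.get("SPT") == "119"
            and ipaddress.ip_address(fields["SRC"]) in TRUSTED_NNTP):
        return "late-close-noise"
    return "other"


def triage(log_text):
    """Count how much of the dropped-packet log is the known late-close noise."""
    counts = Counter()
    for line in log_text.splitlines():
        if "PROTO=" in line:
            counts[classify(parse_line(line))] += 1
    return counts


if __name__ == "__main__":
    for kind, n in triage(SAMPLE_LOG).items():
        print(f"{kind}: {n}")
```

If the noise share is large, the matching ACCEPT (or DROP) rule placed ahead of the LOG rule removes exactly those entries without hiding the rest.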