conn_track dropping packets when it shouldn't

Nigel Morse N.Morse@hyperknowledge.com
Wed, 20 Jun 2001 10:45:18 +0100


> Actually, if you look at
> http://www.cs.princeton.edu/~jns/security/iptables/index.html#CONFIG and
> a little bit down the page you will find exactly this rule (I think
> that's where I have it from ;-)

I don't doubt that the rule came from somewhere :) 

My worry is that I thought the NEW match would check for the syn flag - and
so a rule that matches NEW and !syn should *never* match any packet.
However, looking at the original log you sent, this rule is matching packets
with the ACK and FIN flags set.  To my mind a FIN/ACK packet should be part
of an ESTABLISHED connection, and if the connection doesn't exist (or has
been dropped for whatever reason) then it should match the INVALID state.  I
have to wonder what is going on!

Cheers
Nigel
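An added illustration, not part of this thread: a small Python model of how TCP connection tracking assigns the NEW/ESTABLISHED/INVALID states, run against constructed packets to check the rule under discussion (`-p tcp ! --syn -m state --state NEW -j DROP`). The model assumes the tracker picks up a packet with no existing entry as NEW even when it is not a SYN (the behaviour the log shows); setting `loose=False` models a stricter tracker that reports INVALID instead. The `Packet`, `ConnTracker` and `classify` names are this example's own.

```python
# Model of conntrack TCP state assignment plus the iptables "--state NEW ! --syn"
# rule. Assumption (matches the log in this thread): with loose tracking, any
# TCP packet that has no conntrack entry is treated as NEW, not only a bare SYN.
from dataclasses import dataclass, field

SYN, ACK, FIN, RST = "SYN", "ACK", "FIN", "RST"

@dataclass
class Packet:
    src: str
    dst: str
    flags: frozenset

@dataclass
class ConnTracker:
    loose: bool = True                       # pick up flows mid-stream as NEW
    table: set = field(default_factory=set)  # known flows as {src, dst} pairs

    def state(self, pkt: Packet) -> str:
        """Return the state the packet would be matched against."""
        flow = frozenset((pkt.src, pkt.dst))
        if flow in self.table:
            return "ESTABLISHED"
        if pkt.flags == {SYN} or self.loose:   # bare SYN, or loose pickup
            self.table.add(flow)
            return "NEW"
        return "INVALID"                       # non-SYN with no entry, strict

def new_not_syn_rule_matches(state: str, pkt: Packet) -> bool:
    """'! --syn' with '--state NEW': --syn means SYN set and ACK/RST/FIN clear."""
    is_syn = SYN in pkt.flags and not (pkt.flags & {ACK, RST, FIN})
    return state == "NEW" and not is_syn

def classify(packets, loose=True):
    """Feed packets through a fresh tracker; return (state, rule_hit) per packet."""
    ct = ConnTracker(loose=loose)
    return [(st, new_not_syn_rule_matches(st, p))
            for p in packets for st in (ct.state(p),)]

# Constructed sample traffic: a handshake start, then a stray FIN/ACK from a
# flow the tracker has never seen (the situation described in the thread).
SAMPLE = [
    Packet("10.0.0.2", "10.0.0.1", frozenset({SYN})),
    Packet("10.0.0.1", "10.0.0.2", frozenset({SYN, ACK})),
    Packet("192.0.2.9", "10.0.0.1", frozenset({FIN, ACK})),
]

if __name__ == "__main__":
    for pkt, (st, hit) in zip(SAMPLE, classify(SAMPLE)):
        print(sorted(pkt.flags), st, "DROP" if hit else "pass")
```

With loose pickup the stray FIN/ACK is classified NEW and is exactly what the `! --syn` rule catches; with `loose=False` it is INVALID and the rule does not fire, which is the behaviour the message above expected.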