I have a "new not syn" packet needed
Thu, 3 Jan 2002 18:29:26 +0000
At 16:20 on 3 Jan 02, Bruno Negrão wrote about Re: I have a "new not sy=
> Hi Antony, thank you for the excellent explanation.
> Now, as you see in the kernel log, my firewall is dropping my own FIN
> packets that would be sent to the remote machine. Would it cause that the
> both machines keep waiting for the FIN packets? (supposing that my machine
> would try to terminate the connection.)
Nothing will get upset if it doesn't receive a FIN packet. I don't know
of any application which positively *requires* the connection to be taken
down in this way (as I said, many systems simply stop talking to each
other and don't bother sending FINs at all).
No, I think the only potential disadvantage to dropping these packets is
that your firewall (and any other stateful inspection routers along the
way) will keep an entry in the connection table for longer than it needs
to be there. That won't harm an application, though.