What is ACK PSH FIN and why is it blocked?

John Lange john.lange at open-it.ca
Tue Aug 9 17:21:35 CEST 2005

I get quite a number of packets dropped as follows. This is a packet from
my web server to a given host:

Aug  8 01:20:12 venus kernel: IN= OUT=eth0 SRC=<myServerIP>
DST=<someHost> LEN=471 TOS=0x00 PREC=0x00 TTL=64 ID=13332 DF PROTO=TCP
SPT=80 DPT=10067 WINDOW=1716 RES=0x00 ACK PSH FIN URGP=0

Here is an abbreviated version of the iptables ruleset which is in

iptables -P FORWARD DROP
iptables -P INPUT DROP
iptables -P OUTPUT DROP

iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -m state --state NEW -p tcp --sport 80 -j ACCEPT

iptables -A OUTPUT -p all -j LOG

# Allow incoming data that is part of a connection we established
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# www server
iptables -A INPUT -p tcp --syn --dport 80 -j ACCEPT
iptables -A INPUT -p tcp --syn --dport 443 -j ACCEPT

iptables -A INPUT -p all -j LOG

So what is a packet with "ACK PSH FIN" set? I assume they are being
blocked because they are neither "SYN" nor part of an established
connection? But what are they and should they be allowed?

John Lange

More information about the netfilter mailing list
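The following is an added illustration for the question above; it is not code from the post or from netfilter. It is a toy model of how netfilter's TCP connection tracking classifies a packet that arrives for a 4-tuple it has no entry for, followed by the OUTPUT chain from the post applied to that result. The only pieces taken from the kernel are the precedence it uses to pick a TCP flag index (RST, then SYN/SYN-ACK, then FIN, then ACK) and the "no entry yet" row of its TCP state table, where a FIN-carrying packet is INVALID, a SYN is NEW, and a bare ACK can be picked up as an existing connection only when tcp_loose is on. The parsed log line is the one from the post, with the redacted addresses left as written; the "tracked" set, the tuple shape and the chain walk are simplifications of my own, and the non-FIN variants in the test are constructed inputs.

```python
"""Toy model of why a server's ACK PSH FIN can be logged and dropped.

Added illustration, not code from the post or from netfilter. Only the
flag-index precedence and the sNO ("no conntrack entry") row of the kernel's
TCP state table are taken from the real implementation; everything else is a
deliberate simplification (assumption, not netfilter's actual data model).
"""

TCP_FLAG_WORDS = {"SYN", "ACK", "FIN", "RST", "PSH", "URG"}

# The log line from the post, with the redacted addresses kept as written.
LOGGED_LINE = (
    "Aug  8 01:20:12 venus kernel: IN= OUT=eth0 SRC=<myServerIP> "
    "DST=<someHost> LEN=471 TOS=0x00 PREC=0x00 TTL=64 ID=13332 DF PROTO=TCP "
    "SPT=80 DPT=10067 WINDOW=1716 RES=0x00 ACK PSH FIN URGP=0"
)


def parse_log_line(line):
    """Turn an iptables LOG line into a dict; bare TCP flag words go into FLAGS."""
    pkt = {"FLAGS": set(), "DF": False}
    for tok in line.split():
        if "=" in tok:
            key, value = tok.split("=", 1)
            pkt[key] = value
        elif tok in TCP_FLAG_WORDS:
            pkt["FLAGS"].add(tok)
        elif tok == "DF":
            pkt["DF"] = True
    return pkt


def flag_index(flags):
    """Precedence used by the kernel's get_conntrack_index():
    RST first, then SYN / SYN-ACK, then FIN, then ACK, else 'none'."""
    if "RST" in flags:
        return "rst"
    if "SYN" in flags:
        return "synack" if "ACK" in flags else "syn"
    if "FIN" in flags:
        return "fin"
    if "ACK" in flags:
        return "ack"
    return "none"


# "No entry yet" row of the kernel's TCP state table: what a packet becomes when
# conntrack has nothing for its tuple. Only a SYN opens a NEW entry; a bare ACK
# may "pick up" a mid-stream connection when tcp_loose is on; a FIN (like a RST
# or a SYN-ACK) can never start an entry and is therefore INVALID.
UNTRACKED_RESULT = {
    "syn": "NEW",
    "synack": "INVALID",
    "fin": "INVALID",
    "ack": "PICKUP",   # NEW if tcp_loose, INVALID otherwise
    "rst": "INVALID",
    "none": "INVALID",
}


def tcp_tuple(pkt):
    """Simplified flow key (assumption: direction-specific 4-tuple is enough here)."""
    return (pkt["SRC"], pkt["SPT"], pkt["DST"], pkt["DPT"])


def conntrack_state(pkt, tracked, tcp_loose=True):
    """State the 'state' match would see for this packet.

    'tracked' is the set of tuples conntrack currently holds an entry for.
    Simplification: a tracked tuple is reported as ESTABLISHED without the
    window and sequence checks the real state machine also performs.
    """
    if tcp_tuple(pkt) in tracked:
        return "ESTABLISHED"
    result = UNTRACKED_RESULT[flag_index(pkt["FLAGS"])]
    if result == "PICKUP":
        return "NEW" if tcp_loose else "INVALID"
    return result


def output_chain(pkt, state):
    """The OUTPUT chain from the post, walked in rule order."""
    if state in ("ESTABLISHED", "RELATED"):
        return "ACCEPT"                      # --state ESTABLISHED,RELATED
    if state == "NEW" and pkt.get("PROTO") == "TCP" and pkt.get("SPT") == "80":
        return "ACCEPT"                      # --state NEW -p tcp --sport 80
    return "LOG+DROP"                        # LOG rule, then policy DROP


def classify(line, tracked=frozenset(), tcp_loose=True):
    """Return (conntrack state, OUTPUT verdict) for one LOG line."""
    pkt = parse_log_line(line)
    state = conntrack_state(pkt, tracked, tcp_loose)
    return state, output_chain(pkt, state)


if __name__ == "__main__":
    # No entry for the tuple: the logged ACK PSH FIN is INVALID, i.e. neither
    # NEW (no SYN) nor ESTABLISHED, so it falls through to LOG and the DROP policy.
    print(classify(LOGGED_LINE))
    # The same segment while the connection is still tracked is accepted.
    still_open = {tcp_tuple(parse_log_line(LOGGED_LINE))}
    print(classify(LOGGED_LINE, tracked=still_open))
```

The point the model makes is that the packet is not "neither SYN nor established" in the sense of a third state called NEW: because it carries FIN it is INVALID, and the `--state NEW --sport 80` rule never sees it. The segment itself is ordinary: the server's last data (PSH) plus its half-close (FIN), which only becomes INVALID if conntrack has already forgotten the connection, for instance after the peer tore it down with a RST (after which conntrack keeps the entry only briefly) or after an idle timeout. To confirm that on a live box, put `iptables -A OUTPUT -m state --state INVALID -j LOG --log-prefix "INVALID: "` in front of the catch-all LOG rule and see whether these hits move to the new prefix. Dropping them costs little more than an unclean close on the client side; if they must get out anyway, a stateless rule such as `-p tcp --sport 80 ! --syn -j ACCEPT` lets any non-SYN segment from the web server leave regardless of conntrack's view, at the price of the tracking the state match was giving.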