ACK PSH blocked
Stephen J. Smoogen
smooge at gmail.com
Mon Nov 7 19:27:40 CET 2005
On 11/4/05, Carlos Pastorino <carlos.pastorino at gmail.com> wrote:
> Hi everyone,
> My question is targeted to understanding Netfilter, because I know
> that the dropped packets are not impacting on the connection.
> My firewall is configured like this (showing only the important information):
> IPTABLES -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
> IPTABLES -A FORWARD -p TCP -i $INET -o $LAN --syn --dport http -j ACCEPT
> and I've been noticing that packets with the ACK PSH flags set are
> dropped during the connection.
> I know that it's not because of the connection tracking, since the
> drops are occurring during the connection, not a long time after the
> connection, so they are definitely ESTABLISHED packets. And since
> ESTABLISHED packets should get through, I wonder why those are being
Are they really established? Or are they duplicates of existing
packets that are being dropped because they can't be 'established'?
I think you would need to give more information about the stream to
figure out what the cause is.
Stephen J Smoogen.
CSIRT/Linux System Administrator