[CS-FSLUG] Firewall fights
Tim Young
Tim.Young at LightSys.org
Wed Jan 25 10:30:35 CST 2006
Ed Hurst wrote:
>Tim Young wrote:
>
>>I could translate what you are saying a few ways, so before I
>>make a fool of myself answering with what I suspect, I thought I would
>>verify I have read your email correctly.
>
>Sure. I'm quite certain I make a fool of myself to some degree in this
>whole thread, and I've gotten used to it :-)
>
Well, mainly it was more of my not wanting to type up 15 minutes of an
email if it turned out that I was totally off the mark. But I was
correct in how I read what you were saying.
>This is a sample from the Quicktables script I posted earlier;
>
>Jan 24 11:00:12 krunch kernel: tcp connection: IN=lan0 OUT=
>MAC=00:40:2b:38:4d:21:00:12:88:8d:2a:71:08:00 SRC=64.66.170.95
>DST=192.168.1.65 LEN=40 TOS=0x00 PREC=0x00 TTL=255 ID=8 DF PROTO=TCP
>SPT=80 DPT=43456 WINDOW=0 RES=0x00 ACK RST URGP=0
>
>The website I visited is sending me an "ack rst" and these appear
>unanimously blocked. During such blockage, service was a bit slower than
>normal for this machine only.
>
I have heard this explained to me. Sadly, I have forgotten what the
"answer" was. But here is what I have. The guy who explained it to me
is out of touch at the moment so it will take another week before I can
get the rest of the answer.
The ACK RST is a strange packet. The packet basically says, "I
acknowledge that you have just closed my connection." In TCP, the SYN
packets are the start of a conversation, ACK packets are
acknowledgements of things going on, and a RST is a termination packet.
During a TCP conversation, the firewall tracks it through a table in the
NAT area of the kernel. It knows every conversation going, and tracks
which computer originated the conversation behind the natted interface.
Your client has sent a RST packet to the server. Your firewall has seen
the RST flow by, and says to itself, "This conversation is over" and it
shuts down the NAT table for that conversation (this is a good thing).
When the server receives the RST, it decides to get the last laugh in,
and responds with an extra acknowledgement, an "ACK-RST" (I acknowledge
your "Reset"). By the time that final packet gets to your firewall, the
firewall has shut down the conversation trail, and it treats that packet
as if it were a new conversation of its own.
There is something you can do about it. But I forget what. It may be
that you keep the conversation trail open for a brief second after it
has stopped, or there is a special flag in the kernel for it...
Actually, it might have been a kernel upgrade that solved the problem.
If it is worth it, I can get the answer in a week. But, if nothing
else, you can safely ignore the ACK-RST for now.
- Tim Young
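As an added example (not code from the thread or from Quicktables), here is a small Python log reader that parses kernel firewall log lines in the format Ed quoted and separates the "server's ACK RST arriving after the client already closed the connection" case Tim describes from genuine new-connection attempts, so the two can be counted and reviewed apart. The second sample line, the set of server-side ports and the category names are assumptions made for the example.

```python
from collections import Counter

# Constructed sample: Ed's quoted line rejoined onto one line, plus one
# constructed inbound SYN to port 22 for contrast.
SAMPLE_LOG = """\
Jan 24 11:00:12 krunch kernel: tcp connection: IN=lan0 OUT= MAC=00:40:2b:38:4d:21:00:12:88:8d:2a:71:08:00 SRC=64.66.170.95 DST=192.168.1.65 LEN=40 TOS=0x00 PREC=0x00 TTL=255 ID=8 DF PROTO=TCP SPT=80 DPT=43456 WINDOW=0 RES=0x00 ACK RST URGP=0
Jan 24 11:00:40 krunch kernel: tcp connection: IN=lan0 OUT= MAC=00:40:2b:38:4d:21:00:12:88:8d:2a:71:08:00 SRC=10.9.8.7 DST=192.168.1.65 LEN=60 TOS=0x00 PREC=0x00 TTL=51 ID=1234 DF PROTO=TCP SPT=43123 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0
"""

TCP_FLAGS = {"SYN", "ACK", "FIN", "RST", "PSH", "URG"}
# Assumption: ports our own clients talk to as a server side.
SERVICE_PORTS = {80, 443}


def parse_line(line):
    """Turn one 'kernel:' log line into a dict of KEY=VALUE fields plus
    a FLAGS set of the bare TCP flag tokens (ACK, RST, ...)."""
    head, sep, body = line.partition("kernel: ")
    if not sep:
        return None
    rec, flags = {}, set()
    for tok in body.split():
        key, eq, val = tok.partition("=")
        if eq:                      # e.g. SRC=64.66.170.95, OUT= (empty)
            rec[key] = val
        elif tok in TCP_FLAGS:      # bare flag tokens; DF and prefix words ignored
            flags.add(tok)
    rec["FLAGS"] = flags
    rec["TS"] = head[:15]           # "Jan 24 11:00:12"
    return rec


def classify(rec):
    """late-rst: RST from a server port, no SYN, i.e. the tail of a
    conversation the firewall has already forgotten (safe to ignore).
    new-connection-attempt: a bare SYN, which deserves a real look."""
    if rec.get("PROTO") != "TCP":
        return "non-tcp"
    flags = rec["FLAGS"]
    if "RST" in flags and "SYN" not in flags and int(rec.get("SPT", 0)) in SERVICE_PORTS:
        return "late-rst"
    if flags == {"SYN"}:
        return "new-connection-attempt"
    return "other"


def triage(log_text):
    """Count each category over a block of log text."""
    recs = (parse_line(l) for l in log_text.splitlines())
    return Counter(classify(r) for r in recs if r is not None)
```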