[CS-FSLUG] Firewall fights

Tim Young Tim.Young at LightSys.org
Wed Jan 25 10:30:35 CST 2006



Ed Hurst wrote:

>Tim Young wrote:
>  
>
>>I could translate what you are saying a few ways, so before I 
>>make a fool of myself answering with what I suspect, I thought I would 
>>verify I have read your email correctly.
>>    
>>
>
>Sure. I'm quite certain I make a fool of myself to some degree in this 
>whole thread, and I've gotten used to it :-)
>
>  
>
Well, mainly it was more of my not wanting to type up 15 minutes of an 
email if it turned out that I was totally off the mark.  But I was 
correct in how I read what you were saying.

>This is a sample from the Quicktables script I posted earlier;
>
>Jan 24 11:00:12 krunch kernel: tcp connection: IN=lan0 OUT= 
>MAC=00:40:2b:38:4d:21:00:12:88:8d:2a:71:08:00 SRC=64.66.170.95 
>DST=192.168.1.65 LEN=40 TOS=0x00 PREC=0x00 TTL=255 ID=8 DF PROTO=TCP 
>SPT=80 DPT=43456 WINDOW=0 RES=0x00 ACK RST URGP=0
>
>The website I visited is sending me an "ack rst" and these appear 
>unanimously blocked. During such blockage, service was a bit slower than 
>normal for this machine only.
>  
>

I have heard this explained to me.  Sadly, I have forgotten what the 
"answer" was.  But here is what I have.  The guy who explained it to me 
is out of touch at the moment so it will take another week before I can 
get the rest of the answer.

The ACK RST is a strange packet.  The packet basically says, "I 
acknowledge that you have just closed my connection."  In TCP, the SYN 
packets are the start of a conversation, ACK packets are 
acknowledgements of things going on, and a RST is a termination packet.

During a TCP conversation, the firewall tracks it through a table in the 
NAT area of the kernel.  It knows every conversation going, and tracks 
which computer originated the conversation behind the natted interface. 
Your client has sent a RST packet to the server.  Your firewall has seen 
the RST flow by, and says to itself, "This conversation is over" and it 
shuts down the NAT table for that conversation (this is a good thing).  
When the server receives the RST, it decides to get the last laugh in, 
and responds with an extra acknowledgement, an "ACK-RST"  (I acknowledge 
your "Reset").  By the time that final packet gets to your firewall, the 
firewall has shut down the conversation trail, and it treats that packet 
as if it were a new conversation of its own.

There is something you can do about it.  But I forget what.  It may be 
that you keep the conversation trail open for a brief second after it 
has stopped, or there is a special flag in the kernel for it...  
Actually, it might have been a kernel upgrade that solved the problem.

If it is worth it, I can get the answer in a week.  But, if nothing 
else, you can safely ignore the ACK-RST for now.

    - Tim Young
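As an added illustration that is not part of the thread, here is a small Python parser for netfilter log lines like the one Ed quoted, pulling out the TCP flag tokens so a late ACK/RST from a torn-down flow can be told apart from an unsolicited SYN; the second sample line, the category names and the summarize() helper are constructed for this example.

```python
# Constructed sample: line 1 is modelled on the log line quoted in the thread,
# line 2 is a made-up inbound SYN to port 22 from a documentation-range address.
SAMPLE_LOG = """\
Jan 24 11:00:12 krunch kernel: tcp connection: IN=lan0 OUT= MAC=00:40:2b:38:4d:21:00:12:88:8d:2a:71:08:00 SRC=64.66.170.95 DST=192.168.1.65 LEN=40 TOS=0x00 PREC=0x00 TTL=255 ID=8 DF PROTO=TCP SPT=80 DPT=43456 WINDOW=0 RES=0x00 ACK RST URGP=0
Jan 24 11:02:40 krunch kernel: tcp connection: IN=lan0 OUT= MAC=00:40:2b:38:4d:21:00:12:88:8d:2a:71:08:00 SRC=203.0.113.9 DST=192.168.1.65 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=1234 DF PROTO=TCP SPT=40122 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0"""

# Bare tokens the kernel emits for set TCP flags (DF is an IP flag, deliberately excluded).
TCP_FLAGS = {"SYN", "ACK", "FIN", "RST", "PSH", "URG"}

def parse_netfilter_line(line):
    """Split a netfilter kernel log line into KEY=VALUE fields plus a FLAGS set."""
    body = line.split("kernel:", 1)[1]
    tokens = body.split()
    # The rule's log prefix ("tcp connection:") precedes the first IN= token.
    start = next(i for i, t in enumerate(tokens) if t.startswith("IN="))
    fields = {"PREFIX": " ".join(tokens[:start])}
    flags = set()
    for tok in tokens[start:]:
        if "=" in tok:
            key, _, value = tok.partition("=")   # OUT= yields an empty value
            fields[key] = value
        elif tok in TCP_FLAGS:
            flags.add(tok)
    fields["FLAGS"] = flags
    return fields

def classify(pkt):
    """Label a dropped TCP packet using the reasoning given in the thread."""
    if pkt.get("PROTO") != "TCP":
        return "non-tcp"
    flags = pkt["FLAGS"]
    if "SYN" in flags and "ACK" not in flags:
        return "new-connection-attempt"   # unsolicited SYN: worth looking at
    if "RST" in flags and "SYN" not in flags:
        # RST (here ACK RST from SPT=80) arriving after the conntrack entry
        # for the flow was already torn down: the harmless case Tim describes.
        return "rst-to-closed-flow"
    return "other-stray-packet"

def summarize(log_text):
    """Count dropped packets per category so the noise is visible at a glance."""
    counts = {}
    for line in log_text.splitlines():
        label = classify(parse_netfilter_line(line))
        counts[label] = counts.get(label, 0) + 1
    return counts
```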