on 2006-03-30 at 12:25, Vladimir Zolotykh wrote:
> Hi
>
> I'm new both to this mailing list and firewalls.
>
> I set up a simple firewall and SNAT using iptables. All works fine
> except that sometimes I see the following in the /var/log/syslog
>
> Mar 30 08:54:23 dobby kernel: New not syn:IN= OUT=eth1 SRC=314.12.142.106 \
> DST=314.12.128.3 LEN=65 TOS=0x00 PREC=0x00 TTL=64 ID=60918 DF PROTO=TCP \
> SPT=32804 DPT=119 WINDOW=31856 RES=0x00 ACK PSH FIN URGP=0
>
> Could you please tell me what might be the probable reason for these
> messages? The actual rule that produces them is
>
> iptables -A bad_tcp_packets -p tcp ! --syn -m state --state NEW -j LOG \
> --log-prefix "New not syn:"
> iptables -A bad_tcp_packets -p tcp ! --syn -m state --state NEW -j DROP
New not syn means that from the iptables firewall's view, this is the first packet received in a NEW tcp session. All tcp sessions should start with a syn packet, but for some reason, the syn packet for this connection was not received. Lots of reasons like dropped packet somewhere, asynchronous routing, out of order packets, flushing and restarting the firewall in the middle of a tcp session, etc.

If it's valid traffic, tcp will handle this itself. When the sender notices you haven't replied to the syn packet, it will send it again eventually.

-- phil
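Triage of these log lines is easier when the LOG output is parsed rather than eyeballed. The following is an added example, not code from the thread or from the iptables project: it parses syslog lines in the format shown above (KEY=VALUE fields plus bare flag words such as DF, ACK, PSH, FIN), reads the direction off IN=/OUT= (an empty IN= with OUT= set, as in the posted line, means the packet was generated on the firewall host itself, i.e. it traversed the OUTPUT chain), reproduces the iptables `--syn` semantics (SYN set with ACK, RST and FIN clear) so the `! --syn` match can be checked offline, and groups hits by flow so a burst from one connection (lost conntrack state, a restarted firewall) stands out from scattered stray packets. The companion log lines, the `parse_netfilter_log`, `direction`, `matches_not_syn` and `summarize` function names and the private/RFC 5737 addresses are constructed for the example.

```python
import re
from collections import Counter

# Bare words the netfilter LOG target emits for IP and TCP header flags.
IP_FLAG_NAMES = {"DF", "MF", "CE"}
TCP_FLAG_NAMES = {"CWR", "ECE", "URG", "ACK", "PSH", "RST", "SYN", "FIN"}

# The syslog line from the original message, rejoined onto one line.
# (The 314.x.x.x addresses are the poster's obfuscation, not valid IPv4.)
PAGE_LINE = (
    "Mar 30 08:54:23 dobby kernel: New not syn:IN= OUT=eth1 SRC=314.12.142.106 "
    "DST=314.12.128.3 LEN=65 TOS=0x00 PREC=0x00 TTL=64 ID=60918 DF PROTO=TCP "
    "SPT=32804 DPT=119 WINDOW=31856 RES=0x00 ACK PSH FIN URGP=0"
)

# Constructed companion lines (RFC 1918 / RFC 5737 addresses) so the summary
# has several entries to group; they are not from the thread.
SAMPLE_LOG = "\n".join([
    PAGE_LINE,
    "Mar 30 09:01:10 dobby kernel: New not syn:IN=eth0 OUT= "
    "MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=192.168.1.20 "
    "DST=192.168.1.1 LEN=52 TOS=0x00 PREC=0x00 TTL=128 ID=1234 DF PROTO=TCP "
    "SPT=49152 DPT=80 WINDOW=65535 RES=0x00 ACK URGP=0",
    "Mar 30 09:01:11 dobby kernel: New not syn:IN=eth0 OUT= "
    "MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=192.168.1.20 "
    "DST=192.168.1.1 LEN=52 TOS=0x00 PREC=0x00 TTL=128 ID=1235 DF PROTO=TCP "
    "SPT=49153 DPT=80 WINDOW=65535 RES=0x00 ACK URGP=0",
    "Mar 30 09:02:00 dobby kernel: Other rule:IN=eth0 OUT=eth1 SRC=192.168.1.30 "
    "DST=203.0.113.9 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=777 DF PROTO=TCP "
    "SPT=5555 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0",
])

# Everything between "kernel:" and the first "IN=" is the --log-prefix text.
_KERNEL_RE = re.compile(r"kernel:\s*(?P<prefix>.*?)(?=IN=)")


def parse_netfilter_log(line):
    """Parse one syslog line written by the iptables LOG target.

    Returns None for lines that are not LOG output; otherwise a dict with the
    log prefix, the KEY=VALUE fields and the bare IP/TCP flag words.
    """
    m = _KERNEL_RE.search(line)
    if m is None:
        return None
    fields, bare = {}, set()
    for tok in line[m.end():].split():
        if "=" in tok:
            key, value = tok.split("=", 1)
            fields[key] = value          # "OUT=" yields an empty string
        else:
            bare.add(tok)
    tcp_flags = bare & TCP_FLAG_NAMES if fields.get("PROTO") == "TCP" else set()
    return {"prefix": m.group("prefix"), "fields": fields,
            "ip_flags": bare & IP_FLAG_NAMES, "tcp_flags": tcp_flags}


def direction(entry):
    """Chain family inferred from IN=/OUT=: empty IN= means the packet was
    generated by this host (OUTPUT), empty OUT= means it was addressed to this
    host (INPUT), both set means it was being forwarded (FORWARD)."""
    has_in = bool(entry["fields"].get("IN"))
    has_out = bool(entry["fields"].get("OUT"))
    if has_in and has_out:
        return "forward"
    if has_in:
        return "input"
    return "output" if has_out else "unknown"


def matches_not_syn(entry):
    """Offline equivalent of '-p tcp ! --syn': iptables' --syn means SYN set
    with ACK, RST and FIN clear, so everything else (SYN+ACK included) matches
    the negated form."""
    if entry["fields"].get("PROTO") != "TCP":
        return False
    f = entry["tcp_flags"]
    syn_only = "SYN" in f and not (f & {"ACK", "RST", "FIN"})
    return not syn_only


def summarize(log_text, prefix="New not syn:"):
    """Count hits for one log prefix by direction, endpoints and flag set."""
    counts = Counter()
    for line in log_text.splitlines():
        entry = parse_netfilter_log(line)
        if entry is None or entry["prefix"] != prefix:
            continue
        f = entry["fields"]
        key = (direction(entry), f.get("SRC"), f.get("DST"), f.get("DPT"),
               " ".join(sorted(entry["tcp_flags"])))
        counts[key] += 1
    return counts


if __name__ == "__main__":
    for key, n in summarize(SAMPLE_LOG).most_common():
        print(n, key)
```

Run against the posted line, the parser reports direction "output" with flags ACK, PSH and FIN toward port 119: a packet the firewall host itself sent on an existing NNTP connection for which conntrack no longer held state, which is consistent with the state-flush and restart causes listed in the reply.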

