Re: outgoing SYN blocked even if it is allowed by ipf.rules

Wed, 25 Jul 2007 22:39:14 -0700 

El día Wednesday, July 25, 2007 a las 10:41:36AM -0700, Carson Gaspar escribió:

> Matthias Apitz wrote:
> 
> >Now my VC tries (for some reason which I don't understand as well) to
> >initiate a new TCP session here:
> >
> >13:30:08.499026 IP 10.0.1.40.2546 > xxx.xxx.xxx.xxx.3233: S 
> >49301289:49301289(0) ack 979701897 win 23360 <mss 536>
> 
> No, it doesn't. That's a SYN+ACK, not a SYN. You haven't shown us the 
> SYN packet.

Hello Carson,

Thanks for pointing that out; I did not realized the 'ack' flag and was
only focused on the 'S'; it is now clear why the pkg can not pass the
IPF firewall;

but it remains a question; I collected all the traffic for the IP
10.0.1.40 and this is what was captured:

13:30:07.989088 IP xxx.xxx.xxx.xxx.3232 > 10.0.1.40.1720: S 
356680283:356680283(0) win 8192 <mss 1460>
13:30:07.994005 IP 10.0.1.40.1720 > xxx.xxx.xxx.xxx.3232: S 
85446234:85446234(0) ack 356680284 win 23360 <mss 536>
13:30:08.153383 IP xxx.xxx.xxx.xxx.3232 > 10.0.1.40.1720: . ack 1 win 8192
13:30:08.153391 IP xxx.xxx.xxx.xxx.3232 > 10.0.1.40.1720: P 1:5(4) ack 1 win 
8192
13:30:08.154131 IP xxx.xxx.xxx.xxx.3232 > 10.0.1.40.1720: P 5:222(217) ack 1 
win 8192
13:30:08.182341 IP 10.0.1.40.1720 > xxx.xxx.xxx.xxx.3232: P 1:104(103) ack 222 
win 23139
13:30:08.320937 IP 10.0.1.40.1720 > xxx.xxx.xxx.xxx.3232: P 104:242(138) ack 
222 win 23139
13:30:08.346463 IP xxx.xxx.xxx.xxx.3232 > 10.0.1.40.1720: . ack 104 win 8093
13:30:08.494931 IP xxx.xxx.xxx.xxx.3232 > 10.0.1.40.1720: . ack 242 win 8058
13:30:08.499026 IP 10.0.1.40.2546 > xxx.xxx.xxx.xxx.3233: S 
49301289:49301289(0) ack 979701897 win 23360 <mss 536>
        ...

Why 10.0.1.40 sends out a SYN to the remote side having 'ack' turned on
and having set the destination port to n+1 of the source port of the
established connection? Do you have an idea about?

Thanks again for your help.

        matthias
-- 
Matthias Apitz
Manager Technical Support - OCLC PICA GmbH
Gruenwalder Weg 28g - 82041 Oberhaching - Germany
t +49-89-61308 351 - f +49-89-61308 399 - m +49-170-4527211
e <[EMAIL PROTECTED]> - w http://www.oclcpica.org/ http://www.UnixArea.de/
b http://gurucubano.blogspot.com/
OCLC PICA GmbH, Geschaeftsfuehrer: Christine Magin-Weeger, Norbert Weinberger
Sitz der Gesellschaft: Oberhaching, HRB Muenchen: 113261

Reply via email to