I use a stateful firewall with things like:

iptables --append INPUT -m state --state ESTABLISHED --jump ACCEPT

and a 'catch all' rule at the end which blocks everything. That rule often logs entries like:

Apr 4 11:47:14 soyouz kernel: Genice rule IN= OUT=eth0 SRC=80.67.162.6 DST=80.67.172.32 LEN=69 TOS=0x00 PREC=0x00 TTL=64 ID=2940 PROTO=TCP SPT=25 DPT=1030 WINDOW=5840 RES=0x00 ACK PSH FIN URGP=0

which are legitimate (80.67.162.6 is the mail server, it can send mail everywhere). I assume they are actually duplicated packets (see the FIN, which means they are end packets), travelling too long and arriving after connection tracking deleted the TCP session information. So, no big deal, the mail server appears to work fine.

1) How can I be sure of that?

2) Are there some parameters I could change to alter that behavior (increasing timeouts, for instance)? I found nothing on www.netfilter.org, nor in $kernel/net/ipv4/netfilter/ip_conntrack_core.c.

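As an added example (not part of the question above), a small triage script that parses netfilter LOG-target lines like the one quoted and separates stateless stragglers (ACK/FIN/RST without SYN, i.e. segments whose conntrack entry was never created or already expired) from genuinely blocked connection attempts (bare SYN); it also reads the conntrack TCP timeout tunables if they exist on the host. The two extra log lines and the 203.0.113.9/198.51.100.4 addresses are constructed for contrast.

```python
import re
from pathlib import Path

# Constructed sample: the question's line plus two made-up lines for contrast.
SAMPLE_LOG = """\
Apr 4 11:47:14 soyouz kernel: Genice rule IN= OUT=eth0 SRC=80.67.162.6 DST=80.67.172.32 LEN=69 TOS=0x00 PREC=0x00 TTL=64 ID=2940 PROTO=TCP SPT=25 DPT=1030 WINDOW=5840 RES=0x00 ACK PSH FIN URGP=0
Apr 4 11:52:03 soyouz kernel: Genice rule IN=eth0 OUT= SRC=203.0.113.9 DST=80.67.162.6 LEN=60 TOS=0x00 PREC=0x00 TTL=49 ID=100 PROTO=TCP SPT=44321 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0
Apr 4 11:53:10 soyouz kernel: Genice rule IN=eth0 OUT= SRC=198.51.100.4 DST=80.67.162.6 LEN=40 TOS=0x00 PREC=0x00 TTL=60 ID=7 PROTO=TCP SPT=25 DPT=51000 WINDOW=0 RES=0x00 ACK RST URGP=0
"""

TCP_FLAGS = {"SYN", "ACK", "FIN", "RST", "PSH", "URG"}

# Newer nf_conntrack sysctl names and the older ip_conntrack names; only those present are read.
CONNTRACK_TUNABLES = [
    "/proc/sys/net/netfilter/nf_conntrack_tcp_timeout_time_wait",
    "/proc/sys/net/netfilter/nf_conntrack_tcp_timeout_fin_wait",
    "/proc/sys/net/netfilter/nf_conntrack_tcp_timeout_close_wait",
    "/proc/sys/net/netfilter/nf_conntrack_tcp_be_liberal",
    "/proc/sys/net/ipv4/netfilter/ip_conntrack_tcp_timeout_time_wait",
    "/proc/sys/net/ipv4/netfilter/ip_conntrack_tcp_be_liberal",
]

def parse_netfilter_log(line):
    """Turn one LOG-target line into a dict of KEY=VALUE fields plus a 'FLAGS' set."""
    fields = dict(re.findall(r"\b([A-Z]+)=(\S*)", line))
    fields["FLAGS"] = {tok for tok in line.split() if tok in TCP_FLAGS}
    return fields

def classify(fields):
    """Say why a TCP packet reached the catch-all rule, judging by its flags."""
    if fields.get("PROTO") != "TCP":
        return "non-tcp"
    flags = fields["FLAGS"]
    if "SYN" in flags and "ACK" not in flags:
        return "new-connection-blocked"   # a real blocked attempt, not a conntrack leftover
    if flags & {"ACK", "FIN", "RST"}:
        return "stray-stateless"          # mid/end-of-stream segment with no conntrack entry
    return "other"

def triage(log_text):
    """Count classes and list stray segments that left via OUT= (sent by our own hosts)."""
    counts, outbound_strays = {}, []
    for line in log_text.splitlines():
        if "PROTO=" not in line:
            continue
        f = parse_netfilter_log(line)
        kind = classify(f)
        counts[kind] = counts.get(kind, 0) + 1
        if kind == "stray-stateless" and f.get("OUT") and not f.get("IN"):
            outbound_strays.append((f["SRC"], f["SPT"], f["DST"], f["DPT"], sorted(f["FLAGS"])))
    return counts, outbound_strays

def conntrack_timeouts():
    """Current values (seconds, or 0/1 for be_liberal) of the tunables present on this host."""
    return {p.rsplit("/", 1)[1]: int(Path(p).read_text()) for p in CONNTRACK_TUNABLES if Path(p).exists()}
```

If most hits are outbound strays from the mail server's port 25 while the conntrack TIME_WAIT/FIN_WAIT timeouts are short, that supports the late-FIN explanation; a high count of bare SYNs would not.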