This is a cross pf/iptables problem:

These are logs from Linux servers with iptables; I started getting them
after I added an OpenBSD firewall (transparent bridge) to protect those
servers (DMZ):

INVALID: IN=eth0 OUT= MAC=<protected> SRC=<client ip> DST=<my server ip>
LEN=56 TOS=0x00 PREC=0x00 TTL=57 ID=60965 PROTO=ICMP TYPE=3 CODE=1 [SRC=<my
server ip> DST=<client gw> LEN=40 TOS=0x00 PREC=0x00 TTL=57 ID=41195 DF
PROTO=TCP INCOMPLETE [8 bytes] ]

INVALID: IN=eth0 OUT= MAC=<protected> SRC=<client ip> DST=<my server ip>
LEN=56 TOS=0x00 PREC=0x00 TTL=248 ID=7106 PROTO=ICMP TYPE=11 CODE=0 [SRC=<my
server ip> DST=<client gw> LEN=40 TOS=0x00 PREC=0x00 TTL=1 ID=30431 DF
PROTO=TCP INCOMPLETE [8 bytes] ]

Everything seems to work OK, but I don't understand those messages. What
causes them? The number of those messages is high enough to suggest that
the traffic in question is in fact all "legal", but somehow screwed up by my
pf firewall.


These are the rules in my OpenBSD 3.4 transparent bridge:
------------------------
server = "123.123.123.123"
server_tcp = "{ 22, 80, 443 }"

# Scrub (normalize) packets
scrub in on $ext_if all
scrub out on $ext_if all random-id

# Allow all on internal
pass  quick on $int_if all

# Block and log all on external (default policy)
block log on $ext_if all

# Allow traffic out
pass  out quick on $ext_if proto icmp from any to any keep state
pass  out quick on $ext_if proto udp from any to any keep state
pass  out quick on $ext_if proto tcp from any to any modulate state

# Allow traffic to server
pass  in quick on $ext_if proto tcp from any to $server port $server_tcp \
        flags S/SA modulate state
------------------------


These are the rules on my Linux webserver (iptables) that produce those
messages:
------------------------
### LOG and DROP invalid packets:
$IPT -A FLAGS -m state --state INVALID -m limit --limit 5/minute \
     -j LOG --log-level debug --log-prefix "INVALID: "
$IPT -A FLAGS -m state --state INVALID -j DROP

------------------------

Best regards,

++Toni
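The iptables LOG lines quoted above, as an added example that is not part of the original post: a small Python parser that pulls apart the outer ICMP header and the quoted original packet (the part between [ ... ]), names the ICMP error, and compares the quoted (src, dst, proto) tuple against flows the server knows about, which is roughly the lookup conntrack performs when it decides whether an ICMP error is RELATED or INVALID. The sample lines, addresses and known-flow set are constructed for the example.

```python
import re

# Constructed sample lines in the iptables LOG format quoted above; the
# redacted addresses are replaced with RFC 5737 documentation addresses.
SAMPLE_LOGS = [
    "INVALID: IN=eth0 OUT= MAC=00:00:00:00:00:00 SRC=198.51.100.7 DST=203.0.113.10 "
    "LEN=56 TOS=0x00 PREC=0x00 TTL=57 ID=60965 PROTO=ICMP TYPE=3 CODE=1 "
    "[SRC=203.0.113.10 DST=198.51.100.1 LEN=40 TOS=0x00 PREC=0x00 TTL=57 ID=41195 DF "
    "PROTO=TCP INCOMPLETE [8 bytes] ]",
    "INVALID: IN=eth0 OUT= MAC=00:00:00:00:00:00 SRC=198.51.100.7 DST=203.0.113.10 "
    "LEN=56 TOS=0x00 PREC=0x00 TTL=248 ID=7106 PROTO=ICMP TYPE=11 CODE=0 "
    "[SRC=203.0.113.10 DST=198.51.100.1 LEN=40 TOS=0x00 PREC=0x00 TTL=1 ID=30431 DF "
    "PROTO=TCP INCOMPLETE [8 bytes] ]",
]

ICMP_ERRORS = {(3, 1): "host unreachable", (11, 0): "TTL exceeded in transit"}
KV = re.compile(r"([A-Z]+)=(\S*)")                 # KEY=value fields
FLAG = re.compile(r"(?<![=\w])([A-Z]+)(?![=\w])")   # bare flags such as DF
INCOMPLETE = re.compile(r"INCOMPLETE \[(\d+) bytes\]")

def parse_log_line(line: str) -> dict:
    """Split a LOG line into prefix, outer fields and the [ ... ] quoted inner header."""
    prefix, _, rest = line.partition(": ")
    outer_text, bracket, inner_text = rest.partition("[")
    rec = {"prefix": prefix, "outer": dict(KV.findall(outer_text)),
           "inner": {}, "inner_flags": set(), "incomplete_bytes": None}
    if bracket:
        m = INCOMPLETE.search(inner_text)
        if m:  # only the first N bytes of the transport header were quoted
            rec["incomplete_bytes"] = int(m.group(1))
            inner_text = inner_text[:m.start()]
        rec["inner"] = dict(KV.findall(inner_text))
        rec["inner_flags"] = set(FLAG.findall(inner_text))
    return rec

def describe(rec: dict) -> str:
    """One triage line: which ICMP error, from whom, about which of our packets."""
    o, i = rec["outer"], rec["inner"]
    if o.get("PROTO") != "ICMP" or not i:
        return f"{rec['prefix']}: non-ICMP-error packet from {o.get('SRC')}"
    kind = ICMP_ERRORS.get((int(o["TYPE"]), int(o["CODE"])), "other ICMP error")
    return (f"{kind} from {o['SRC']} about our {i.get('PROTO')} packet "
            f"{i['SRC']} -> {i['DST']} (inner TTL {i.get('TTL')}, "
            f"{rec['incomplete_bytes']} bytes of transport header quoted)")

def matches_known_flow(rec: dict, flows: set) -> bool:
    """Rough version of conntrack's ICMP-error lookup (RELATED if the quoted packet
    belongs to a tracked flow, else INVALID); no ports in LOG, so compare IPs+proto."""
    i = rec["inner"]
    return bool(i) and (i.get("SRC"), i.get("DST"), i.get("PROTY")) in flows if False else \
        bool(i) and (i.get("SRC"), i.get("DST"), i.get("PROTO")) in flows
```

Run `describe(parse_log_line(l))` over your own log lines; an error whose quoted packet matches no flow the server has is exactly what conntrack flags as INVALID.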
