On Thu, 2018-09-06 at 20:11 +0100, Tom Eastep wrote:

> I suspect that is exactly what they are. Their logging was previously
> suppressed by the NotSyn action invoked out of the Drop action.
The NotSyn action did not take into account current (or recent) TCP connections though, did it? Was it just dropping these sorts of packets arbitrarily, and would it drop them even if they were sent randomly, unassociated with any (prior) existing TCP session?

It seems what is needed here is a tunable/option to iptables' conntrack module to maintain the state of closed TCP sessions around for "a while" to eat up these kinds of laggard packets. Does that seem reasonable, albeit beyond the scope of Shorewall, strictly speaking? An RFE for iptables, to be clear.

Cheers,
b.
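To test the hypothesis in this thread on real firewall logs, an added triage script (not from the list or the Shorewall project) that splits dropped non-SYN TCP packets into tails of recently closed sessions versus packets with no matching session. The log lines and the set of recently closed 4-tuples are constructed here; in practice the tuples would come from `conntrack -L` or your own connection logging.

```python
import re

# Constructed sample lines in the kernel LOG-target format Shorewall's DROP rules emit.
SAMPLE_LOG = """\
Sep  6 20:11:03 fw kernel: Shorewall:net-fw:DROP:IN=eth0 OUT= SRC=203.0.113.5 DST=198.51.100.2 LEN=52 PROTO=TCP SPT=443 DPT=51234 WINDOW=0 RES=0x00 ACK FIN URGP=0
Sep  6 20:11:04 fw kernel: Shorewall:net-fw:DROP:IN=eth0 OUT= SRC=203.0.113.5 DST=198.51.100.2 LEN=40 PROTO=TCP SPT=443 DPT=51234 WINDOW=0 RES=0x00 ACK URGP=0
Sep  6 20:11:09 fw kernel: Shorewall:net-fw:DROP:IN=eth0 OUT= SRC=192.0.2.77 DST=198.51.100.2 LEN=40 PROTO=TCP SPT=6000 DPT=22 WINDOW=1024 RES=0x00 ACK URGP=0
Sep  6 20:11:10 fw kernel: Shorewall:net-fw:DROP:IN=eth0 OUT= SRC=192.0.2.77 DST=198.51.100.2 LEN=40 PROTO=TCP SPT=6001 DPT=22 WINDOW=1024 RES=0x00 SYN URGP=0
"""

# Constructed stand-in for what conntrack knew shortly before the log window:
# (remote addr, remote port, local addr, local port) of TCP sessions that just closed.
RECENTLY_CLOSED = {("203.0.113.5", 443, "198.51.100.2", 51234)}

TCP_FLAGS = {"SYN", "ACK", "FIN", "RST", "PSH", "URG"}
KV = re.compile(r"(\w+)=(\S*)")  # key=value fields; OUT= may legitimately be empty


def parse(line):
    """Return (src, sport, dst, dport, flags) for a TCP log line, else None."""
    fields = dict(KV.findall(line))
    if fields.get("PROTO") != "TCP":
        return None
    # TCP flags are bare tokens (e.g. "ACK FIN"), unlike the key=value fields.
    flags = {tok for tok in line.split() if tok in TCP_FLAGS}
    return fields["SRC"], int(fields["SPT"]), fields["DST"], int(fields["DPT"]), flags


def classify(line, closed):
    parsed = parse(line)
    if parsed is None:
        return "non-tcp"
    src, spt, dst, dpt, flags = parsed
    if "SYN" in flags:
        return "syn"  # a connection attempt; NotSyn does not apply to it
    if (src, spt, dst, dpt) in closed:
        return "laggard"  # tail of a session conntrack has already forgotten
    return "unsolicited"  # non-SYN packet with no session we ever saw


def triage(log, closed):
    """Count verdicts over a block of log text."""
    counts = {}
    for line in log.splitlines():
        verdict = classify(line, closed)
        counts[verdict] = counts.get(verdict, 0) + 1
    return counts
```

A high laggard count supports lengthening the conntrack close/time-wait timeouts; a high unsolicited count points at scanning or spoofed traffic that a longer timeout would not absorb.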
Shorewall-users mailing list
Shorewall-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shorewall-users