[Firehol-support] FIREHOL_DROP_ORPHAN_TCP_ACK_FIN
Costa Tsaousis
costa at tsaousis.gr
Sat Dec 1 01:20:03 GMT 2007
Daniel Goering wrote:
> Hi,
>
> I use FireHOL 1.250
>
> recently I added the line
>
> FIREHOL_DROP_ORPHAN_TCP_ACK_FIN=1
>
> to my config to reduce the log output. The flag causes a lot of rules to
> be generated like the following one
>
> DROP tcp -- * * 0.0.0.0/0 0.0.0.0/0 state NEW tcp flags:0x3F/0x11
>
> but these rules don't seem to work. All of them have a package count of
> 0 and I still see a lot of output in my logfiles like
>
> PASS-unknown:IN=eth0 OUT=ppp0 SRC=xxx.xxx.xxx.xxx DST=yyy.yyy.yyy.yyy LEN=40 TOS=0x00 PREC=0x00 TTL=63 ID=45340 DF PROTO=TCP SPT=XXX DPT=YYY WINDOW=16296 RES=0x00 ACK FIN URGP=0
>
> Is there something wrong with my configuration or with the way FireHOL
> checks for ACK FIN?
>
> Cheers
> Daniel
>
>
Daniel,
Probably the connection tracker has not marked these packets with state NEW.
Which kernel version are you running?
I cannot test this, but maybe you can:
1. If you can edit your firehol, there are 3 blocks of code like the
following (just search for FIREHOL_DROP_ORPHAN_TCP_ACK_FIN and you will
find them):
	if [ "${FIREHOL_DROP_ORPHAN_TCP_ACK_FIN}" = "1" ]
	then
		# Silently drop orphan TCP/ACK FIN packets
		rule chain "in_${work_name}" state NEW proto tcp custom "--tcp-flags ALL ACK,FIN" action DROP || return 1
		rule reverse chain "out_${work_name}" state NEW proto tcp custom "--tcp-flags ALL ACK,FIN" action DROP || return 1
	fi
You will find them in the functions: close_interface(), close_router()
and close_master().
Note that the above code is an example. The 3 blocks are not the same
as each other (so don't copy the above or anything between them).
Just delete the words "state NEW" from all the rules inside these blocks
(don't change anything else).
Restart firehol and see if there will be any logs with FIN,ACK.
2. If you cannot modify firehol, I can modify the latest CVS version and
send it to you to test it.
Please report if this solves the problem.
Costa
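The following script is an added example and is not part of this thread or of FireHOL itself. It does two things a reader checking Costa's suggestion would want: it translates an iptables "--tcp-flags MASK COMP" argument into the numeric pair that `iptables -L` prints (so you can confirm that "ALL ACK,FIN" is exactly the "flags:0x3F/0x11" rule Daniel listed), and it parses netfilter LOG lines of the format shown above to count how many logged packets carry exactly ACK and FIN, per log prefix, before and after the "state NEW" change. The log lines, IP addresses and ports in SAMPLE_LOG are constructed for the example.

```python
import re
from collections import Counter

# Bit values netfilter uses for the six classic TCP flags; "ALL" is all six.
TCP_FLAG_BITS = {"FIN": 0x01, "SYN": 0x02, "RST": 0x04,
                 "PSH": 0x08, "ACK": 0x10, "URG": 0x20}
ALL_MASK = sum(TCP_FLAG_BITS.values())  # 0x3F


def tcp_flags_spec(mask, comp):
    """Translate an iptables '--tcp-flags MASK COMP' argument (flag names as
    comma-separated strings, e.g. 'ALL' and 'ACK,FIN') into the numeric pair
    that `iptables -L` prints as 'flags:0xMASK/0xCOMP'."""
    def bits(spec):
        if spec == "ALL":
            return ALL_MASK
        if spec == "NONE":
            return 0
        return sum(TCP_FLAG_BITS[name] for name in spec.split(","))
    return bits(mask), bits(comp)


def parse_netfilter_log(line):
    """Parse one netfilter LOG line into its log prefix, KEY=VALUE fields and
    the set of TCP flag tokens (ACK, FIN, ...), which netfilter prints bare."""
    start = line.find("IN=")
    if start < 0:
        raise ValueError("not a netfilter LOG line: %r" % line)
    prefix = line[:start].rstrip(": ")
    fields, bare = {}, set()
    for token in line[start:].split():
        if "=" in token:
            key, value = token.split("=", 1)
            fields[key] = value
        else:
            bare.add(token)  # DF, ACK, FIN, SYN ... carry no '='
    return {"prefix": prefix, "fields": fields,
            "tcp_flags": bare & set(TCP_FLAG_BITS)}


def is_orphan_ack_fin(entry):
    """True when the packet is TCP with exactly ACK and FIN set, i.e. what
    '--tcp-flags ALL ACK,FIN' matches (PSH,ACK,FIN would not match)."""
    return (entry["fields"].get("PROTO") == "TCP"
            and entry["tcp_flags"] == {"ACK", "FIN"})


def summarize(lines):
    """Count logged packets per log prefix, split into orphan ACK/FIN and other."""
    counts = Counter()
    for line in lines:
        entry = parse_netfilter_log(line)
        kind = "ack_fin" if is_orphan_ack_fin(entry) else "other"
        counts[(entry["prefix"], kind)] += 1
    return counts


# Constructed sample log lines (documentation addresses, made-up ports/IDs).
SAMPLE_LOG = [
    "PASS-unknown:IN=eth0 OUT=ppp0 SRC=192.0.2.10 DST=198.51.100.7 LEN=40 "
    "TOS=0x00 PREC=0x00 TTL=63 ID=45340 DF PROTO=TCP SPT=443 DPT=51234 "
    "WINDOW=16296 RES=0x00 ACK FIN URGP=0",
    "PASS-unknown:IN=eth0 OUT=ppp0 SRC=192.0.2.11 DST=198.51.100.7 LEN=40 "
    "TOS=0x00 PREC=0x00 TTL=63 ID=45341 DF PROTO=TCP SPT=80 DPT=51235 "
    "WINDOW=16296 RES=0x00 ACK FIN URGP=0",
    "PASS-unknown:IN=eth0 OUT=ppp0 SRC=192.0.2.12 DST=198.51.100.7 LEN=52 "
    "TOS=0x00 PREC=0x00 TTL=63 ID=45342 DF PROTO=TCP SPT=80 DPT=51236 "
    "WINDOW=16296 RES=0x00 ACK PSH FIN URGP=0",
    "IN-unknown:IN=ppp0 OUT= SRC=203.0.113.5 DST=198.51.100.7 LEN=78 "
    "TOS=0x00 PREC=0x00 TTL=52 ID=1 DF PROTO=UDP SPT=53 DPT=40000 LEN=58",
]

if __name__ == "__main__":
    mask, comp = tcp_flags_spec("ALL", "ACK,FIN")
    print("--tcp-flags ALL ACK,FIN  ->  flags:0x%02X/0x%02X" % (mask, comp))
    for (prefix, kind), n in sorted(summarize(SAMPLE_LOG).items()):
        print("%-14s %-8s %d" % (prefix, kind, n))
```

Run it over `grep 'PROTO=TCP' /var/log/messages` style output (after stripping the syslog timestamp, or leave it in; anything before "IN=" becomes part of the prefix) before and after removing "state NEW", and compare the ack_fin counts for the PASS-unknown prefix. If the count stays unchanged while the rule's packet counter in `iptables -L -v` stays at 0, the packets are not reaching the rule with the expected state, which is what Costa's reply suspects.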