[Firehol-support] Strange problem...

Sim simvirus at gmail.com
Mon Dec 15 09:18:46 CET 2008


>
> Although I suggest to google a bit for it for a better explanation, keep in
> mind that I have never encountered a single case where the iptables
> connection tracker did wrong.
>
> Costa
>

Hi Costa!
Thanks for your reply.

The application in question isn't opensource and I can't directly investigate.
I will try to contact the manufacturer.

I do not know if it is a similar problem, but I found this log on
another server (like the others, Ubuntu 8.04 Server with FireHOL):

Dec 14 17:06:22 lan kernel: [353715.165114] 'PASS-unknown:'IN=eth1
OUT=ppp0 SRC=192.168.0.200 DST=72.32.64.173 LEN=40 TOS=0x00 PREC=0x00
TTL=127 ID=27356 DF PFIN URGP=0
Dec 14 17:06:39 lan kernel: [353732.093909] 'PASS-unknown:'IN=eth1
OUT=ppp0 SRC=192.168.0.200 DST=72.32.64.173 LEN=40 TOS=0x00 PREC=0x00
TTL=127 ID=27585 DF PFIN URGP=0
Dec 14 17:07:13 lan kernel: [353765.624012] 'PASS-unknown:'IN=eth1
OUT=ppp0 SRC=192.168.0.200 DST=72.32.64.173 LEN=40 TOS=0x00 PREC=0x00
TTL=127 ID=27652 DF PFIN URGP=0
Dec 14 17:20:20 lan kernel: [354552.107523] 'PASS-unknown:'IN=eth1
OUT=ppp0 SRC=192.168.0.200 DST=72.32.64.173 LEN=40 TOS=0x00 PREC=0x00
TTL=127 ID=32555 DF PFIN URGP=0
[..]
Dec 15 08:39:46 lan kernel: [409639.042216] 'PASS-unknown:'IN=eth1
OUT=ppp0 SRC=192.168.0.200 DST=72.32.64.169 LEN=40 TOS=0x00 PREC=0x00
TTL=127 ID=64142 DF PROTO=TCP SPT=52298 DPT=80 WINDOW=64860 RES=0x00
ACK FIN URGP=0
Dec 15 08:42:23 lan kernel: [409796.142377] 'PASS-unknown:'IN=eth1
OUT=ppp0 SRC=192.168.0.67 DST=209.85.143.99 LEN=40 TOS=0x00 PREC=0x00
TTL=127 ID=1641 DF PROTO=TCP SPT=49211 DPT=443 WINDOW=0 RES=0x00 ACK
RST URGP=0
Dec 15 08:42:23 lan kernel: [409796.142524] 'PASS-unknown:'IN=eth1
OUT=ppp0 SRC=192.168.0.67 DST=209.85.143.99 LEN=40 TOS=0x00 PREC=0x00
TTL=127 ID=1642 DF PROTO=TCP SPT=49209 DPT=443 WINDOW=0 RES=0x00 ACK
RST URGP=0
Dec 15 08:43:31 lan kernel: [409863.862562] 'PASS-unknown:'IN=eth1
OUT=ppp0 SRC=192.168.0.67 DST=66.249.91.104 LEN=40 TOS=0x00 PREC=0x00
TTL=127 ID=1645 DF PROTO=TCP SPT=49213 DPT=80 WINDOW=16445 RES=0x00
ACK FIN URGP=0
Dec 15 08:43:31 lan kernel: [409864.153426] 'PASS-unknown:'IN=eth1
OUT=ppp0 SRC=192.168.0.67 DST=66.249.91.104 LEN=40 TOS=0x00 PREC=0x00
TTL=127 ID=1650 DF PROTO=TCP SPT=49213 DPT=80 WINDOW=16445 RES=0x00
ACK FIN URGP=0
Dec 15 08:43:32 lan kernel: [409864.760979] 'PASS-unknown:'IN=eth1
OUT=ppp0 SRC=192.168.0.67 DST=66.249.91.104 LEN=40 TOS=0x00 PREC=0x00
TTL=127 ID=1651 DF PROTO=TCP SPT=49213 DPT=80 WINDOW=16445 RES=0x00
ACK FIN URGP=0
Dec 15 08:43:33 lan kernel: [409865.960479] 'PASS-unknown:'IN=eth1
OUT=ppp0 SRC=192.168.0.67 DST=66.249.91.104 LEN=40 TOS=0x00 PREC=0x00
TTL=127 ID=1652 DF PROTO=TCP SPT=49213 DPT=80 WINDOW=16445 RES=0x00
ACK FIN URGP=0
Dec 15 08:43:35 lan kernel: [409868.359507] 'PASS-unknown:'IN=eth1
OUT=ppp0 SRC=192.168.0.67 DST=66.249.91.104 LEN=40 TOS=0x00 PREC=0x00
TTL=127 ID=1653 DF PROTO=TCP SPT=49213 DPT=80 WINDOW=16445 RES=0x00
ACK FIN URGP=0
Dec 15 08:43:40 lan kernel: [409873.157524] 'PASS-unknown:'IN=eth1
OUT=ppp0 SRC=192.168.0.67 DST=66.249.91.104 LEN=40 TOS=0x00 PREC=0x00
TTL=127 ID=1654 DF PROTO=TCP SPT=49213 DPT=80 WINDOW=16445 RES=0x00
ACK FIN URGP=0
Dec 15 08:43:50 lan kernel: [409882.753625] 'PASS-unknown:'IN=eth1
OUT=ppp0 SRC=192.168.0.67 DST=66.249.91.104 LEN=40 TOS=0x00 PREC=0x00
TTL=127 ID=1656 DF PROTO=TCP SPT=49213 DPT=80 WINDOW=0 RES=0x00 ACK
RST URGP=0



This is the config:

####################################################################

ip_www="x.x.x.x" <- my static ip

snat to "${ip_www}" outface ppp+

interface ppp+ www2fw dst "${ip_www}"
        policy drop
        protection strong
        server ICMP accept
        server "ssh" accept
        client all accept

interface eth1 lan2fw src "192.168.0.0/24" dst "192.168.0.1"
        policy drop
        server "all" accept
        client all accept

router www2lan inface ppp+ outface eth1 dst "192.168.0.0/24"
        protection strong

router ext2www inface eth1 outface ppp+ src "192.168.0.0/24"
        route all accept

####################################################################

Why "PASS-unknown"?

I have also tried with:

>> iptables -t mangle -o "ppp+" --insert FORWARD 1 -p tcp --tcp-flags SYN,RST SYN -m tcpmss --mss 1400:1536 -j TCPMSS --clamp-mss-to-pmtu

or

>> tcpmss auto

without resolution.


Thanks again, Costa

Best regards

---
Sim
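An added triage helper, not code from the post or from FireHOL: it parses iptables LOG entries of the kind shown above, keeps the ones carrying the PASS-unknown prefix, groups them by 5-tuple and labels each by its TCP flags, so one can check whether every unmatched packet is a FIN or RST segment with no SYN, i.e. a teardown segment of the sort the connection tracker (which Costa's reply points at) stops matching once it has no state for the flow. That reading, the function names and the sample strings (copied from the log above, re-joined onto single lines, the first one truncated as posted) are the example's own assumptions.

```python
import re
from collections import defaultdict

# Constructed sample: entries copied from the log in the post above, each
# re-joined onto a single line; the first one is a truncated entry as posted.
SAMPLE_LOG = """\
Dec 14 17:06:22 lan kernel: [353715.165114] 'PASS-unknown:'IN=eth1 OUT=ppp0 SRC=192.168.0.200 DST=72.32.64.173 LEN=40 TOS=0x00 PREC=0x00 TTL=127 ID=27356 DF PFIN URGP=0
Dec 15 08:39:46 lan kernel: [409639.042216] 'PASS-unknown:'IN=eth1 OUT=ppp0 SRC=192.168.0.200 DST=72.32.64.169 LEN=40 TOS=0x00 PREC=0x00 TTL=127 ID=64142 DF PROTO=TCP SPT=52298 DPT=80 WINDOW=64860 RES=0x00 ACK FIN URGP=0
Dec 15 08:42:23 lan kernel: [409796.142377] 'PASS-unknown:'IN=eth1 OUT=ppp0 SRC=192.168.0.67 DST=209.85.143.99 LEN=40 TOS=0x00 PREC=0x00 TTL=127 ID=1641 DF PROTO=TCP SPT=49211 DPT=443 WINDOW=0 RES=0x00 ACK RST URGP=0
Dec 15 08:43:31 lan kernel: [409863.862562] 'PASS-unknown:'IN=eth1 OUT=ppp0 SRC=192.168.0.67 DST=66.249.91.104 LEN=40 TOS=0x00 PREC=0x00 TTL=127 ID=1645 DF PROTO=TCP SPT=49213 DPT=80 WINDOW=16445 RES=0x00 ACK FIN URGP=0
Dec 15 08:43:31 lan kernel: [409864.153426] 'PASS-unknown:'IN=eth1 OUT=ppp0 SRC=192.168.0.67 DST=66.249.91.104 LEN=40 TOS=0x00 PREC=0x00 TTL=127 ID=1650 DF PROTO=TCP SPT=49213 DPT=80 WINDOW=16445 RES=0x00 ACK FIN URGP=0
Dec 15 08:43:50 lan kernel: [409882.753625] 'PASS-unknown:'IN=eth1 OUT=ppp0 SRC=192.168.0.67 DST=66.249.91.104 LEN=40 TOS=0x00 PREC=0x00 TTL=127 ID=1656 DF PROTO=TCP SPT=49213 DPT=80 WINDOW=0 RES=0x00 ACK RST URGP=0
"""

TCP_FLAGS = {"SYN", "ACK", "FIN", "RST", "PSH", "URG", "CWR", "ECE"}
KV_RE = re.compile(r"(\w+)=(\S*)")
PREFIX_RE = re.compile(r"'(?P<prefix>[^']*)'")

def parse_entry(line):
    """Split one iptables LOG line into its log prefix, KEY=VALUE fields and
    the bare TCP flag tokens; fields missing from a truncated entry stay absent."""
    m = PREFIX_RE.search(line)
    if not m or "IN=" not in line:
        return None
    rest = line[m.end():]
    return {"prefix": m.group("prefix"),
            "fields": dict(KV_RE.findall(rest)),
            "flags": {tok for tok in rest.split() if tok in TCP_FLAGS}}

def classify(flags):
    """Name the segment type: SYN opens a flow; FIN/RST without SYN is teardown,
    which conntrack only matches while it still holds state for that flow."""
    for flag, label in (("SYN", "handshake"), ("RST", "reset"), ("FIN", "fin"), ("ACK", "ack-only")):
        if flag in flags:
            return label
    return "unknown"  # no recognisable TCP flags (e.g. a truncated entry)

def summarize(text, prefix="PASS-unknown:"):
    """Group entries carrying `prefix` by 5-tuple; return {flow: {label: count}}."""
    out = defaultdict(lambda: defaultdict(int))
    for line in text.splitlines():
        e = parse_entry(line)
        if e is None or e["prefix"] != prefix:
            continue
        f = e["fields"]
        key = tuple(f.get(k, "?") for k in ("SRC", "SPT", "DST", "DPT", "PROTO"))
        out[key][classify(e["flags"])] += 1
    return {k: dict(v) for k, v in out.items()}
```

Run `summarize(SAMPLE_LOG)` (or feed it the output of `grep PASS-unknown /var/log/kern.log` after re-joining wrapped lines) and look for any flow whose label is "handshake": a flow that shows up only as "fin" or "reset" never had a SYN reach the unmatched rule, which is what the log above shows.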
