[Firehol-support] Lots of INVALID OUT ... ACK RST errors?

Tsaousis, Costa costa at tsaousis.gr
Tue Mar 24 14:15:38 CET 2015


Hi Rich,

as the log says, the packets logged are considered INVALID by the
connection tracker.
INVALID packets are the ones the Linux kernel considers not part of
existing connections. They might have been part of a connection in the
past, but at the time they arrived they were no longer part of an existing
connection. This may also happen because the connection
tracker monitors all traffic and has already decided to clean up the
specific connection.

Normally you can ignore INVALID packets.

You can disable their logging in FireHOL by setting FIREHOL_LOG_DROP_INVALID=0.
Logging INVALID packets is enabled by default, to help
administrators troubleshoot firewall setup problems.

If you believe the kernel connection tracker is wrong (very unlikely)
you can allow these packets to flow by setting FIREHOL_DROP_INVALID=0

Costa



On Tue, Mar 24, 2015 at 2:48 PM, Rich <forums at artfulrobot.uk> wrote:
>
>
> Hello again,
>
> I've firewalled a machine that runs the Dropbox daemon, which needs to
> access internet servers over https.
>
> I have this pertinent bit of config:
>
> interface4 eth1 interweb src not "${UNROUTABLE_IPS}" dst "$MY_IPS"
>  policy drop
>  protection strong
>  client all accept
>
> I'm getting lots of these:
>
> INVALID OUT:IN= OUT=eth1 SRC=10.67.5.1 DST=108.160.166.61 LEN=52
> TOS=0x00 PREC=0x00 TTL=64 ID=33439 DF PROTO=TCP SPT=38350 DPT=443
> WINDOW=1813 RES=0x00 ACK RST URGP=0
>
> I'm running from d614fd7558. 10.67.5.1 is the server's LAN IP (listed in
> $MY_IPS), the other IP belongs to Dropbox. This is the only service that
> the server regularly accesses as a client, so I doubt this is specific
> to the Dropbox servers. The other config mostly covers other firehol
> interfaces, there's a tun0 interface and routing is accepted both ways
> between this and eth1. Other than that the only other line is a snat one
> limited to traffic being sent to the local LAN, so this would not apply
> to the sort of packets I'm seeing errors about.
>
> Any advice gratefully appreciated,
>
> Rich
>
>
> _______________________________________________
> Firehol-support mailing list
> Firehol-support at lists.firehol.org
> http://lists.firehol.org/mailman/listinfo/firehol-support
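To show how an administrator might sort these log entries before deciding whether to turn off FIREHOL_LOG_DROP_INVALID, here is an added Python example; it is not FireHOL's code and was not posted by anyone in this thread. It parses iptables-style LOG lines (the format FireHOL logs in) into fields and flags, then labels each entry by whether conntrack or a policy rule dropped it and by the TCP flag combination. The first sample line is the one Rich quoted; the other two are constructed for contrast, and the label names are my own.

```python
import re

# Constructed sample log text. Line 1 is the entry quoted in the thread; lines 2
# and 3 are made up (RFC 5737 documentation addresses) to show other outcomes.
SAMPLE_LOG = """\
INVALID OUT:IN= OUT=eth1 SRC=10.67.5.1 DST=108.160.166.61 LEN=52 TOS=0x00 PREC=0x00 TTL=64 ID=33439 DF PROTO=TCP SPT=38350 DPT=443 WINDOW=1813 RES=0x00 ACK RST URGP=0
INVALID IN:IN=eth1 OUT= SRC=198.51.100.7 DST=10.67.5.1 LEN=40 TOS=0x00 PREC=0x00 TTL=52 ID=0 DF PROTO=TCP SPT=443 DPT=38350 WINDOW=0 RES=0x00 ACK URGP=0
IN-interweb:IN=eth1 OUT= SRC=198.51.100.9 DST=10.67.5.1 LEN=60 TOS=0x00 PREC=0x00 TTL=50 ID=1 DF PROTO=TCP SPT=51000 DPT=22 WINDOW=65535 RES=0x00 SYN URGP=0
"""

# Bare tokens the kernel LOG target emits without a KEY= part.
TCP_FLAGS = {"SYN", "ACK", "FIN", "RST", "PSH", "URG"}


def parse_log_line(line):
    """Parse one iptables/FireHOL LOG line into a dict.

    The line starts with the rule's free-form prefix (e.g. 'INVALID OUT'),
    terminated by ':'; the remainder is KEY=VALUE tokens plus bare flag tokens
    such as DF, ACK or RST. Bare tokens are collected under 'flags'.
    """
    prefix, sep, rest = line.partition(":")
    if not sep:
        raise ValueError("not a LOG line: %r" % line)
    record = {"prefix": prefix.strip(), "flags": set()}
    for token in rest.split():
        if "=" in token:
            key, _, value = token.partition("=")
            record[key] = value          # 'IN=' yields an empty string, as in the thread
        else:
            record["flags"].add(token)
    return record


def classify(record):
    """Return a triage label (my own names) for a parsed LOG record."""
    flags = record["flags"]
    if not record["prefix"].startswith("INVALID"):
        return "policy-drop"             # dropped by a firewall rule, not by conntrack
    if record.get("PROTO") != "TCP":
        return "invalid-other"
    if "RST" in flags:
        # A RST for a flow conntrack has already forgotten: one side is tearing
        # down a connection the tracker no longer holds state for. This is the
        # case in the thread and is normally harmless.
        return "invalid-late-rst"
    if "ACK" in flags and "SYN" not in flags:
        return "invalid-stray-ack"       # mid-stream segment with no tracked flow
    return "invalid-other"


def triage(log_text):
    """Count triage labels over a block of LOG lines (blank lines skipped)."""
    counts = {}
    for line in log_text.splitlines():
        if not line.strip():
            continue
        label = classify(parse_log_line(line))
        counts[label] = counts.get(label, 0) + 1
    return counts


if __name__ == "__main__":
    for label, n in sorted(triage(SAMPLE_LOG).items()):
        print("%-18s %d" % (label, n))
```

Feeding the output of `grep INVALID /var/log/kern.log` (or wherever your syslog routes kernel messages) into `triage` gives a quick count of how much of the noise is late RSTs versus stray ACKs or non-TCP traffic, which is the kind of summary worth having before deciding to silence the logging with FIREHOL_LOG_DROP_INVALID=0.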

