Re: outgoing SYN blocked even if it is allowed by ipf.rules (IPFilter forums, System Security and Security Related category)
On Wednesday, July 25, 2007 at 10:41:36AM -0700, Carson Gaspar wrote:
> Matthias Apitz wrote:
>
> > Now my VC tries (for some reason which I don't understand as well) to
> > initiate a new TCP session here:
> >
> > 13:30:08.499026 IP 10.0.1.40.2546 > xxx.xxx.xxx.xxx.3233: S
> > 49301289:49301289(0) ack 979701897 win 23360 <mss 536>
>
> No, it doesn't. That's a SYN+ACK, not a SYN. You haven't shown us the
> SYN packet.

Hello Carson,

Thanks for pointing that out; I did not notice the 'ack' flag and was only focused on the 'S'. It is now clear why the packet cannot pass the IPF firewall, but one question remains. I collected all the traffic for the IP 10.0.1.40, and this is what was captured:

13:30:07.989088 IP xxx.xxx.xxx.xxx.3232 > 10.0.1.40.1720: S 356680283:356680283(0) win 8192 <mss 1460>
13:30:07.994005 IP 10.0.1.40.1720 > xxx.xxx.xxx.xxx.3232: S 85446234:85446234(0) ack 356680284 win 23360 <mss 536>
13:30:08.153383 IP xxx.xxx.xxx.xxx.3232 > 10.0.1.40.1720: . ack 1 win 8192
13:30:08.153391 IP xxx.xxx.xxx.xxx.3232 > 10.0.1.40.1720: P 1:5(4) ack 1 win 8192
13:30:08.154131 IP xxx.xxx.xxx.xxx.3232 > 10.0.1.40.1720: P 5:222(217) ack 1 win 8192
13:30:08.182341 IP 10.0.1.40.1720 > xxx.xxx.xxx.xxx.3232: P 1:104(103) ack 222 win 23139
13:30:08.320937 IP 10.0.1.40.1720 > xxx.xxx.xxx.xxx.3232: P 104:242(138) ack 222 win 23139
13:30:08.346463 IP xxx.xxx.xxx.xxx.3232 > 10.0.1.40.1720: . ack 104 win 8093
13:30:08.494931 IP xxx.xxx.xxx.xxx.3232 > 10.0.1.40.1720: . ack 242 win 8058
13:30:08.499026 IP 10.0.1.40.2546 > xxx.xxx.xxx.xxx.3233: S 49301289:49301289(0) ack 979701897 win 23360 <mss 536>
...

Why does 10.0.1.40 send out a SYN to the remote side with 'ack' turned on and with the destination port set to n+1 of the source port of the established connection? Do you have an idea about this?

Thanks again for your help.
matthias
--
Matthias Apitz
Manager Technical Support - OCLC PICA GmbH
Gruenwalder Weg 28g - 82041 Oberhaching - Germany
t +49-89-61308 351 - f +49-89-61308 399 - m +49-170-4527211
e <m.apitz@oclcpica.org> - w http://www.oclcpica.org/ http://www.UnixArea.de/
b http://gurucubano.blogspot.com/
OCLC PICA GmbH, Managing Directors: Christine Magin-Weeger, Norbert Weinberger
Registered office: Oberhaching, Munich commercial register HRB 113261
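A small reader for the old-style tcpdump lines in this thread, added here as an example; it is not part of the original post and not IPFilter code. It classifies each segment from the flags column together with the "ack" field (so a line showing "S" with an ack number is reported as SYN+ACK, the point Carson makes above), groups segments into connections, infers the initiator from a SYN+ACK when the SYN itself is absent from the capture, and reports which direction an ipf "pass ... flags S keep state" rule would have to cover for the handshake. The trace is reconstructed from the post; the masked remote address xxx.xxx.xxx.xxx is replaced by the documentation address 203.0.113.5, and all function names are my own.

```python
import re
from collections import OrderedDict

# Constructed trace modelled on the capture in the post. The remote address
# was masked there; 203.0.113.5 (a documentation address) stands in for it.
TRACE = """\
13:30:07.989088 IP 203.0.113.5.3232 > 10.0.1.40.1720: S 356680283:356680283(0) win 8192 <mss 1460>
13:30:07.994005 IP 10.0.1.40.1720 > 203.0.113.5.3232: S 85446234:85446234(0) ack 356680284 win 23360 <mss 536>
13:30:08.153383 IP 203.0.113.5.3232 > 10.0.1.40.1720: . ack 1 win 8192
13:30:08.153391 IP 203.0.113.5.3232 > 10.0.1.40.1720: P 1:5(4) ack 1 win 8192
13:30:08.154131 IP 203.0.113.5.3232 > 10.0.1.40.1720: P 5:222(217) ack 1 win 8192
13:30:08.182341 IP 10.0.1.40.1720 > 203.0.113.5.3232: P 1:104(103) ack 222 win 23139
13:30:08.320937 IP 10.0.1.40.1720 > 203.0.113.5.3232: P 104:242(138) ack 222 win 23139
13:30:08.346463 IP 203.0.113.5.3232 > 10.0.1.40.1720: . ack 104 win 8093
13:30:08.494931 IP 203.0.113.5.3232 > 10.0.1.40.1720: . ack 242 win 8058
13:30:08.499026 IP 10.0.1.40.2546 > 203.0.113.5.3233: S 49301289:49301289(0) ack 979701897 win 23360 <mss 536>
"""

# Old tcpdump format: "<ts> IP <src> > <dst>: <flags> <seq/ack/win ...>".
# The flags column only shows S/F/P/R/U/W/E (or "." for none); the ACK bit
# appears separately as an "ack <n>" field later on the line.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) IP (?P<src>\S+) > (?P<dst>\S+): (?P<flags>[SFPRUWE.]+) (?P<rest>.*)$"
)
ACK_RE = re.compile(r"\back (\d+)\b")


def split_endpoint(ep):
    """'10.0.1.40.1720' -> ('10.0.1.40', 1720); old tcpdump joins host and port with a dot."""
    host, port = ep.rsplit(".", 1)
    return host, int(port)


def parse_line(line):
    """Return the fields of one tcpdump line, or None if it is not a TCP line."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    flags = m.group("flags")
    return {
        "ts": m.group("ts"),
        "src": split_endpoint(m.group("src")),
        "dst": split_endpoint(m.group("dst")),
        "syn": "S" in flags,
        "fin": "F" in flags,
        "rst": "R" in flags,
        "psh": "P" in flags,
        "ack": ACK_RE.search(m.group("rest")) is not None,
    }


def classify(line):
    """Name the segment type from the flags column AND the ack field together."""
    p = parse_line(line)
    if p is None:
        return "unparsed"
    if p["syn"]:
        return "SYN+ACK" if p["ack"] else "SYN"
    if p["rst"]:
        return "RST"
    if p["fin"]:
        return "FIN"
    if p["psh"]:
        return "PSH+ACK"
    return "ACK"


def connections(trace):
    """Group segments by endpoint pair and record who initiated each connection.

    A SYN names the initiator directly.  A SYN+ACK names it indirectly: its
    destination is the initiator.  A connection with a SYN+ACK but no SYN in
    the capture is what a one-sided capture or a blocked inbound SYN looks like.
    """
    conns = OrderedDict()
    for line in trace.splitlines():
        p = parse_line(line)
        if p is None:
            continue
        key = tuple(sorted([p["src"], p["dst"]]))
        c = conns.setdefault(key, {"initiator": None, "responder": None,
                                   "syn_seen": False, "synack_seen": False, "segments": 0})
        c["segments"] += 1
        if p["syn"] and not p["ack"]:
            c["initiator"], c["responder"], c["syn_seen"] = p["src"], p["dst"], True
        elif p["syn"] and p["ack"]:
            c["synack_seen"] = True
            if c["initiator"] is None:
                c["initiator"], c["responder"] = p["dst"], p["src"]
    return list(conns.values())


def missing_syn(trace):
    """Connections whose SYN+ACK was captured but whose SYN was not."""
    return [c for c in connections(trace) if c["synack_seen"] and not c["syn_seen"]]


def ipf_direction_needed(conn, local_host):
    """Direction an ipf 'pass ... flags S keep state' rule must cover: that of the SYN.

    ipf creates the state entry from the SYN, so the SYN+ACK is passed by that
    state entry, not by a rule of its own.
    """
    if conn["initiator"] is None:
        return None
    return "out" if conn["initiator"][0] == local_host else "in"


if __name__ == "__main__":
    for c in connections(TRACE):
        print(c["initiator"], "->", c["responder"], "syn_seen=%s synack_seen=%s" % (c["syn_seen"], c["synack_seen"]),
              "rule direction needed:", ipf_direction_needed(c, "10.0.1.40"))
```

Run over the reconstructed trace, the second connection (203.0.113.5:3233 to 10.0.1.40:2546) is listed with synack_seen true and syn_seen false, with the remote side as initiator: the handshake packet that has to match an ipf rule is an inbound SYN to port 2546, and that packet is not in the capture at all. With a "flags S keep state" rule, an outbound SYN+ACK for which no state entry exists is dropped regardless of what the outbound rules say, which is consistent with what the post observes.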