Re: outgoing SYN blocked even if it is allowed by ipf.rules

This is a discussion on "Re: outgoing SYN blocked even if it is allowed by ipf.rules" within the IPFilter forums, part of the System Security and Security Related category.


Posted 07-26-2007 by Matthias Apitz

Re: outgoing SYN blocked even if it is allowed by ipf.rules

On Wednesday, July 25, 2007 at 11:48:27PM -0700, Phil Dibowitz wrote:

> Matthias Apitz wrote:
> > Phil, I'm talking about this pkg (the very last one in my posting from
> > today):
> >
> > 13:30:08.499026 IP 10.0.1.40.2546 > xxx.xxx.xxx.xxx.3233: S 49301289:49301289(0) ack 979701897 win 23360 <mss 536>
>
> I misunderstood, sorry. This packet is not part of the same connection as
> the rest of the packets in your output. Both the source and destination
> ports don't match, nor do the sequence or ack numbers. That's a SYN+ACK to
> some _other_ SYN not shown in your output. That's why Carson pointed out
> that you didn't include the relevant SYN.


But there was no _other_ SYN, really; and I've checked the tcpdump
output again; I was sitting on the firewall host itself and did a

# tcpdump -i em0 -n host 10.0.1.40 > 10.0.1.40.tcp

and the file only contains the sequence I already sent twice;
the 'ipmon' log in /var/log/messages also says about that:

Jul 25 13:30:08 cazador ipmon[362]: 13:30:07.989080 em1 @0:74 p xxx.xxx.xxx.xxx,3232 -> 10.0.1.40,1720 PR tcp len 20 44 -S K-S IN NAT
Jul 25 13:30:09 cazador ipmon[362]: 13:30:08.499067 em1 @0:111 b 10.0.1.40,2546 -> xxx.xxx.xxx.xxx,3233 PR tcp len 20 44 -AS OUT

i.e. the 1st line logs the passing of the SYN for the connection
xxx.xxx.xxx.xxx,3232 -> 10.0.1.40,1720 and the next line already shows
the blocked SYN+ACK packet, and there is no line in between showing
another passed SYN for xxx.xxx.xxx.xxx,3233 -> 10.0.1.40,2546

The problem is that 10.0.1.40 is connected to a switch; I will
put in a hub to plug my laptop in directly next to 10.0.1.40 to
see what traffic is arriving at the NIC of 10.0.1.40; at least
on the firewall (10.0.1.136) there was no other SYN to see;
sorry;

but in any case, thanks for all the feedback;

matthias
--
Matthias Apitz
Manager Technical Support - OCLC PICA GmbH
Gruenwalder Weg 28g - 82041 Oberhaching - Germany
t +49-89-61308 351 - f +49-89-61308 399 - m +49-170-4527211
e <m.apitz@oclcpica.org> - w http://www.oclcpica.org/ http://www.UnixArea.de/
b http://gurucubano.blogspot.com/
OCLC PICA GmbH, Managing Directors: Christine Magin-Weeger, Norbert Weinberger
Registered office: Oberhaching, HRB Muenchen: 113261
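As an added example (not part of the original post or of IPFilter): a small Python check that does by script what Matthias does by hand above, parsing ipmon records in the syslog format he quotes and reporting every blocked TCP SYN+ACK for which no earlier passed SYN with the reverse address/port tuple was logged. The first two sample records are the ones quoted in the post; the 4000/4001 pair is constructed to show a blocked SYN+ACK whose SYN was logged and which is therefore not reported.

```python
import re

# One ipmon record as quoted in the post: syslog prefix, ipmon timestamp, interface,
# @group:rule, action (p=pass, b=block), src,port -> dst,port, protocol, lengths, tags.
IPMON_RE = re.compile(
    r"ipmon\[\d+\]: (?P<ts>\S+) (?P<iface>\S+) @(?P<rule>\S+) (?P<action>[pbn]) "
    r"(?P<src>\S+),(?P<sport>\d+) -> (?P<dst>\S+),(?P<dport>\d+) PR (?P<proto>\w+) "
    r"len \d+ \d+(?P<tags>.*)$"
)
# TCP flags appear as "-S" / "-AS"; the lookbehind keeps the "-S" of "K-S" (keep state) out.
FLAGS_RE = re.compile(r"(?<!\S)-([A-Z]+)(?!\S)")

def parse_ipmon(line):
    """Return a dict for one ipmon line (flags as a set of letters), or None."""
    m = IPMON_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    fl = FLAGS_RE.search(rec["tags"])
    rec["flags"] = set(fl.group(1)) if fl else set()
    return rec

def orphan_synacks(lines):
    """Blocked TCP SYN+ACKs whose SYN (reverse 4-tuple) was never logged as passed;
    with no SYN to create state, such a SYN+ACK falls through to the block rule."""
    seen_syns, orphans = set(), []
    for line in lines:
        rec = parse_ipmon(line)
        if rec is None or rec["proto"] != "tcp":
            continue
        key = (rec["src"], rec["sport"], rec["dst"], rec["dport"])
        if rec["action"] == "p" and rec["flags"] == {"S"}:
            seen_syns.add(key)
        elif rec["action"] == "b" and {"A", "S"} <= rec["flags"]:
            if (key[2], key[3], key[0], key[1]) not in seen_syns:
                orphans.append(key)
    return orphans

# The two records quoted in the post, plus a constructed pair (ports 4000/4001) where the
# blocked SYN+ACK does have its SYN logged and so is not reported.
SAMPLE_LOG = [
    "Jul 25 13:30:08 cazador ipmon[362]: 13:30:07.989080 em1 @0:74 p xxx.xxx.xxx.xxx,3232 -> 10.0.1.40,1720 PR tcp len 20 44 -S K-S IN NAT",
    "Jul 25 13:30:09 cazador ipmon[362]: 13:30:08.499067 em1 @0:111 b 10.0.1.40,2546 -> xxx.xxx.xxx.xxx,3233 PR tcp len 20 44 -AS OUT",
    "Jul 25 13:31:00 cazador ipmon[362]: 13:30:59.000001 em1 @0:74 p xxx.xxx.xxx.xxx,4000 -> 10.0.1.40,4001 PR tcp len 20 44 -S K-S IN NAT",
    "Jul 25 13:31:00 cazador ipmon[362]: 13:30:59.000500 em1 @0:111 b 10.0.1.40,4001 -> xxx.xxx.xxx.xxx,4000 PR tcp len 20 44 -AS OUT",
]

if __name__ == "__main__":
    for src, sport, dst, dport in orphan_synacks(SAMPLE_LOG):
        print(f"blocked SYN+ACK {src}:{sport} -> {dst}:{dport} has no matching passed SYN")
```

Run against a real /var/log/messages the check only sees what ipmon logged, so a SYN passed by a rule without `log` (or on another interface) also shows up as an orphan; that is exactly the ambiguity the hub experiment in the post is meant to resolve.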