Strange rule - a discussion in the Linux Security forums, part of the System Security and Security Related category.
Hi !

I'm using Linux Mandrake 10.0 Community. These are my shorewall rules:

ACCEPT  net  fw  udp  22,111,635,1014,2049,40411  -
ACCEPT  net  fw  tcp  22,111,638,1017,2049,4080,17338,36819  -
ACCEPT  loc  fw  udp  22,111,635,1014,2049,40411  -
ACCEPT  loc  fw  tcp  22,111,638,1017,2049,4080,17338,36819  -

17338 is my custom port for the edonkey network, using mldonkey. Very often, I'm receiving this kind of message in the netfilter logs:

Sep 26 13:57:25 pingouin kernel: Shorewall:newnotsyn:DROP:IN=eth0 OUT= MAC=00:d0:70:01:ff:62:00:07:cb:06:1b:a0:08:00 SRC=82.255.55.48 DST=192.168.0.10 LEN=40 TOS=0x00 PREC=0x00 TTL=125 ID=61576 DF PROTO=TCP SPT=3374 DPT=17338 WINDOW=65535 RES=0x00 ACK FIN URGP=0

17338 is open, so why is this packet dropped? I've already received this answer:

#############################
In article <4156af4e$0$1840$626a14ce@news.free.fr>, Charles Flèche wrote:

>I'm receiving this kind of message in the netfilter logs :
>
>Sep 26 13:57:25 pingouin kernel: Shorewall:newnotsyn

Unknown packet - there is no previous conversation, but the packet does not have the SYN bit set, trying to start the conversation.

>MAC=00:d0:70:01:ff:62:00:07:cb:06:1b:a0:08:00 SRC=82.255.55.48

LOCALLY (on your wire), the packet was being sent to 00:d0:70:01:ff:62

[compton ~]$ etherwhois 00:d0:70
00-D0-70   (hex)        LONG WELL ELECTRONICS CORP.
00D070     (base 16)    LONG WELL ELECTRONICS CORP.
                        4F, NO. 59-1, TSAO DI WEI
                        SHENGKENG HSIANG, TAIPEI HSIEN
                        TAIWAN 222 TAIWAN 222 R.O.C.
[compton ~]$

and was sent from 00:07:cb:06:1b:a0

[compton ~]$
00-07-CB   (hex)        Freebox SA
0007CB     (base 16)    Freebox SA
                        24, rue Emile Menier
                        75116 Paris
                        FRANCE
[compton ~]$

I've no idea what that might be. The 08:00 says it's an IP datagram. The 82.255.55.48 address belongs to ProXad. It's apparently in ADSL service.

>DST=192.168.0.10 LEN=40 TOS=0x00 PREC=0x00 TTL=125 ID=61576 DF PROTO=TCP

The TTL=125 SUGGESTS the originating host is probably 3 hops away.

>17338 is open, so why is this packet dropped?

It's not part of an existing conversation.

>SPT=3374 DPT=17338 WINDOW=65535 RES=0x00 ACK FIN URGP=0

It has the ACK bit set. The combination of window size and TTL suggests the source _might_be_ a Windows 2000 with service pack 4, or an XP box with service pack 1. Don't know if that might be relevant.

Try posting to a newsgroup that has readers who are more aware of the problem. Two examples would be comp.os.linux.security and alt.os.linux.mandrake. Most of the readers in comp.security.firewalls are windoze people, and I had never even _heard of alt.comp.networking.firewalls which seems to be nearly dead on my server.

        Old guy
#############################

Freebox SA is my ADSL provider. There's a rumor that they try to block ports where there is too much traffic to break down p2p... Perhaps it's a mysterious manipulation to prevent me from downloading the latest knoppix... :-)

Do you know more ?

Thanx !
In article <415700f9$0$23939$626a14ce@news.free.fr>, Charles Flèche wrote:

>I'm receiving this kind of message in the netfilter logs :
>
>Sep 26 13:57:25 pingouin kernel: Shorewall:newnotsyn:

When a TCP connection is set up, the originating computer sends a packet with the 'SYN' flag set, and suggests a 32 bit number that it will start counting the bits sent. The peer makes note of this number, and sends a return packet with the ACK flag (I acknowledge your SYN), and the SYN flag set, and proposes its own 32 bit number that it will start counting the bits sent, and sends back the originator's 32 bit number meaning "I have received up to this bit number". The originating host then sends an ACK and repeats the peer's 32 bit number - I've received up to this bit number. It _probably_ will also start sending some data - and the conversation starts.

What the firewall is saying is that a new connection has appeared, but there was no SYN flag set. Now if you look at THIS sentence, what has happened is that the peer sent

'ppened is that the peer sent'

Where is the beginning? It is not here. If this was an existing connection, perhaps it began a long time ago, and the firewall forgot that there was a conversation. You would have to look at your logs for that information. This might actually be more logical.

>Freebox SA is my ADSL provider. There's a rumor that they try to block ports
>where there is too much traffic to break down p2p... Perhaps it's a mysterious
>manipulation to prevent me from downloading the latest knoppix... :-)

I don't think so, but I'm not in France. Downloading one or several ISO files, while it will be a lot of traffic, is not unusual. Many do this. The host (82.255.55.48) that sent the packet is named lns-vlq-20-82-255-55-48.adsl.proxad.net and the name does not look special to me - I suspect that it's an ordinary ADSL host. ProXad did not SWIP the block at RIPE, so there is no way to identify anything further.

        Old guy