Re: explanation of blocked packets
On Thu, Mar 31, 2005 at 02:12:12PM +0100, Bob wrote:
> [email protected] wrote:
> > Why are the following packets being blocked? I know that I have flags
> > S/SA modulate state, and that F or FP do not match S/SA, but does that
> > matter since its in state?
> If I remember correctly, S/SA means "only accept flags where out of S
> and A, only S is set". I.e. that pattern is only checking the S and A
> flags, and couldn't care less about F or P.
> However, in the packets that seem blocked, the S flag is not set, so
> those packets will not pass the rule you have to allow stuff out of
> $ext_if, and the last rule to match will be rule 0/0, which you have set
> to "block log-all all".
> You should find out what is creating the packets you see, and determine
> why they are not setting the S flag.
> Once a session has begun, the return packet, and all further reply
> packets for that session, should be automatically allowed in/out because
> you have turned on stateful inspection for outgoing packets. So the
> packets you see blocked are likely the first packets with the
> destination and source address that you see in the log. Why they don't
> have the S flag set, I'm not sure.
The mail server is postfix. Basically, S/SA is for initiating the connection, and after it's added to the state, it shouldn't matter what flags are passed.
You are thinking these packets with F and FP are initial packets for a new connection?
I am not so sure about that.
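The "only S out of S and A" reading of flags S/SA discussed above is the pf check/mask test: a packet passes "flags check/mask" when (tcp_flags AND mask) == check, so flags outside the mask (F, P, R, U, E, W) are ignored. The following is an added example, not code from the thread or from pf itself, that spells that test out in Python and shows which of the packets mentioned (S, SP, SA, F, FP, FA) would match the rule if they were evaluated against the ruleset at all. It only models the flags test; in pf a packet that matches an existing state is passed by the state table and never reaches the rules, which is the point the reply is making about F and FP packets.

```python
# pf.conf "flags check/mask" matching, written out as an added example.
# Flag letters follow pf.conf / tcpdump: F=FIN S=SYN R=RST P=PSH A=ACK
# U=URG E=ECE W=CWR. Bit values are the standard TCP header flag bits.
TCP_FLAGS = {
    "F": 0x01,
    "S": 0x02,
    "R": 0x04,
    "P": 0x08,
    "A": 0x10,
    "U": 0x20,
    "E": 0x40,
    "W": 0x80,
}


def flags_to_bits(spec):
    """Turn a flag-letter string such as 'SA' into a TCP flags bitmask."""
    bits = 0
    for ch in spec:
        if ch not in TCP_FLAGS:
            raise ValueError(f"unknown TCP flag {ch!r}")
        bits |= TCP_FLAGS[ch]
    return bits


def parse_flags_option(option):
    """Parse the pf.conf 'flags check/mask' argument into (check, mask).

    'flags any' means no flag checking at all (mask 0 matches everything).
    An empty check with a non-empty mask, e.g. '/S', means those flags
    must be clear.
    """
    option = option.strip()
    if option == "any":
        return 0, 0
    check_str, sep, mask_str = option.partition("/")
    if not sep or not mask_str:
        raise ValueError("pf flags option needs the form check/mask")
    check = flags_to_bits(check_str)
    mask = flags_to_bits(mask_str)
    if check & ~mask:
        raise ValueError("check flags must be a subset of the mask")
    return check, mask


def flags_match(packet_flags, option):
    """True if a TCP packet with these flags passes 'flags <option>'.

    This is the pf test: only the bits in the mask are compared, and
    they must equal the check bits exactly.
    """
    check, mask = parse_flags_option(option)
    return (flags_to_bits(packet_flags) & mask) == check


def classify(option, samples):
    """Map each sample flag string to whether it matches the option."""
    return {s: flags_match(s, option) for s in samples}


if __name__ == "__main__":
    # Constructed sample packets, named by the flags set on them.
    samples = ["S", "SP", "SE", "SA", "A", "F", "FP", "FA", "PA"]
    for pkt, ok in classify("S/SA", samples).items():
        verdict = "matches" if ok else "does not match"
        print(f"{pkt:<3} {verdict} flags S/SA")
```

Run stand-alone it prints that S, SP and SE match (P and E are outside the mask, so they are ignored) while SA, A, F, FP, FA and PA do not, because none of them has S set without A. That is why an F or FP packet that is not already in the state table falls through to the final block rule, whatever the rest of its flags.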