
Re: explanation of blocked packets



On Thu, Mar 31, 2005 at 02:12:12PM +0100, Bob wrote:
> [email protected] wrote:
> > Why are the following packets being blocked?  I know that I have flags
> > S/SA modulate state, and that F or FP do not match S/SA, but does that
> > matter since its in state?
> 
> If I remember correctly, S/SA means "only accept flags where out of S 
> and A, only S is set". I.e. that pattern is only checking the S and A 
> flags, and couldn't care less about F or P.
> 
> However, in the packets that seem blocked, the S flag is not set, so 
> those packets will not pass the rule you have to allow stuff out of 
> $ext_if, and the last rule to match will be rule 0/0, which you have set 
> to "block log-all all".
> 
> You should find out what is creating the packets you see, and determine 
> why they are not setting the S flag.
> 
> Once a session has begun, the return packet, and all further reply 
> packets for that session, should be automatically allowed in/out because 
> you have turned on stateful inspection for outgoing packets. So the 
> packets you see blocked are likely the first packets with the 
> destination and source address that you see in the log. Why they don't 
> have the S flag set, I'm not sure.
> -- 
> Bob
> 
The mail server is postfix.  Basically, S/SA is for initiating the connection, and after it's added to the state, it shouldn't matter what flags are passed.
You are thinking these packets with F and FP are initial packets for a new connection?
I am not so sure about that.
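To make the semantics the thread is arguing about concrete, the following is a small Python model of how PF evaluates a `flags S/SA` rule and consults its state table. It is an added example, not code from the original post or from PF itself. It assumes a simplified PF (last matching rule wins, no `quick`, no state timeouts, and none of the sequence or window tracking that `modulate state` does), and the rule numbers, addresses, ports and packets are constructed for the illustration.

```python
"""Toy model of PF TCP flag matching and state lookup.

Added example for the pf flags S/SA discussion; not PF's own code.
Assumptions: simplified PF (no 'quick', no state timeouts, no sequence or
window checks for 'modulate state'); rule numbers, addresses and packets
below are constructed.
"""

# TCP flag letters as pf.conf and pflog print them, with their header bit values.
FLAG_BITS = {"F": 0x01, "S": 0x02, "R": 0x04, "P": 0x08, "A": 0x10, "U": 0x20}


def parse_flags(spec):
    """Turn "SA" into 0x12, "FP" into 0x09, "" into 0."""
    return sum(FLAG_BITS[c] for c in spec)


def flags_match(pkt_flags, want, mask):
    """PF 'flags want/mask': of the flags named in mask, exactly those in
    want must be set.  Flags outside the mask (P or F for S/SA) are ignored,
    which is why "SP" matches S/SA but "SA", "F" and "FP" do not."""
    return (pkt_flags & mask) == want


class Firewall:
    """Rules are evaluated in order and the last matching rule wins, but a
    packet matching an existing state entry passes before the ruleset is
    consulted at all; that is the effect of 'keep state'/'modulate state'."""

    def __init__(self, rules):
        self.rules = rules
        self.states = set()  # (src, sport, dst, dport), stored for both directions

    def filter(self, direction, src, sport, dst, dport, flags):
        key = (src, sport, dst, dport)
        if key in self.states:
            return "pass", "state"  # flags are not checked against rules here

        winner = None
        for rule in self.rules:
            if rule["direction"] not in (direction, "any"):
                continue
            if "flags" in rule:
                want, mask = rule["flags"]
                if not flags_match(flags, parse_flags(want), parse_flags(mask)):
                    continue
            winner = rule
        if winner is None:
            return "pass", "no rule"  # PF's implicit default when nothing matches
        if winner["action"] == "pass" and winner.get("state"):
            # Creating state for both directions is what lets the reply in.
            self.states.add(key)
            self.states.add((dst, dport, src, sport))
        return winner["action"], "rule %d" % winner["number"]


# Constructed ruleset mirroring the one described in the thread:
#   rule 0: block log-all all
#   rule 1: pass out on $ext_if proto tcp from any to any flags S/SA modulate state
RULES = [
    {"number": 0, "direction": "any", "action": "block"},
    {"number": 1, "direction": "out", "action": "pass",
     "flags": ("S", "SA"), "state": True},
]


def demo():
    """One SMTP session seen from its SYN, then two lone FIN / FIN+PSH
    segments on a port the firewall has no state for (constructed packets)."""
    fw = Firewall(RULES)
    mail, peer = "192.0.2.10", "198.51.100.25"
    f = parse_flags
    return [
        fw.filter("out", mail, 54321, peer, 25, f("S")),   # SYN: matches S/SA, creates state
        fw.filter("in", peer, 25, mail, 54321, f("SA")),   # reply: matched by state
        fw.filter("out", mail, 54321, peer, 25, f("PA")),  # data: matched by state
        fw.filter("out", mail, 54321, peer, 25, f("FA")),  # FIN inside the session: state
        fw.filter("out", mail, 54322, peer, 25, f("F")),   # no state, F fails S/SA: rule 0
        fw.filter("out", mail, 54322, peer, 25, f("FP")),  # no state, FP fails S/SA: rule 0
    ]


if __name__ == "__main__":
    for verdict, why in demo():
        print(verdict, why)
```

The point the model makes is that both sides of the thread are right about different packets: once a state entry exists, F or FP segments pass without the ruleset being consulted, but a FIN or FIN+PSH that arrives with no matching state (because the state has timed out, was never created, or was flushed by a ruleset reload) is evaluated against the rules, fails `flags S/SA`, and falls through to the `block log-all all` default. In a real PF the state lookup also involves sequence and window checks, so a segment can be logged even when a state entry for the 4-tuple exists; the model leaves that out.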