The Saturday 2006-04-15 at 00:49 +0200, Joe Knall wrote:
Let me try to give you a hint, though I'm not an expert on SuSEfirewall2.
Ok :-)
On Freitag, 14. April 2006 17:06 Carlos E. R. wrote:
What causes this error in the firewall?
Apr 14 17:03:37 nimrodel kernel: SFW2-OUT-ERROR IN= OUT=eth0 SRC=192.168.1.12 DST=85.85.72.60 LEN=40 TOS=0x08 PREC=0x00 TTL=64 ID=53126 DF PROTO=TCP SPT=6881 DPT=4712 WINDOW=32767 RES=0x00 ACK URGP=0
The log tells you that your client (SRC=192.168.1.12, SPT=6881) sends somehow invalid answers (ACK) to a machine on the internet (DST=85.85.72.60, DPT=4712, tcp).
Ah. That is starting to make some sense.
Why ERROR, not DROP? As far as I can see SuSEfirewall2 doesn't block any outgoing connections - your machine may connect wherever.
In /sbin/SuSEfirewall2 there is exactly one place that produces this ERROR log (lines 1104-1105, suse 9.3):

    $iptables -A OUTPUT -j ACCEPT -m state --state NEW,ESTABLISHED,RELATED
    $iptables -A OUTPUT -j LOG ${LOG}"-OUT-ERROR "
A packet which is not in NEW,ESTABLISHED,RELATED must be invalid somehow; it's not handled by the first line but by the second. But it doesn't seem to be dropped afterwards, only logged as ERROR! The immediately following three lines say:

    # we want to let locally generated packets out since our task is not
    # to protect the world from us, but protect us from the world ;)
    # policy is ACCEPT
    $iptables -A OUTPUT -j ACCEPT
So your problem probably has nothing to do with the firewall itself but the client or something in between (invalid packets).
Well, it logged about a dozen or more of such to the same machine; the error is occasional, but when it happens, it is repeatable. It is not related to only one client, because previously I saw it when browsing with Mozilla, now and then, and now I see it with BitTorrent-4.0.2-3.1, but many. It may be related to something wrong deep somewhere in the kernel or glibc or who knows.
Apart from this your last paragraph shows some essential misunderstanding:
port 6881 is allowed entry in the config:
FW_SERVICES_EXT_TCP="6881:6889"
This has _nothing_ to do with the above.
I know, I know. I only added the reference to that for completeness, just in case.

-- 
Cheers, Carlos Robinson
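Two things a reader of this thread usually wants next: a quick way to see whether the SFW2-OUT-ERROR lines cluster on one peer, port or TCP flag pattern (Carlos's "same machine, repeatable" observation), and the OUTPUT-chain rules Joe quotes shown next to a variant that actually drops the packets rather than only logging them. The script below is an added example and is not code from the thread or from SuSEfirewall2 itself. The function names are this example's own; all log lines except the first (copied from the thread) are constructed; and the `--log-prefix "SFW2-OUT-ERROR "` spelling assumes that is what `${LOG}"-OUT-ERROR "` expands to, as the logged prefix suggests.

```shell
#!/bin/sh
# Added example (not from the thread, not from SuSEfirewall2).
# - summarize_out_errors: group SFW2-OUT-ERROR kernel log lines by
#   protocol, destination, port and bare TCP flags.
# - show_output_rules: print the quoted OUTPUT rules next to a stricter
#   variant that drops INVALID packets. Prints only; never runs iptables.

# Constructed sample log. Line 1 is the one quoted in the thread; the
# other three are made up (the last one is not an OUT-ERROR at all).
SAMPLE_LOG='Apr 14 17:03:37 nimrodel kernel: SFW2-OUT-ERROR IN= OUT=eth0 SRC=192.168.1.12 DST=85.85.72.60 LEN=40 TOS=0x08 PREC=0x00 TTL=64 ID=53126 DF PROTO=TCP SPT=6881 DPT=4712 WINDOW=32767 RES=0x00 ACK URGP=0
Apr 14 17:03:41 nimrodel kernel: SFW2-OUT-ERROR IN= OUT=eth0 SRC=192.168.1.12 DST=85.85.72.60 LEN=40 TOS=0x08 PREC=0x00 TTL=64 ID=53130 DF PROTO=TCP SPT=6881 DPT=4712 WINDOW=32767 RES=0x00 ACK URGP=0
Apr 14 17:05:02 nimrodel kernel: SFW2-OUT-ERROR IN= OUT=eth0 SRC=192.168.1.12 DST=10.9.8.7 LEN=40 TOS=0x00 PREC=0x00 TTL=64 ID=9001 DF PROTO=TCP SPT=32769 DPT=80 WINDOW=0 RES=0x00 ACK RST URGP=0
Apr 14 17:05:03 nimrodel kernel: SFW2-INext-DROP-DEFLT IN=eth0 OUT= SRC=10.9.8.7 DST=192.168.1.12 LEN=48 TOS=0x00 PREC=0x00 TTL=50 ID=1 DF PROTO=TCP SPT=1234 DPT=22 WINDOW=65535 RES=0x00 SYN URGP=0'

# Read kernel log lines on stdin, keep SFW2-OUT-ERROR only, and print
# "count PROTO DST:DPT FLAGS", most frequent first. The bare flag tokens
# (ACK, RST, ...) show what kind of packet conntrack refused to classify
# as NEW, ESTABLISHED or RELATED; a lone ACK with no tracked connection
# is the classic case.
summarize_out_errors() {
    awk '
    /SFW2-OUT-ERROR/ {
        dst = ""; dpt = ""; proto = ""; flags = ""
        for (i = 1; i <= NF; i++) {
            if      ($i ~ /^DST=/)   dst   = substr($i, 5)
            else if ($i ~ /^DPT=/)   dpt   = substr($i, 5)
            else if ($i ~ /^PROTO=/) proto = substr($i, 7)
            else if ($i ~ /^(SYN|ACK|FIN|RST|PSH|URG)$/)
                flags = (flags == "" ? $i : flags "," $i)
        }
        count[proto " " dst ":" dpt " " flags]++
    }
    END { for (k in count) print count[k], k }
    ' | sort -rn
}

# The rules Joe quotes (log, then let everything out anyway) next to a
# variant that drops what conntrack calls INVALID. The stricter set is a
# policy choice SuSEfirewall2 deliberately does not make: it will silently
# break the client emitting these packets, so use it for diagnosis, not
# as a default. ${LOG} is assumed to expand to the prefix seen in the log.
show_output_rules() {
    cat <<'EOF'
# as quoted from SuSEfirewall2 (packet is logged, then still accepted):
iptables -A OUTPUT -j ACCEPT -m state --state NEW,ESTABLISHED,RELATED
iptables -A OUTPUT -j LOG --log-prefix "SFW2-OUT-ERROR "
iptables -A OUTPUT -j ACCEPT

# stricter variant (log INVALID, drop INVALID, accept the rest):
iptables -A OUTPUT -j ACCEPT -m state --state NEW,ESTABLISHED,RELATED
iptables -A OUTPUT -m state --state INVALID -j LOG --log-prefix "SFW2-OUT-ERROR "
iptables -A OUTPUT -m state --state INVALID -j DROP
iptables -A OUTPUT -j ACCEPT
EOF
}

# Usage: summarise the sample, then print the rule sets. On a real box
# feed it `grep SFW2-OUT-ERROR /var/log/messages` instead of the sample.
printf '%s\n' "$SAMPLE_LOG" | summarize_out_errors
echo
show_output_rules
```

For the sample above the summary is two lines, `2 TCP 85.85.72.60:4712 ACK` and `1 TCP 10.9.8.7:80 ACK,RST`, which is exactly the "many to the same machine" shape Carlos describes; a real log that shows the same shape points at the client or path for that one peer, while errors spread across many peers point at something local, as Joe suggests. Whichever rule set is in place, `iptables -L OUTPUT -n -v --line-numbers` on the host confirms the LOG rule's position and whether an ACCEPT or a DROP follows it.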