[opensuse-security] SuSEfirewall2 SFW2-OUT-ERROR messages
Hi there,

after having some problems reaching some web sites I found some messages in /var/log/firewall which all look like this:

Sep 1 15:54:38 linux kernel: SFW2-OUT-ERROR IN= OUT=dsl0 SRC=84.172.xxx.xx DST=205.188.234.120 LEN=52 TOS=0x00 PREC=0x00 TTL=64 ID=16961 DF PROTO=TCP SPT=29084 DPT=80 WINDOW=1954 RES=0x00 ACK FIN URGP=0 OPT (0101080A001FDE00356C0128)

205.188.234.120, which could not be reached, is a Shoutcast machine. I wonder why SuSEfirewall2 has blocked this.

I use a standard configuration, a DSL modem connected to eth0, OS is SuSE Linux 10.0. /etc/sysconfig/SuSEfirewall2 is left untouched, mainly only important things are set like

FW_DEV_EXT="any dsl0 eth-id-00:30:84:75:fa:56 ippp0 ppp0"

Do you have any idea where this comes from?

TIA
Malte
On Sunday, 2 September 2007 22:26, Malte Gell wrote:
> after having some problems reaching some web sites I found some messages in /var/log/firewall which all look like this:
>
> Sep 1 15:54:38 linux kernel: SFW2-OUT-ERROR IN= OUT=dsl0 SRC=84.172.xxx.xx DST=205.188.234.120 LEN=52 TOS=0x00 PREC=0x00 TTL=64 ID=16961 DF PROTO=TCP SPT=29084 DPT=80 WINDOW=1954 RES=0x00 ACK FIN URGP=0 OPT (0101080A001FDE00356C0128)
>
> 205.188.234.120, which could not be reached, is a Shoutcast machine. I wonder why SuSEfirewall2 has blocked this.
I doubt that SFW2 blocked the connection to 205.188.234.120. Why?

1. Your log entry is just a log entry. See "iptables -nvL OUTPUT": the rule causing SFW2-OUT-ERRORs goes to LOG. This is a "non-terminating target" and the default policy is ACCEPT. Hence, no block, just log.

2. The packet caught by the log entry is ACK FIN. Such packets belong to the TCP teardown and will terminate a TCP connection. Thus, SFW2 just blocked a termination, not a connection attempt.
> [...] Do you have any idea where this comes from?
For me it looks like iptables assumes that the connection was already closed and, thus, has left the ESTABLISHED state. Consequently, the rule in the OUTPUT chain that catches packets of state NEW,RELATED,ESTABLISHED is not hit. Perhaps the entry in the connection tracking table (see /proc/net/ip_conntrack) already expired due to a timeout. This makes sense if you actually had problems reaching a destination: after a while your computer tries to close the never completely established connection that iptables is no longer aware of.

Sorry, no better explanation available. :-/

Regards,
Jan
--
The person who knows everything has a lot to learn.
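To check Jan's second point on a whole log file rather than one line, here is a small triage script (an added example, not code from the thread or from SuSEfirewall2) that parses netfilter LOG lines and classifies each SFW2-OUT-ERROR packet by its TCP flags. The sample log is constructed: the first line is the one from the post, the second is an invented SYN packet to a reserved test address.

```python
import re

# Constructed sample log: line 1 is the entry from the thread (SRC masked as posted),
# line 2 is an invented outbound SYN so both classes of packet are exercised.
SAMPLE_LOG = """\
Sep 1 15:54:38 linux kernel: SFW2-OUT-ERROR IN= OUT=dsl0 SRC=84.172.xxx.xx DST=205.188.234.120 LEN=52 TOS=0x00 PREC=0x00 TTL=64 ID=16961 DF PROTO=TCP SPT=29084 DPT=80 WINDOW=1954 RES=0x00 ACK FIN URGP=0 OPT (0101080A001FDE00356C0128)
Sep 1 16:02:11 linux kernel: SFW2-OUT-ERROR IN= OUT=dsl0 SRC=10.0.0.5 DST=192.0.2.9 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=2 DF PROTO=TCP SPT=40000 DPT=443 WINDOW=5840 RES=0x00 SYN URGP=0
"""

# Bare tokens the netfilter LOG target emits for set TCP flags.
TCP_FLAGS = {"SYN", "ACK", "FIN", "RST", "PSH", "URG"}


def parse_netfilter_line(line):
    """Split a netfilter LOG line into KEY=VALUE fields plus a FLAGS set.

    Tokens without '=' that are not TCP flags (DF, OPT, the option bytes) are ignored.
    """
    m = re.search(r"kernel: (SFW2-[A-Z-]+)\s+(.*)$", line)
    if not m:
        return None
    rec = {"PREFIX": m.group(1), "FLAGS": set()}
    for tok in m.group(2).split():
        if "=" in tok:
            key, value = tok.split("=", 1)
            rec[key] = value
        elif tok in TCP_FLAGS:
            rec["FLAGS"].add(tok)
    return rec


def classify(rec):
    """Connection attempt (bare SYN), teardown (FIN/RST) or mid-stream data?"""
    if rec.get("PROTO") != "TCP":
        return "non-tcp"
    flags = rec["FLAGS"]
    if "SYN" in flags and "ACK" not in flags:
        return "connection-attempt"
    if "FIN" in flags or "RST" in flags:
        return "teardown"
    return "mid-stream"


def triage(log_text):
    """Return (DST, DPT, verdict) for every SFW2-OUT-ERROR line in the log text."""
    results = []
    for line in log_text.splitlines():
        rec = parse_netfilter_line(line)
        if rec and rec["PREFIX"] == "SFW2-OUT-ERROR":
            results.append((rec["DST"], rec["DPT"], classify(rec)))
    return results
```

Only "connection-attempt" entries indicate traffic the OUTPUT rule set actually refused to start; "teardown" entries are the expired-conntrack case described above.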