Mailinglist Archive: opensuse-security (88 mails)

Re: [suse-security] Firewall denying outgoing connections?
  • From: "Carlos E. R." <robin1.listas@xxxxxxxxxx>
  • Date: Sat, 15 Apr 2006 01:18:20 +0200 (CEST)
  • Message-id: <Pine.LNX.4.61.0604150108460.15089@xxxxxxxxxxxxxxxx>

The Saturday 2006-04-15 at 00:49 +0200, Joe Knall wrote:

> let me try to give you a hint though I'm not an expert on SuSEfirewall2.

Ok :-)

> On Freitag, 14. April 2006 17:06 Carlos E. R. wrote:
> > What causes this error in the firewall?
> >
> > Apr 14 17:03:37 nimrodel kernel: SFW2-OUT-ERROR IN= OUT=eth0
> > SRC= DST= LEN=40 TOS=0x08 PREC=0x00 TTL=64
> > ID=53126 DF PROTO=TCP SPT=6881 DPT=4712 WINDOW=32767 RES=0x00 ACK
> > URGP=0
> The log tells you that your client (SRC=, SPT=6881) sends
> somehow invalid answers (ACK) to a machine on the internet
> (DST=, DPT=4712, tcp).

Ah. That is starting to make some sense.

> Why ERROR, not DROP?
> As far as I can see SuSEfirewall2 doesn't block any outgoing connections
> - your machine may connect wherever.
> In /sbin/SuSEfirewall2 is exactly one place that produces this ERROR log
> (lines 1104-1105, suse 9.3):
> $iptables -A OUTPUT -j ACCEPT -m state --state NEW,ESTABLISHED,RELATED
> $iptables -A OUTPUT -j LOG ${LOG}"-OUT-ERROR "
> A packet which is not in NEW,ESTABLISHED,RELATED must be invalid
> somehow, it's not handled by the first line but the second. But it
> doesn't seem to be dropped afterwards, only logged as ERROR!
> The immediately next three lines say:
> # we want to let locally generated packets out since our task is not
> # to protect the world from us, but protect us from the world ;)
> # policy is ACCEPT
> $iptables -A OUTPUT -j ACCEPT
> So your problem probably has nothing to do with the firewall itself but
> the client or something in between (invalid packets).

Well, it logged about a dozen or more of such to the same machine; the
error is occasional, but when it happens, it is repeatable. It is not
related to only one client, because previously I saw it when browsing with
Mozilla, now and then, and now I see it with BitTorrent-4.0.2-3.1, but
many. It may be related to something wrong deep somewhere in the kernel or
glibc or who knows.

> Apart from this your last paragraph shows some essential
> misunderstanding:
> > port 6881 is allowed entry in the config:
> >
> > FW_SERVICES_EXT_TCP="6881:6889"
> This has _nothing_ to do with the above.

I know, I know. I only added the reference to that for completeness, just
in case.

--
Carlos Robinson
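The thread above reads one SFW2-OUT-ERROR line by hand. As an added illustration (not code from the list, from SuSEfirewall2 or from either poster), here is a small parser for the netfilter LOG format those lines use: it splits the key=value fields from the bare flag tokens (DF, ACK, SYN...), states the verdict Joe Knall derived from the SuSEfirewall2 rules (an -OUT-ERROR entry is a locally generated packet that matched none of NEW/ESTABLISHED/RELATED, logged and then accepted), and counts repeats per peer so that a burst to one machine, as Carlos describes, stands out. The sample lines, addresses and the SFW2-INext-DROP-DEFLT contrast line are constructed; the SRC/DST values were blank in the original post.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed sample log in the netfilter LOG format shown on the page.
# Addresses are documentation ranges, not real hosts; the second line is a
# made-up inbound drop for contrast.
SAMPLE_LOG = """\
Apr 14 17:03:37 nimrodel kernel: SFW2-OUT-ERROR IN= OUT=eth0 SRC=192.0.2.10 DST=198.51.100.7 LEN=40 TOS=0x08 PREC=0x00 TTL=64 ID=53126 DF PROTO=TCP SPT=6881 DPT=4712 WINDOW=32767 RES=0x00 ACK URGP=0
Apr 14 17:03:39 nimrodel kernel: SFW2-INext-DROP-DEFLT IN=eth0 OUT= SRC=198.51.100.9 DST=192.0.2.10 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=0 DF PROTO=TCP SPT=40000 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0
Apr 14 17:03:40 nimrodel kernel: SFW2-OUT-ERROR IN= OUT=eth0 SRC=192.0.2.10 DST=198.51.100.7 LEN=40 TOS=0x08 PREC=0x00 TTL=64 ID=53127 DF PROTO=TCP SPT=6881 DPT=4712 WINDOW=32767 RES=0x00 ACK URGP=0
"""

# syslog timestamp, host, "kernel:", the SuSEfirewall2 LOG prefix, then the fields
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s+[\d:]+)\s+(?P<host>\S+)\s+kernel:\s+"
    r"(?P<prefix>SFW2-\S+)\s+(?P<rest>.*)$"
)
TCP_FLAGS = {"SYN", "ACK", "FIN", "RST", "PSH", "URG", "ECE", "CWR"}


@dataclass
class NetfilterLogEntry:
    timestamp: str
    host: str
    prefix: str
    fields: Dict[str, str]   # KEY=value tokens; IN= / OUT= may be empty
    flags: List[str]         # bare tokens such as DF, SYN, ACK


def parse_line(line: str) -> Optional[NetfilterLogEntry]:
    """Parse one kernel LOG line; return None for lines in another format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    fields: Dict[str, str] = {}
    flags: List[str] = []
    for tok in m.group("rest").split():
        if "=" in tok:
            key, value = tok.split("=", 1)
            fields[key] = value
        else:
            flags.append(tok)
    return NetfilterLogEntry(m.group("ts"), m.group("host"), m.group("prefix"), fields, flags)


def describe(entry: NetfilterLogEntry) -> str:
    """One-line reading of an entry, following the rule order quoted in the thread."""
    f = entry.fields
    tcp_flags = "/".join(x for x in entry.flags if x in TCP_FLAGS) or "none"
    where = (f"{f.get('SRC', '?')}:{f.get('SPT', '?')} -> "
             f"{f.get('DST', '?')}:{f.get('DPT', '?')} {f.get('PROTO', '?')} flags={tcp_flags}")
    if entry.prefix.endswith("-OUT-ERROR"):
        # matched none of NEW,ESTABLISHED,RELATED in the OUTPUT chain, i.e. conntrack
        # INVALID; the following rule is ACCEPT, so it is logged but not dropped
        verdict = "locally generated packet with no conntrack state; logged, then accepted"
    elif "DROP" in entry.prefix:
        verdict = "dropped by the rule that logged it"
    else:
        verdict = "logged by another SuSEfirewall2 rule"
    return f"{entry.prefix}: {where}: {verdict}"


def summarize(log_text: str) -> Dict[Tuple[str, str, str, str, str], int]:
    """Count entries per (prefix, SRC, SPT, DST, DPT); repeats to one peer get a high count."""
    counts: Dict[Tuple[str, str, str, str, str], int] = {}
    for line in log_text.splitlines():
        e = parse_line(line)
        if e is None:
            continue
        f = e.fields
        key = (e.prefix, f.get("SRC", ""), f.get("SPT", ""), f.get("DST", ""), f.get("DPT", ""))
        counts[key] = counts.get(key, 0) + 1
    return counts


if __name__ == "__main__":
    for raw in SAMPLE_LOG.splitlines():
        entry = parse_line(raw)
        if entry:
            print(describe(entry))
    for key, n in summarize(SAMPLE_LOG).items():
        print(n, "x", key)
```

Fed real /var/log/messages lines, the summary separates a one-off stray packet from the repeated pattern to a single peer that the thread discusses; since the OUTPUT chain accepts these packets anyway, the log prefix is the only trace they leave.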

