LinuxQuestions.org
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.
Old 03-11-2005, 11:49 AM   #1
cherylchase
LQ Newbie
 
Registered: Dec 2004
Location: California
Distribution: RHEL3
Posts: 13

Rep: Reputation: 0
What process sent packets dropped by firewall?


I am running RHEL 3, with APF firewall on a dedicated server. This is a web server in a data center, so I have most things tightened up. No one is allowed to login to the machine but me (ssh). I have users who use http, https, pops, smtp, imap.

APF is dropping outgoing packets like these, and I would like to figure out how/why/by whom they are being sent. How can I get back from these /var/log/messages to the process?


Code:
Mar 11 07:26:28 roseland kernel: ** OUT_TCP DROP ** IN= OUT=eth0 SRC=67.18.50.202 DST=80.116.190.98 LEN=40 TOS=0x00 PREC=0x00 TTL=64 ID=63778 DF PROTO=TCP SPT=80 DPT=2038 WINDOW=5840 RES=0x00 ACK FIN URGP=0

Mar 11 02:00:07 roseland kernel: ** OUT_UDP DROP ** IN= OUT=eth0 SRC=67.18.50.202 DST=67.18.50.201 LEN=76 TOS=0x00 PREC=0x00 TTL=64 ID=7 DF PROTO=UDP SPT=43196 DPT=123 LEN=56

Mar 11 08:40:10 roseland kernel: ** OUT_TCP DROP ** IN= OUT=eth0 SRC=67.18.50.202 DST=213.217.51.3 LEN=1500 TOS=0x00 PREC=0x00 TTL=64 ID=42317 DF PROTO=TCP SPT=80 DPT=62186 WINDOW=6432 RES=0x00 ACK URGP=0
 
Old 03-12-2005, 05:44 PM   #2
Mara
Moderator
 
Registered: Feb 2002
Location: Grenoble
Distribution: Debian
Posts: 9,696

Rep: Reputation: 232
It looks like they're sent by one machine. Is it the server one or another? SPT=80 means Apache probably (if it's using port 80). DPT=123 means time protocol. Maybe you're running a service that's trying to get time, but you block it?
 
Old 03-17-2005, 06:04 PM   #3
mcd
Member
 
Registered: Aug 2003
Location: Denver, CO
Distribution: CentOS, Debian
Posts: 825

Rep: Reputation: 33
maybe netstat -anp would help?
 
Old 03-18-2005, 05:36 AM   #4
this213
Member
 
Registered: Dec 2001
Location: ./
Distribution: Fedora, CentOS, RHEL, Gentoo
Posts: 167

Rep: Reputation: 34
There are 2 things going on here.

First, your firewall is dumping ACK and ACK FIN packets which your web server is sending out as part of the tcp/ip handshake. Look here:
http://www.vs.inf.ethz.ch/edu/WS0102...e-Diagram.html

The other entry is an ntp client on 67.18.50.202 trying to talk to an ntp server on 67.18.50.201; you should probably add a rule to your firewall that allows this, or reconfigure your ntp client. I'm speaking of this rule:
Code:
Mar 11 02:00:07 roseland kernel: ** OUT_UDP DROP ** IN= OUT=eth0 SRC=67.18.50.202 DST=67.18.50.201 LEN=76 TOS=0x00 PREC=0x00 TTL=64 ID=7 DF PROTO=UDP SPT=43196 DPT=123 LEN=56
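As an added example that is not part of this thread, the POSIX sh script below puts together what posts #1 and #4 ask for: it parses `** OUT_TCP DROP **` / `** OUT_UDP DROP **` lines in the format shown above, classifies each one from its TCP flags (or from UDP port 123 for NTP), and looks the local port up in a `netstat -anp`-style table to name the owning process, which is the `netstat -anp` approach suggested in post #3. The socket table, the third log line, the address 198.51.100.7 and the PIDs and program names (httpd, sshd, ntpd, wget) are constructed for the demo; on a real host you would replace the embedded table with the live output of `netstat -anp`.

```shell
#!/bin/sh
# Added example (not from the thread): correlate APF/iptables "OUT_* DROP" log
# lines from /var/log/messages with a `netstat -anp` socket table to name the
# owning process, and classify what each dropped packet most likely is.
# Runs offline: the log lines and the socket table below are constructed.

# Two lines taken from the thread plus one constructed outbound SYN.
LOG_TCP_FIN='Mar 11 07:26:28 roseland kernel: ** OUT_TCP DROP ** IN= OUT=eth0 SRC=67.18.50.202 DST=80.116.190.98 LEN=40 TOS=0x00 PREC=0x00 TTL=64 ID=63778 DF PROTO=TCP SPT=80 DPT=2038 WINDOW=5840 RES=0x00 ACK FIN URGP=0'
LOG_UDP_NTP='Mar 11 02:00:07 roseland kernel: ** OUT_UDP DROP ** IN= OUT=eth0 SRC=67.18.50.202 DST=67.18.50.201 LEN=76 TOS=0x00 PREC=0x00 TTL=64 ID=7 DF PROTO=UDP SPT=43196 DPT=123 LEN=56'
LOG_TCP_SYN='Mar 11 09:00:00 roseland kernel: ** OUT_TCP DROP ** IN= OUT=eth0 SRC=67.18.50.202 DST=198.51.100.7 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=5 DF PROTO=TCP SPT=51234 DPT=8080 WINDOW=5840 RES=0x00 SYN URGP=0'

# Constructed stand-in for `netstat -anp` output (PIDs/programs are assumptions).
SOCKETS=$(cat <<'EOF'
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      1234/httpd
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      987/sshd
tcp        0      0 67.18.50.202:51234      198.51.100.7:8080       SYN_SENT    4242/wget
udp        0      0 0.0.0.0:123             0.0.0.0:*                           1100/ntpd
EOF
)

# field LINE KEY: print the value of the last " KEY=value" token in LINE
# (empty if absent). The UDP line carries LEN= twice; the last one wins.
field() {
    printf '%s\n' "$1" | sed -n "s/.*[[:space:]]$2=\([^[:space:]]*\).*/\1/p"
}

# owner_of_port PROTO PORT: PID/Program of the socket bound to local PORT,
# matched on the "Local Address" column, or nothing if no socket is live.
owner_of_port() {
    printf '%s\n' "$SOCKETS" | awk -v p="$1" -v port="$2" '
        $1 == p && $4 ~ (":" port "$") { print $NF; exit }'
}

# explain LINE: "<kind>|<proto>/<spt>-><dst>:<dpt>|<owner>" for one log line.
# Flags are matched in the order ipt_LOG prints them (e.g. "ACK FIN", "ACK SYN").
explain() {
    line=$1
    proto=$(field "$line" PROTO | tr 'A-Z' 'a-z')
    spt=$(field "$line" SPT)
    dpt=$(field "$line" DPT)
    dst=$(field "$line" DST)
    case "$proto" in
        tcp)
            case " $line " in
                *" ACK SYN "*)       kind="server-reply" ;;      # answer to an inbound SYN
                *" SYN "*)           kind="new-connection" ;;    # this host opened it: find the process
                *" FIN "*|*" RST "*) kind="teardown" ;;          # end of a connection (post #4's case)
                *" ACK "*)           kind="established-data" ;;  # mid-connection segment
                *)                   kind="tcp-unknown" ;;
            esac ;;
        udp)
            if [ "$dpt" = 123 ]; then kind="ntp-client"; else kind="udp"; fi ;;
        *)  kind="unknown" ;;
    esac
    owner=$(owner_of_port "$proto" "$spt")
    [ -n "$owner" ] || owner="no-live-socket"
    printf '%s|%s/%s->%s:%s|%s\n' "$kind" "$proto" "$spt" "$dst" "$dpt" "$owner"
}

for l in "$LOG_TCP_FIN" "$LOG_UDP_NTP" "$LOG_TCP_SYN"; do
    explain "$l"
done
```

The UDP line comes back as `no-live-socket`: ntpd is bound to port 123, not to the ephemeral port 43196, so the sender was a short-lived client of the kind post #4 describes, already gone by the time `netstat` runs. The same applies to ACK/FIN teardown packets, except that a listener on the local port (httpd on 80) still names the responsible daemon. Packets that cannot be attributed this way are the ones to check with a repeated lookup, or with process accounting or auditd, rather than a single `netstat` snapshot.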
 
Old 03-18-2005, 09:36 AM   #5
TruckStuff
Member
 
Registered: Apr 2002
Posts: 498

Rep: Reputation: 30
Quote:
Originally posted by this213
First, your firewall is dumping ACK and ACK FIN packets which your web server is sending out as part of the tcp/ip handshake. Look here:
http://www.vs.inf.ethz.ch/edu/WS0102...e-Diagram.html
So why doesn't iptables pick these packets up as established or related to the new connection?
 