[ale] iptables issue

Jim Popovitch jimpop at yahoo.com
Mon Jul 17 01:59:15 EDT 2006


JK wrote:
> Jim Popovitch wrote:
> 
>> JK wrote:
>>
>>> This appears to be a server-side "close connection"
>>> packet (FIN).  It may be that it's a
>>> re-send of a FIN that had been sent previously,
>>> and at the time it was put in the outgoing queue,
>>> the connection was still open. By the time it
>>> got into the filter, though, the client had
>>> replied to the earlier FIN and the connection was
>>> closed.  (This is just a hypothesis; I don't
>>> know whether the kernel's handling of closing
>>> connections would actually admit this behavior.)
>>
>> Interesting theory.  I checked the logs and sure enough every outbound 
>> block is a FIN.  So, is there a way to add a rule to just allow all 
>> outbound FINs?
> 
> iptables -A OUTPUT -p tcp --tcp-flags FIN FIN -j ACCEPT
> 
> should do it.  I'm not 100% certain that's a good
> idea, but I can't think offhand of a way that
> rule could be abused. You may want to add
> '--sport http'.

Will try.  Again, thank you.

-Jim P.
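As an added example (not from the thread): a small Python script in the defender's position here, which classifies the OUTPUT-chain drops in a netfilter LOG-target kern.log excerpt by TCP flags, so one can confirm that the blocked outbound packets really are only FIN segments, and from which source ports, before loosening the rule. The log lines and the `OUTDROP` log prefix are constructed.

```python
"""Classify outbound iptables LOG-target drops by TCP flags, to check the
'every outbound block is a FIN' observation before widening OUTPUT.
The log lines and the OUTDROP log prefix below are constructed."""
import re
from collections import Counter

TCP_FLAGS = ("SYN", "ACK", "FIN", "RST", "PSH", "URG")

# Constructed kern.log excerpt in the netfilter LOG format (one packet per line).
SAMPLE_LOG = """\
Jul 17 01:10:02 host kernel: OUTDROP IN= OUT=eth0 SRC=192.0.2.10 DST=198.51.100.7 LEN=40 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=TCP SPT=80 DPT=51234 WINDOW=0 RES=0x00 ACK FIN URGP=0
Jul 17 01:10:09 host kernel: OUTDROP IN= OUT=eth0 SRC=192.0.2.10 DST=198.51.100.8 LEN=40 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=TCP SPT=80 DPT=40022 WINDOW=0 RES=0x00 ACK FIN URGP=0
Jul 17 01:11:40 host kernel: OUTDROP IN= OUT=eth0 SRC=192.0.2.10 DST=203.0.113.5 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=4711 DF PROTO=TCP SPT=43120 DPT=25 WINDOW=5840 RES=0x00 SYN URGP=0
Jul 17 01:12:01 host kernel: OUTDROP IN= OUT=eth0 SRC=192.0.2.10 DST=198.51.100.9 LEN=40 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=TCP SPT=80 DPT=33001 WINDOW=0 RES=0x00 ACK RST URGP=0
"""

# Log prefix, interfaces, protocol and (for TCP/UDP) the port pair.
LINE_RE = re.compile(r"(?P<prefix>\S+) IN=(?P<in>\S*) OUT=(?P<out>\S*) .*?"
                     r"PROTO=(?P<proto>\S+)(?: SPT=(?P<spt>\d+) DPT=(?P<dpt>\d+))?")

def parse_line(line):
    """Return prefix, proto, ports and the TCP flag set for one LOG line, or None."""
    m = LINE_RE.search(line)
    if not m:
        return None
    # Flag names are emitted as bare tokens after the port fields (e.g. "ACK FIN").
    flags = frozenset(tok for tok in line[m.end():].split() if tok in TCP_FLAGS)
    return {"prefix": m.group("prefix"), "out": m.group("out"), "proto": m.group("proto"),
            "sport": int(m.group("spt")) if m.group("spt") else None,
            "dport": int(m.group("dpt")) if m.group("dpt") else None, "flags": flags}

def summarize(log_text, prefix="OUTDROP"):
    """Count dropped TCP packets per flag combination; report how many are teardown
    segments (FIN or FIN+ACK) and how many of those left from source port 80."""
    by_flags = Counter()
    fin_total = fin_from_http = 0
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["prefix"] != prefix or rec["proto"] != "TCP":
            continue
        by_flags[" ".join(sorted(rec["flags"]))] += 1
        if rec["flags"] in ({"FIN"}, {"FIN", "ACK"}):
            fin_total += 1
            if rec["sport"] == 80:
                fin_from_http += 1
    total = sum(by_flags.values())
    return {"total": total, "by_flags": dict(by_flags), "fin": fin_total,
            "fin_from_http": fin_from_http, "only_fins": total > 0 and fin_total == total}
```

If `only_fins` comes back false, some drops are not teardown segments and a FIN-only accept rule would not explain them; the `fin_from_http` count shows how much of the problem a `--sport http` restriction would still cover.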
