ACK PSH FIN Drops by Netfilter

To: debian-firewall@lists.debian.org
Subject: ACK PSH FIN Drops by Netfilter
From: Oliver Fritz <smoto@gmx.de>
Date: Tue, 09 Nov 2004 19:47:43 +0100
Message-id: <419110CF.8000407@gmx.de>

Hello,

I'm interested in solving the following problem:

I wrote netfilterrules for Kernel 2.4. Everythings works fine. Allwanted services are working properly, but anyway my global DROP ruledrops HTTP pacets in wich the options ACK PSH FIN are set. I don't knowif all pacets of that kind are dropped, but I oberserve quiete a lot ofthem. HTTP Traffic is about 5 MBit/sec and netfilter drops about 2pacets per second.Question: Why does netfilter does this? Is there a possibilty that theconntrack doesn't know these connections anymore? In which context arethese TCP options set?


Thx.

--
  ____  ______
 / __ \/ ____/	*** Dipl.-Inform. Oliver Fritz ***
/ / / / /_	phone:	+49 175 xxxxxxxx
/ /_/ / __/	mail:	oliver@oliver-fritz.de
\____/_/	WWW:	http://www.oliver-fritz.de

*** Life starts at 9000 RPM ***

Reply to:

Prev by Date: Re: Input rule to accept new SYN flag set packets
Next by Date: iptables mark target
Previous by thread: Request Complete
Next by thread: iptables mark target
Index(es):
- Date
- Thread