[8.980][QUESTION] Lots of dropped packages with RST as state.

Hi All,

I've opened some ports for bittorrent: 6881:7881 to be precise.

I have a DNAT on my WAN interface for those ports on TCP/UDP that forwards them to the pc in question.
I also have an exception that will alow the PC to connect to any port on the internet if it comes from the previously mentioned range (So 2 Different Service Objects)

This seems to work fine... however a lot of packets are dropped with a RST state, It seems harmless, but it's still annoying to see your log file up.

I also notice a lot of drops of ACK PSH FIN's on ActiveSync connections.
They remain open for a very long time. This could possibly be related.

Below is a small snipet that shows one from activesync and the others from torrents.

I probably made an error somewhere, but I'm not sure were since everything seems to work. ActiveSync randomy goes broken for a few minutes until a new connection is made, this is also annoying but not to bad.

17:16:11 	Default DROP 	TCP 	

91.121.217.18 	: 	443

	→ 	

91.176.70.98 	: 	60122

	

[ACK PSH FIN] 	len=803 	ttl=64 	tos=0x00 	srcmac=0:50:56:8:6b:a3

17:16:17 	Default DROP 	TCP 	

82.192.84.140 	: 	64628

	→ 	

188.165.142.66 	: 	7502

	

[RST] 	len=40 	ttl=57 	tos=0x00 	srcmac=ec:30:91:e0[:D]f:80 	dstmac=0:50:56:2:27:f3

17:16:19 	Default DROP 	TCP 	

46.59.99.187 	: 	51413

	→ 	

188.165.142.66 	: 	7507

	

[RST] 	len=40 	ttl=56 	tos=0x00 	srcmac=ec:30:91:e0[:D]f:80 	dstmac=0:50:56:2:27:f3

17:16:19 	Default DROP 	TCP 	

91.121.177.126 	: 	54377

	→ 	

188.165.142.66 	: 	7511

	

[RST] 	len=40 	ttl=60 	tos=0x00 	srcmac=ec:30:91:e0[:D]f:80 	dstmac=0:50:56:2:27:f3

17:16:21 	Default DROP 	TCP 	

72.211.230.125 	: 	51308

	→ 	

188.165.142.66 	: 	7508

	

[RST] 	len=40 	ttl=52 	tos=0x00 	srcmac=ec:30:91:e0[:D]f:80 	dstmac=0:50:56:2:27:f3

17:16:23 	Default DROP 	TCP 	

24.11.81.54 	: 	50010

	→ 	

188.165.142.66 	: 	7519

	

[RST] 	len=40 	ttl=51 	tos=0x00 	srcmac=ec:30:91:e0[:D]f:80 	dstmac=0:50:56:2:27:f3

0 kbr over 12 years ago

Can you please copy the relevant lines from the packet filter log instead? The live log isn't that appropriate...

Cheers,
Kai
Cancel
Vote Up 0 Vote Down

Sign in to reply

Verify Answer

Cancel
0 sjorge over 12 years ago in reply to kbr

The log consist of mostly the following:
2012:06:25-00:00:21 osaka ulogd[4489]: id="2001" severity="info" sys="SecureNet" - Pastebin.com

This is jsut a random selection, but more or less all the same range of ports 6881:7881

For the sake of completion,...
DNAT:

IPv6 In:

IPv4+IPv6 Out:
Cancel
Vote Up 0 Vote Down

Sign in to reply

Verify Answer

Cancel
0 BarryG over 12 years ago

Hi, I don't see anything specifically wrong, but a few comments:

1. Many of the packetfilter log entries are for other services; it would be more clear if you filtered it.

2. I'm not sure which is your IP in the log. Also, it would be wise to obfuscate part of your IP with x's.

3. 1000 ports seems excessive. I'm not familiar with Deluge, but uTorrent and Azuerus/Vuze only need 1 port.

Barry
Cancel
Vote Up 0 Vote Down

Sign in to reply

Verify Answer

Cancel

0 sjorge over 12 years ago in reply to BarryG

1. Many of the packetfilter log entries are for other services; it would be more clear if you filtered it.

Here is a cleaner sample, I replace the IP's with something more descriptive

2012:06:26-11:55:37 osaka ulogd[4489]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60001" initf="eth2" srcmac="ga:te:wa:yn:ac:ad" dstmac="fw:ma:ca[:D]d:re:ss" srcip="rem.ote.ip.addr" dstip="my.ext.ip.addr" proto="6" length="40" tos="0x00" prec="0x00" ttl="57" srcport="63195" dstport="7273" tcpflags="RST" 

2012:06:26-11:55:39 osaka ulogd[4489]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60001" initf="eth2" srcmac="ga:te:wa:yn:ac:ad" dstmac="fw:ma:ca[:D]d:re:ss" srcip="rem.ote.ip.addr" dstip="my.ext.ip.addr" proto="6" length="40" tos="0x00" prec="0x00" ttl="59" srcport="60017" dstport="7275" tcpflags="RST" 

2012:06:26-11:55:41 osaka ulogd[4489]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60001" initf="eth2" srcmac="ga:te:wa:yn:ac:ad" dstmac="fw:ma:ca[:D]d:re:ss" srcip="rem.ote.ip.addr" dstip="my.ext.ip.addr" proto="6" length="40" tos="0x00" prec="0x00" ttl="59" srcport="61302" dstport="7292" tcpflags="RST" 

2012:06:26-11:55:41 osaka ulogd[4489]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60001" initf="eth2" srcmac="ga:te:wa:yn:ac:ad" dstmac="fw:ma:ca[:D]d:re:ss" srcip="rem.ote.ip.addr" dstip="my.ext.ip.addr" proto="6" length="40" tos="0x00" prec="0x00" ttl="51" srcport="50010" dstport="7290" tcpflags="RST" 

2012:06:26-11:55:43 osaka ulogd[4489]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60001" initf="eth2" srcmac="ga:te:wa:yn:ac:ad" dstmac="fw:ma:ca[:D]d:re:ss" srcip="rem.ote.ip.addr" dstip="my.ext.ip.addr" proto="6" length="40" tos="0x00" prec="0x00" ttl="60" srcport="52307" dstport="7305" tcpflags="RST" 

2012:06:26-11:55:43 osaka ulogd[4489]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60001" initf="eth2" srcmac="ga:te:wa:yn:ac:ad" dstmac="fw:ma:ca[:D]d:re:ss" srcip="rem.ote.ip.addr" dstip="my.ext.ip.addr" proto="6" length="40" tos="0x00" prec="0x00" ttl="60" srcport="52307" dstport="7299" tcpflags="RST" 

2012:06:26-11:55:46 osaka ulogd[4489]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60001" initf="eth2" srcmac="ga:te:wa:yn:ac:ad" dstmac="fw:ma:ca[:D]d:re:ss" srcip="rem.ote.ip.addr" dstip="my.ext.ip.addr" proto="6" length="40" tos="0x00" prec="0x00" ttl="52" srcport="51412" dstport="7317" tcpflags="RST" 

2012:06:26-11:55:46 osaka ulogd[4489]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60001" initf="eth2" srcmac="ga:te:wa:yn:ac:ad" dstmac="fw:ma:ca[:D]d:re:ss" srcip="rem.ote.ip.addr" dstip="my.ext.ip.addr" proto="6" length="40" tos="0x00" prec="0x00" ttl="57" srcport="51413" dstport="7320" tcpflags="RST" 

2012:06:26-11:55:55 osaka ulogd[4489]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60001" initf="eth2" srcmac="ga:te:wa:yn:ac:ad" dstmac="fw:ma:ca[:D]d:re:ss" srcip="rem.ote.ip.addr" dstip="my.ext.ip.addr" proto="6" length="40" tos="0x00" prec="0x00" ttl="46" srcport="49664" dstport="7346" tcpflags="RST" 

2012:06:26-11:56:03 osaka ulogd[4489]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60001" initf="eth2" srcmac="ga:te:wa:yn:ac:ad" dstmac="fw:ma:ca[:D]d:re:ss" srcip="rem.ote.ip.addr" dstip="my.ext.ip.addr" proto="6" length="40" tos="0x00" prec="0x00" ttl="59" srcport="57228" dstport="7375" tcpflags="RST" 

2012:06:26-11:56:08 osaka ulogd[4489]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60001" initf="eth2" srcmac="ga:te:wa:yn:ac:ad" dstmac="fw:ma:ca[:D]d:re:ss" srcip="rem.ote.ip.addr" dstip="my.ext.ip.addr" proto="6" length="40" tos="0x00" prec="0x00" ttl="49" srcport="54059" dstport="7388" tcpflags="RST" 

2012:06:26-11:56:11 osaka ulogd[4489]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60001" initf="eth2" srcmac="ga:te:wa:yn:ac:ad" dstmac="fw:ma:ca[:D]d:re:ss" srcip="rem.ote.ip.addr" dstip="my.ext.ip.addr" proto="6" length="40" tos="0x00" prec="0x00" ttl="51" srcport="51413" dstport="7406" tcpflags="RST" 

2012:06:26-11:56:11 osaka ulogd[4489]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60001" initf="eth2" srcmac="ga:te:wa:yn:ac:ad" dstmac="fw:ma:ca[:D]d:re:ss" srcip="rem.ote.ip.addr" dstip="my.ext.ip.addr" proto="6" length="40" tos="0x00" prec="0x00" ttl="52" srcport="51308" dstport="7400" tcpflags="RST" 

2012:06:26-11:56:17 osaka ulogd[4489]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60001" initf="eth2" srcmac="ga:te:wa:yn:ac:ad" dstmac="fw:ma:ca[:D]d:re:ss" srcip="rem.ote.ip.addr" dstip="my.ext.ip.addr" proto="6" length="40" tos="0x00" prec="0x00" ttl="57" srcport="64628" dstport="7423" tcpflags="RST" 

2012:06:26-11:56:17 osaka ulogd[4489]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60001" initf="eth2" srcmac="ga:te:wa:yn:ac:ad" dstmac="fw:ma:ca[:D]d:re:ss" srcip="rem.ote.ip.addr" dstip="my.ext.ip.addr" proto="6" length="40" tos="0x00" prec="0x00" ttl="52" srcport="51413" dstport="7420" tcpflags="RST" 

2012:06:26-11:56:32 osaka ulogd[4489]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60001" initf="eth2" srcmac="ga:te:wa:yn:ac:ad" dstmac="fw:ma:ca[:D]d:re:ss" srcip="rem.ote.ip.addr" dstip="my.ext.ip.addr" proto="6" length="40" tos="0x00" prec="0x00" ttl="61" srcport="57642" dstport="7463" tcpflags="RST" 

2012:06:26-11:56:33 osaka ulogd[4489]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60001" initf="eth2" srcmac="ga:te:wa:yn:ac:ad" dstmac="fw:ma:ca[:D]d:re:ss" srcip="rem.ote.ip.addr" dstip="my.ext.ip.addr" proto="6" length="40" tos="0x00" prec="0x00" ttl="59" srcport="57228" dstport="7466" tcpflags="RST" 

2012:06:26-11:56:33 osaka ulogd[4489]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60001" initf="eth2" srcmac="ga:te:wa:yn:ac:ad" dstmac="fw:ma:ca[:D]d:re:ss" srcip="rem.ote.ip.addr" dstip="my.ext.ip.addr" proto="6" length="40" tos="0x00" prec="0x00" ttl="61" srcport="51890" dstport="7468" tcpflags="RST" 

2012:06:26-11:56:33 osaka ulogd[4489]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60001" initf="eth2" srcmac="ga:te:wa:yn:ac:ad" dstmac="fw:ma:ca[:D]d:re:ss" srcip="rem.ote.ip.addr" dstip="my.ext.ip.addr" proto="6" length="40" tos="0x00" prec="0x00" ttl="61" srcport="61398" dstport="7472" tcpflags="RST" 

2012:06:26-11:56:36 osaka ulogd[4489]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60001" initf="eth2" srcmac="ga:te:wa:yn:ac:ad" dstmac="fw:ma:ca[:D]d:re:ss" srcip="rem.ote.ip.addr" dstip="my.ext.ip.addr" proto="6" length="40" tos="0x00" prec="0x00" ttl="61" srcport="57642" dstport="7480" tcpflags="RST" 

2012:06:26-11:56:36 osaka ulogd[4489]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60001" initf="eth2" srcmac="ga:te:wa:yn:ac:ad" dstmac="fw:ma:ca[:D]d:re:ss" srcip="rem.ote.ip.addr" dstip="my.ext.ip.addr" proto="6" length="40" tos="0x00" prec="0x00" ttl="61" srcport="57642" dstport="7478" tcpflags="RST" 

2012:06:26-11:56:36 osaka ulogd[4489]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60001" initf="eth2" srcmac="ga:te:wa:yn:ac:ad" dstmac="fw:ma:ca[:D]d:re:ss" srcip="rem.ote.ip.addr" dstip="my.ext.ip.addr" proto="6" length="40" tos="0x00" prec="0x00" ttl="61" srcport="57642" dstport="7482" tcpflags="RST"

2. I'm not sure which is your IP in the log. Also, it would be wise to obfuscate part of your IP with x's.

See above, since this is inbound traffic you can see the destport is withing the 6881:7881 range.

3. 1000 ports seems excessive. I'm not familiar with Deluge, but uTorrent and Azuerus/Vuze only need 1 port.

Yeah it is a lot, but there is nothing else on that IP aside from a VPN on port 443, so I saw no harm in giving deluge whatever the default range for outgoing and ingoing connections was.

0 kbr over 12 years ago

Sjorge,

can you please enable logging for the outbound packets too? I'd like to see whether these RST packets are due to a timeout our a protocol anomaly in Deluge... A (fitlered) tcpdump of one connection/connection attempt would also be helpful.

Cheers,
Kai
Cancel
Vote Up 0 Vote Down

Sign in to reply

Verify Answer

Cancel
0 sjorge over 12 years ago in reply to kbr
captures files as asked for:
osaka:/root # cat cap.sh
tcpdump -s0 -w in.cap 'dst portrange 6881-7881' &
tcpdump -s0 -w out.cap 'src portrange 6881-7881' &

Just doing a 'portrange 6881-7881' only seemed to capture the in part.

http://dl.dropbox.com/u/87878979/astaro/in.cap
http://dl.dropbox.com/u/87878979/astaro/out.cap
Cancel
Vote Up 0 Vote Down

Sign in to reply

Verify Answer

Cancel
0 kbr over 12 years ago
Hi Sjorge,

I really tried hard to get the two different dumps in sync, but it didn't work out...

can you please retry it with the following expression:
dst portrange 6881-7881 or src portrange 6881-7881

Thanks,
Kai
Cancel
Vote Up 0 Vote Down

Sign in to reply

Verify Answer

Cancel

[8.980][QUESTION] Lots of dropped packages with RST as state.

Submitted a Tech Support Case lately from the Support Portal?