
FW dropping ACK, RST/ACK & FIN/ACK packets though packets are from valid sessions

Does the ASG function in this manner?

When the firewall receives a TCP RST for an existing session it immediately clears the session from the session table. This means there is no longer a valid session for the TCP RST/ACK to pass through. Hence, the firewall will treat the TCP RST/ACK as a non-SYN first packet and drop it.
Thanks,

Jim

  • I've re-added my PF rule:
    source: ANY
    service: HTTP
    dest: ANY (also tried LAN)
    DROP (without logging)

    However, this isn't making a difference... I still have over 300k log entries per day like: 

    2010:02:22-15:58:56 (none) ulogd[2724]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60001" initf="eth0" dstmac="00:06:5b:04:bd:2f" srcmac="00:13:1a:66:e0:00" srcip="random.ip.addr" dstip="one.of.our.external.ip.addresses" proto="6" length="40" tos="0x00" prec="0x00" ttl="241" srcport="1198" dstport="80" tcpflags="ACK RST"

    and

    2010:02:22-15:58:57 (none) ulogd[2724]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60001" initf="eth0" dstmac="00:06:5b:04:bd:2f" srcmac="00:13:1a:66:e0:00" srcip="random.ip.addr" dstip="one.of.our.external.ip.addresses"  proto="6" length="40" tos="0x00" prec="0x00" ttl="119" srcport="59067" dstport="80" tcpflags="ACK FIN"

    I'll open a support case too.

    Barry
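As an added example (not code from the thread or from the ASG), this script parses ulogd "Packet dropped" lines like the ones above and classifies each drop by its TCP flags, so the flood of session-teardown stragglers (ACK RST, ACK FIN, bare ACK, which the firewall sees as non-SYN first packets once the session is cleared) can be separated from genuine blocked connection attempts (SYN). The sample lines are constructed with documentation addresses.

```python
import re
from collections import Counter

# Constructed sample lines in the ulogd packetfilter format seen in the thread.
SAMPLE_LOG = """\
2010:02:22-15:58:56 (none) ulogd[2724]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60001" initf="eth0" srcip="203.0.113.7" dstip="198.51.100.10" proto="6" length="40" ttl="241" srcport="1198" dstport="80" tcpflags="ACK RST"
2010:02:22-15:58:57 (none) ulogd[2724]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60001" initf="eth0" srcip="203.0.113.8" dstip="198.51.100.10" proto="6" length="40" ttl="119" srcport="59067" dstport="80" tcpflags="ACK FIN"
2010:02:22-15:58:58 (none) ulogd[2724]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60001" initf="eth0" srcip="203.0.113.9" dstip="198.51.100.10" proto="6" length="60" ttl="50" srcport="44000" dstport="22" tcpflags="SYN"
2010:02:22-15:58:59 (none) ulogd[2724]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60001" initf="eth0" srcip="203.0.113.7" dstip="198.51.100.10" proto="6" length="40" ttl="241" srcport="1198" dstport="80" tcpflags="ACK"
"""

KV_RE = re.compile(r'(\w+)="([^"]*)"')


def parse_line(line):
    """Return the key="value" fields of one ulogd packetfilter line as a dict."""
    return dict(KV_RE.findall(line))


def classify(fields):
    """Label a dropped packet by what its TCP flags say about session state.

    A stateful firewall only accepts a packet without SYN if a matching session
    is in its table; once the session has been cleared (e.g. on RST) the
    remaining teardown packets look like non-SYN first packets and are dropped.
    """
    if fields.get("proto") != "6":
        return "non-tcp"
    flags = set(fields.get("tcpflags", "").split())
    if "SYN" in flags:
        return "new-connection-attempt"  # a real blocked connect; review the rule
    if "RST" in flags:
        return "late-rst"                # teardown straggler after session removal
    if "FIN" in flags:
        return "late-fin"
    return "orphan-ack"                  # ACK with no session: retransmit/straggler


def summarize(log_text):
    """Count drops per (classification, dstport) to separate noise from signal."""
    counts = Counter()
    for line in log_text.splitlines():
        fields = parse_line(line)
        if fields.get("name") == "Packet dropped":
            counts[(classify(fields), fields.get("dstport"))] += 1
    return counts
```

Feed the real log through `summarize()`; if almost every entry lands in the late-rst/late-fin/orphan-ack buckets on port 80, the volume is session-teardown noise rather than hostile traffic, and a drop-without-logging rule (or the logging setting on the default drop) is the right lever.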