
Please help me: FW config issue FW dropping ACKs

I changed something (not sure what) which caused the following issue:

I get a lot of Default DROP on ACK and ACK PSH being dropped.

So what happens is I surf a website, the web page loads with a lot of out-of-order and DUP packets, and I get this in the live log:

18:29:24  Default DROP  TCP  MYINTERNETIP  :  56546→ 199.246.67.51  :  80 [ACK]  len=40  ttl=125  tos=0x00 srcmac=00:15:5d:01:0a:0b  dstmac=00:15:5d:01:0a:0c

I have a rule which allows Internet traffic from the local network to any dest for HTTP, but this drop is from my Internet IP (real IP, which is not in the local network range)...

This happens for many services, not only HTTP.

Am I supposed to have a rule that allows WAN IP to ANY dest on ANY services?

What's weird is that SYN works, and the website loads, but Astaro drops a bunch of ACKs during the transfer...


Please help


  • Please note that the HTTP proxy is disabled to troubleshoot this issue.
  • Here is something I think is strange: 3 packets are sent to a web server from a host (10.100.2.100). They are allowed.

    Right after, what seem to be the same 3 packets are DROPPED from my WAN IP to the Internet:

    2009:12:08-19:59:18 plasmashield ulogd[3108]: id="2002" severity="info" sys="SecureNet" sub="packetfilter" name="Packet accepted" action="accept" fwrule="3" seq="0" initf="eth1" outitf="eth0" dstmac="00:15:5d:01:0a:0c" srcmac="00:15:5d:01:0a:0b" srcip="10.100.2.100" dstip="207.96.160.37" proto="6" length="40" tos="0x00" prec="0x00" ttl="127" srcport="57485" dstport="80" tcpflags="ACK RST" 

    2009:12:08-19:59:18 plasmashield ulogd[3108]: id="2002" severity="info" sys="SecureNet" sub="packetfilter" name="Packet accepted" action="accept" fwrule="3" seq="0" initf="eth1" outitf="eth0" dstmac="00:15:5d:01:0a:0c" srcmac="00:15:5d:01:0a:0b" srcip="10.100.2.100" dstip="72.14.162.41" proto="6" length="40" tos="0x00" prec="0x00" ttl="127" srcport="57486" dstport="80" tcpflags="ACK RST" 

    2009:12:08-19:59:18 plasmashield ulogd[3108]: id="2002" severity="info" sys="SecureNet" sub="packetfilter" name="Packet accepted" action="accept" fwrule="3" seq="0" initf="eth1" outitf="eth0" dstmac="00:15:5d:01:0a:0c" srcmac="00:15:5d:01:0a:0b" srcip="10.100.2.100" dstip="72.14.162.41" proto="6" length="40" tos="0x00" prec="0x00" ttl="127" srcport="57484" dstport="80" tcpflags="ACK RST" 


    DROPPED PACKETS:

    2009:12:08-19:59:18 plasmashield ulogd[3108]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60002" seq="0" initf="eth1" outitf="eth0" dstmac="00:15:5d:01:0a:0c" srcmac="00:15:5d:01:0a:0b" srcip="WAN_INTERNETIP" dstip="207.96.160.37" proto="6" length="40" tos="0x00" prec="0x00" ttl="125" srcport="57485" dstport="80" tcpflags="ACK RST" 

    2009:12:08-19:59:18 plasmashield ulogd[3108]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60002" seq="0" initf="eth1" outitf="eth0" dstmac="00:15:5d:01:0a:0c" srcmac="00:15:5d:01:0a:0b" srcip="WAN_INTERNETIP" dstip="72.14.162.41" proto="6" length="40" tos="0x00" prec="0x00" ttl="125" srcport="57486" dstport="80" tcpflags="ACK RST" 

    2009:12:08-19:59:19 plasmashield ulogd[3108]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60002" seq="0" initf="eth1" outitf="eth0" dstmac="00:15:5d:01:0a:0c" srcmac="00:15:5d:01:0a:0b" srcip="WAN_INTERNETIP" dstip="72.14.162.41" proto="6" length="40" tos="0x00" prec="0x00" ttl="125" srcport="57484" dstport="80" tcpflags="ACK RST"

    Why, in the dropped (last 3) packets, is initf="eth1" and the srcip a WAN IP?

    ETH1 = Local network
    ETH0 = WAN
  • In the event that this helps anybody: I resolved the issue.

    I don't understand what was happening exactly, but it was due to the WAN NIC configuration on the Hyper-V host. IPv4 and IPv6 were enabled, when only Virtual Network Switch Protocol is supposed to be enabled (Hyper-V networking works differently than VMware ESX).

    So somehow, the Windows 2008 server was picking up packets and then tried to send them directly on the WAN (denied by the FW), and the real packets were also sent to Astaro and handled properly...
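
An added example, not part of the original thread: a small checker that reads packetfilter log lines in the format shown above, flags drops whose source IP does not belong on the ingress interface, and pairs each with the accepted packet of the same flow. The `/24` LAN prefix, the function names and the sample addresses (documentation ranges) are assumptions made for the illustration.

```python
import ipaddress
import re

# Assumption: the LAN range behind eth1. The thread only states eth1 = local
# network and shows host 10.100.2.100; the /24 prefix is a guess.
EXPECTED = {"eth1": ipaddress.ip_network("10.100.2.0/24")}
FIELD = re.compile(r'(\w+)="([^"]*)"')

def flow_key(rec):
    # Fields that are identical in the accepted packet and its dropped copy.
    return tuple(rec.get(k) for k in ("srcmac", "dstip", "srcport", "dstport", "tcpflags"))

def find_stray_copies(lines, expected=EXPECTED):
    """Return drops whose source IP does not belong on the ingress interface,
    paired with the LAN source of an accepted packet in the same flow, if any."""
    records = [dict(FIELD.findall(l)) for l in lines if 'sub="packetfilter"' in l]
    accepted = {flow_key(r): r.get("srcip") for r in records if r.get("action") == "accept"}
    findings = []
    for r in records:
        net = expected.get(r.get("initf"))
        if r.get("action") != "drop" or net is None:
            continue
        try:
            src = ipaddress.ip_address(r.get("srcip", ""))
        except ValueError:
            continue  # redacted or malformed address: cannot be classified
        if src not in net:
            findings.append((r["srcip"], r["initf"], r["dstip"], r["srcport"],
                             accepted.get(flow_key(r))))
    return findings

# Constructed sample in the thread's log format (not the poster's real log lines).
_BASE = ('2009:12:08-19:59:18 fw ulogd[3108]: id="{id}" sub="packetfilter" action="{act}" '
         'fwrule="{rule}" initf="eth1" outitf="eth0" srcmac="00:15:5d:01:0a:0b" '
         'srcip="{src}" dstip="{dst}" proto="6" srcport="{sp}" dstport="80" tcpflags="ACK RST"')
SAMPLE = [
    _BASE.format(id=2002, act="accept", rule=3, src="10.100.2.100", dst="198.51.100.37", sp=57485),
    _BASE.format(id=2001, act="drop", rule=60002, src="203.0.113.10", dst="198.51.100.37", sp=57485),
    _BASE.format(id=2001, act="drop", rule=60002, src="10.100.2.100", dst="198.51.100.99", sp=57490),
    _BASE.format(id=2001, act="drop", rule=60002, src="WAN_INTERNETIP", dst="198.51.100.37", sp=57486),
]

if __name__ == "__main__":
    for finding in find_stray_copies(SAMPLE):
        print(finding)
```

A finding whose last field is a LAN address means the same flow was seen twice on the LAN-side interface, once with the internal source and once with a source that should never appear there, which is the pattern the dropped lines in this thread show.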