Re: [Fwbuilder-discussion] Confusion over http packets
From: Mike H. <mi...@ne...> - 2011-01-15 00:45:43
Hi Steve,

This question comes up occasionally and appears to be related to how iptables behaves for specific types of connection activity. Here's a post from the netfilter mailing list that talks about it:

http://lists.netfilter.org/pipermail/netfilter/2005-August/062059.html

Is the HTTP traffic not working, or are you just concerned about the dropped packets you are seeing in the log?

Regards,
-mike

On Fri, Jan 14, 2011 at 12:27 PM, Steve Campbell <cam...@cn...> wrote:
> I have a firewall policy rule that basically says if coming from an
> address 10.0.0.170 to a specific address 192.9.200.251 using port 80,
> then allow the packet. It is rule #2 in my firewall rules. Rule #5 in my
> firewall policy rules blocks everything to that specific address that
> wasn't allowed in Rule #2. The firewall log reports the two following
> log entries:
>
> Jan 14 15:13:13 matchbox kernel: RULE 5 -- DENY IN=eth1 OUT=eth0
> SRC=10.0.0.170 DST=192.9.200.251 LEN=40 TOS=0x00 PREC=0x00 TTL=63
> ID=10961 DF PROTO=TCP SPT=45398 DPT=80 WINDOW=6432 RES=0x00 ACK FIN URGP=0
>
> Jan 14 15:16:53 matchbox kernel: RULE 2 -- ACCEPT IN=eth1 OUT=eth0
> SRC=10.0.0.170 DST=192.9.200.251 LEN=60 TOS=0x10 PREC=0x00 TTL=63
> ID=27809 DF PROTO=TCP SPT=36809 DPT=80 WINDOW=5840 RES=0x00 SYN URGP=0
>
> The first packet is when apache is used to access the destination. The
> second rule is when I telnet using port 80. The only difference I see in
> the log entries are the flags. I use the standard "http" service built
> into FWB to define these rules. I don't understand why the first log
> entry wouldn't be allowed by Rule 2 instead of dropping through and
> being trapped by Rule 5.
>
> Is there something I'm missing on the standard service defined in FWB
> for httpd, and should I change the flags on that service, or does this
> look suspicious?
>
> Thanks for any help
>
> Steve Campbell
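The two log lines quoted above differ only in their TCP flags, and that is the whole story: a bare SYN is a connection opener and can match a rule that accepts state NEW, whereas an ACK FIN packet is a teardown segment that can only be accepted through the connection tracker's ESTABLISHED entry. When no such entry exists any more (the tracked connection has already been closed or has timed out), a stray FIN/ACK creates no new entry, so it matches neither the NEW rule nor the ESTABLISHED rule and falls through to the final deny. The script below is an added example, not code from the original thread or from the fwbuilder project; it parses kernel LOG lines in the format fwbuilder emits (the "RULE N -- ACTION" prefix followed by netfilter's key=value fields) and labels each logged packet by which kind of state rule could have accepted it. The two sample lines are the ones quoted in the post; the classification labels and helper names are this example's own.

```python
"""Classify fwbuilder/iptables LOG lines by TCP handshake state.

Added example: parses lines of the form
  "... kernel: RULE 5 -- DENY IN=eth1 OUT=eth0 SRC=... PROTO=TCP ... ACK FIN URGP=0"
and reports whether the packet was a connection opener (eligible for a
'state NEW' accept rule) or a mid-stream/teardown segment that only an
ESTABLISHED conntrack entry could have let through.
"""
import re
from dataclasses import dataclass

# Flag names netfilter prints as bare tokens between RES= and URGP=.
TCP_FLAGS = {"SYN", "ACK", "FIN", "RST", "PSH", "URG", "ECE", "CWR"}

# fwbuilder's LOG prefix, then the rest of the netfilter LOG output.
PREFIX_RE = re.compile(r"RULE (\d+) -- (\w+)\s+(.*)$")


@dataclass(frozen=True)
class LogEntry:
    rule: int            # fwbuilder policy rule number that logged it
    action: str          # ACCEPT / DENY / ...
    fields: dict         # key=value pairs such as SRC, DST, PROTO, DPT
    flags: frozenset     # TCP flag names present on the packet
    bare: tuple          # other bare tokens (e.g. "DF" = don't fragment)


def parse_entry(line: str) -> LogEntry:
    """Split one LOG line into rule/action, key=value fields and TCP flags."""
    m = PREFIX_RE.search(line)
    if not m:
        raise ValueError("not an fwbuilder LOG line: %r" % line)
    rule, action, rest = int(m.group(1)), m.group(2), m.group(3)
    fields, flags, bare = {}, set(), []
    for tok in rest.split():
        if "=" in tok:
            k, v = tok.split("=", 1)
            fields[k] = v
        elif tok in TCP_FLAGS:
            flags.add(tok)
        else:
            bare.append(tok)
    return LogEntry(rule, action, fields, frozenset(flags), tuple(bare))


def classify(entry: LogEntry) -> str:
    """Which kind of state rule could have accepted this packet?

    'new'         bare SYN: a connection opener, matches 'state NEW' rules
    'syn-ack'     reply-direction handshake segment
    'teardown'    FIN or RST present: only an existing ESTABLISHED entry
                  can accept it; no entry means it falls through to the
                  catch-all deny, which is what the quoted RULE 5 line shows
    'mid-stream'  plain data/ACK segment, likewise ESTABLISHED-only
    """
    if entry.fields.get("PROTO") != "TCP":
        return "non-tcp"
    f = entry.flags
    if "SYN" in f and "ACK" not in f:
        return "new"
    if "SYN" in f:
        return "syn-ack"
    if "FIN" in f or "RST" in f:
        return "teardown"
    return "mid-stream"


def summarize(lines):
    """Return (rule, action, dst:port, flags, classification) per line."""
    out = []
    for line in lines:
        e = parse_entry(line)
        dst = "%s:%s" % (e.fields.get("DST"), e.fields.get("DPT"))
        out.append((e.rule, e.action, dst, " ".join(sorted(e.flags)), classify(e)))
    return out


# The two log lines quoted in the post (constructed input for this example).
SAMPLE_LINES = [
    "Jan 14 15:13:13 matchbox kernel: RULE 5 -- DENY IN=eth1 OUT=eth0 "
    "SRC=10.0.0.170 DST=192.9.200.251 LEN=40 TOS=0x00 PREC=0x00 TTL=63 "
    "ID=10961 DF PROTO=TCP SPT=45398 DPT=80 WINDOW=6432 RES=0x00 ACK FIN URGP=0",
    "Jan 14 15:16:53 matchbox kernel: RULE 2 -- ACCEPT IN=eth1 OUT=eth0 "
    "SRC=10.0.0.170 DST=192.9.200.251 LEN=60 TOS=0x10 PREC=0x00 TTL=63 "
    "ID=27809 DF PROTO=TCP SPT=36809 DPT=80 WINDOW=5840 RES=0x00 SYN URGP=0",
]

if __name__ == "__main__":
    for row in summarize(SAMPLE_LINES):
        print("rule %d %-6s %-18s flags=[%s] -> %s" % row)
```

Run it against the two quoted lines and the RULE 5 entry comes out as a teardown segment (ACK FIN) while the RULE 2 entry is a connection opener (SYN). If a deployment logs many such teardown drops on an otherwise working service, they are late FIN/ACKs for connections the tracker has already forgotten, not evidence that the port-80 rule is misconfigured; a FIN-flagged packet logged by the catch-all with no preceding SYN from the same source port in the log is the signature to look for.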