huuan Apprentice
Joined: 19 Feb 2007 Posts: 265 Location: California
Posted: Mon Jul 23, 2007 5:28 am Post subject: tcp output stopped at firewall: test late packets? [solved]
I was looking through my server firewall logs and noticed that since last Wednesday there have been a number of blocked OUTPUT tcp connections similar to this:
Jul 22 13:33:10 myserver Dropped by default (OUTPUT):IN= OUT=eth0 SRC=myserverip DST=65.214.39.180 LEN=1500 TOS=0x00 PREC=0x00 TTL=64 ID=43953 DF PROTO=TCP SPT=80 DPT=33487 WINDOW=150 RES=0x00 ACK URGP=0
Never mind, I figured it out: these are just late packets from when a bot asks for a whole bunch of stuff and some packets get out of sequence and get dropped by the firewall, as there's no connection left when they arrive.
OK, then the real question is how to ID these as late packets so I can drop them without logging them?
Last edited by huuan on Mon Jul 23, 2007 8:04 pm; edited 1 time in total
huuan Apprentice
Joined: 19 Feb 2007 Posts: 265 Location: California
Posted: Mon Jul 23, 2007 7:15 am Post subject:
OK, I've gone with this as the line just before dropping OUTPUT by default:
Code:
$IPTABLES -A OUTPUT -p tcp --sport 80 -j DROP
which I figure should do the trick, as any legit port 80 output has already been allowed by that stage.
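As an added example (not code from the thread), here is a small Python triage script over constructed log lines in the format quoted in the first post: it parses the netfilter LOG fields and flags the entries that match the late-packet pattern the posts describe (OUTPUT chain, TCP, source port 80, ACK set without SYN), so you can confirm before adding a silent DROP rule like the one in the second post that it would only swallow those stale segments and not something you would still want logged. The sample log and the served-port list are assumptions for the demonstration.

```python
import re

# Constructed sample log in the format quoted in the thread. Line 1 is the
# entry from the post; lines 2-3 are made-up contrasting entries (an outbound
# SYN from an unexpected client port and a UDP DNS query).
SAMPLE_LOG = """\
Jul 22 13:33:10 myserver Dropped by default (OUTPUT):IN= OUT=eth0 SRC=myserverip DST=65.214.39.180 LEN=1500 TOS=0x00 PREC=0x00 TTL=64 ID=43953 DF PROTO=TCP SPT=80 DPT=33487 WINDOW=150 RES=0x00 ACK URGP=0
Jul 22 13:35:02 myserver Dropped by default (OUTPUT):IN= OUT=eth0 SRC=myserverip DST=198.51.100.7 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=1 DF PROTO=TCP SPT=44012 DPT=6667 WINDOW=5840 RES=0x00 SYN URGP=0
Jul 22 13:36:15 myserver Dropped by default (OUTPUT):IN= OUT=eth0 SRC=myserverip DST=198.51.100.9 LEN=78 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=41234 DPT=53 LEN=58
"""

# Syslog timestamp, host, the LOG prefix with the chain in parentheses, then
# the netfilter fields starting at "IN=".
HEADER = re.compile(r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) "
                    r"(?P<prefix>[^:]*\((?P<chain>\w+)\)):(?P<rest>IN=.*)$")

def parse_line(line):
    """Split one netfilter LOG line into KEY=VALUE fields and bare flags."""
    m = HEADER.match(line.strip())
    if not m:
        return None
    entry = {"chain": m["chain"], "fields": {}, "flags": set()}
    for tok in m["rest"].split():
        if "=" in tok:
            k, v = tok.split("=", 1)
            entry["fields"][k] = v      # IN= carries an empty value on OUTPUT
        else:
            entry["flags"].add(tok)      # DF plus TCP flag names (SYN, ACK, ...)
    return entry

def is_late_packet(entry, served_ports=(80,)):
    """Stale segment from a local service: OUTPUT chain, TCP, one of our
    listening ports as source, ACK set and no SYN (a fresh outbound
    connection attempt would carry SYN and a high source port)."""
    f = entry["fields"]
    return (entry["chain"] == "OUTPUT" and f.get("PROTO") == "TCP"
            and int(f.get("SPT", -1)) in served_ports
            and "ACK" in entry["flags"] and "SYN" not in entry["flags"])

def triage(log_text, served_ports=(80,)):
    """Return (count of late packets, list of remaining lines worth a look)."""
    late, keep = 0, []
    for line in log_text.splitlines():
        e = parse_line(line)
        if e and is_late_packet(e, served_ports):
            late += 1
        elif e:
            keep.append(line)
    return late, keep
```

Run `triage(SAMPLE_LOG)` over a real log extract (with the served-port list set to the services the box actually listens on) to see how many of the logged OUTPUT drops the rule from the second post would silence and which entries would remain.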