[ale] iptables issue
Jim Popovitch
jimpop at yahoo.com
Mon Jul 17 01:59:15 EDT 2006
JK wrote:
> Jim Popovitch wrote:
>
>> JK wrote:
>>
>>> This appears to be a server-side "close connection"
>>> packet (FIN). It may be that it's a
>>> re-send of a FIN that had been sent previously,
>>> and at the time it was put in the outgoing queue,
>>> the connection was still open. By the time it
>>> got into the filter, though, the client had
>>> replied to the earlier FIN and the connection was
>>> closed. (This is just a hypothesis; I don't
>>> know whether the kernel's handling of closing
>>> connections would actually admit this behavior.)
>>
>> Interesting theory. I checked the logs and sure enough every outbound
>> block is a FIN. So, is there a way to add a rule to just allow all
>> outbound FINs?
>
> iptables -A OUTPUT -p tcp --tcp-flags FIN FIN -j ACCEPT
>
> should do it. I'm not 100% certain that's a good
> idea, but I can't think offhand of a way that
> rule could be abused. You may want to add
> '--sport http'.
Will try. Again, thank you.
-Jim P.
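The log check Jim describes, as an added example that is not part of the thread: it parses iptables LOG output (constructed sample lines; the "OUT-DROP:" prefix and the addresses are assumptions) and reports how many of the dropped outbound TCP packets carry FIN and from which source port, i.e. what a rule matching any FIN-bearing outbound packet (`--tcp-flags FIN FIN`) would accept with and without `--sport http`.

```python
import re
from collections import Counter

# Constructed iptables LOG lines (not from the thread). The "OUT-DROP:" log
# prefix and the addresses are assumptions made up for this example.
SAMPLE_LOG = """\
Jul 16 23:51:02 gw kernel: OUT-DROP: IN= OUT=eth0 SRC=192.0.2.10 DST=198.51.100.7 LEN=40 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=TCP SPT=80 DPT=51234 WINDOW=0 RES=0x00 ACK FIN URGP=0
Jul 16 23:51:05 gw kernel: OUT-DROP: IN= OUT=eth0 SRC=192.0.2.10 DST=198.51.100.7 LEN=40 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=TCP SPT=80 DPT=51234 WINDOW=0 RES=0x00 ACK FIN URGP=0
Jul 16 23:52:17 gw kernel: OUT-DROP: IN= OUT=eth0 SRC=192.0.2.10 DST=203.0.113.9 LEN=40 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=TCP SPT=443 DPT=40022 WINDOW=0 RES=0x00 ACK FIN URGP=0
Jul 16 23:53:40 gw kernel: OUT-DROP: IN= OUT=eth0 SRC=192.0.2.10 DST=203.0.113.9 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=4242 DF PROTO=TCP SPT=33001 DPT=25 WINDOW=5840 RES=0x00 SYN URGP=0
Jul 16 23:54:01 gw kernel: OUT-DROP: IN= OUT=eth0 SRC=192.0.2.10 DST=198.51.100.7 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=53 DPT=1029 LEN=40
"""

TCP_FLAGS = ("SYN", "ACK", "FIN", "RST", "PSH", "URG")
FIELD_RE = re.compile(r"\b(\w+)=(\S*)")

def parse_line(line):
    """Parse one LOG line into its KEY=VALUE fields plus a frozenset of TCP
    flags. Returns None unless it is a dropped *outbound* TCP packet."""
    fields = dict(FIELD_RE.findall(line))
    if not fields.get("OUT") or fields.get("PROTO") != "TCP":
        return None
    tokens = set(line.split())          # TCP flags are printed as bare words
    fields["flags"] = frozenset(f for f in TCP_FLAGS if f in tokens)
    return fields

def summarize_out_drops(log_text):
    """Count outbound TCP drops by flag combination, and FIN-bearing drops by
    source port: the two facts that decide what the proposed rule would cover."""
    by_flags, fin_sports = Counter(), Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        by_flags["+".join(sorted(rec["flags"])) or "none"] += 1
        if "FIN" in rec["flags"]:
            fin_sports[int(rec["SPT"])] += 1
    return by_flags, fin_sports

def fin_rule_coverage(by_flags, fin_sports):
    """Packets each candidate rule would accept versus all outbound TCP drops."""
    return {
        "total": sum(by_flags.values()),
        "fin_any_port": sum(fin_sports.values()),   # --tcp-flags FIN FIN
        "fin_sport_http": fin_sports.get(80, 0),    # ... plus --sport http
    }

if __name__ == "__main__":
    print(fin_rule_coverage(*summarize_out_drops(SAMPLE_LOG)))
```

In the sample, one FIN leaves from port 443, so the `--sport http` variant would still log it, while the lone SYN drop is traffic the FIN rule correctly leaves alone.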