Debian Lenny. I am firewalling invalid packets (-m state --state invalid), allowing related / established traffic in, and allowing ICMP types 3, 4, 8, 11 & 12. The stalls seem to be less frequent when I explicitly allow invalid packets coming from the remote host. Could it be that some device along the route is handling SACK incorrectly?
Example of a packet I explicitly allowed even though iptables marked it invalid:
Nov 22 04:37:00 <hostname> kernel: [693422.397591] Allow invalid from <remote host>: IN=eth0 OUT= MAC=00:23:7d:cf:2a:1a:00:08:e3:ff:fc:04:08:00 SRC=<remote ip> DST=<local ip> LEN=80 TOS=0x00 PREC=0x00 TTL=61 ID=1217 DF PROTO=TCP SPT=22 DPT=47654 WINDOW=1497 RES=0x00 ACK URGP=0 OPT (0101080A48E3385B0896094F0101051AA0A49C7BA0A4A1D3A0A48C73A0A49723A0A47C6BA0A4871B)
This is from my syslog, using iptables --log-tcp-options; the options appear to be timestamp and SACK. Is there a way to log more, or make it show what specifically causes iptables to mark this an invalid packet?
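The OPT(...) field in that log line is the raw TCP options block, so it can be decoded offline to confirm what the packet carried. The following decoder is an added example written for this page; it is not code from the poster or from iptables. It assumes the standard option kinds from RFC 793 (NOP, MSS, window scale), RFC 2018 (SACK-permitted, SACK) and the timestamp option (kind 8), and the sample log line and option string embedded below are the ones quoted above, with the same placeholders for host names and addresses.

```python
# Added example: decode the TCP options hex that `iptables --log-tcp-options`
# writes into the OPT(...) field of its log line. Not part of the original post.
import re

# Standard TCP option kinds (RFC 793, RFC 2018, timestamp option kind 8).
KIND_EOL, KIND_NOP, KIND_MSS, KIND_WSCALE = 0, 1, 2, 3
KIND_SACK_PERM, KIND_SACK, KIND_TS = 4, 5, 8

# Sample input: the syslog line quoted in the post (placeholders kept as-is).
SAMPLE_LOG_LINE = (
    "Nov 22 04:37:00 <hostname> kernel: [693422.397591] Allow invalid from <remote host>: "
    "IN=eth0 OUT= MAC=00:23:7d:cf:2a:1a:00:08:e3:ff:fc:04:08:00 SRC=<remote ip> DST=<local ip> "
    "LEN=80 TOS=0x00 PREC=0x00 TTL=61 ID=1217 DF PROTO=TCP SPT=22 DPT=47654 WINDOW=1497 "
    "RES=0x00 ACK URGP=0 OPT (0101080A48E3385B0896094F0101051AA0A49C7BA0A4A1D3"
    "A0A48C73A0A49723A0A47C6BA0A4871B)"
)
SAMPLE_OPT = "0101080A48E3385B0896094F0101051AA0A49C7BA0A4A1D3A0A48C73A0A49723A0A47C6BA0A4871B"


def opt_from_log_line(line):
    """Extract the hex string inside 'OPT (...)' from an iptables log line, or None."""
    m = re.search(r"OPT \(([0-9A-Fa-f]+)\)", line)
    return m.group(1) if m else None


def parse_tcp_options(hexstr):
    """Decode a TCP options block into a list of (name, value) tuples.

    Single-byte options (EOL, NOP) have no length field; every other option is
    kind, length, body. Malformed lengths raise ValueError rather than being
    silently skipped, since a bad length is itself something worth noticing.
    """
    data = bytes.fromhex(hexstr)
    out = []
    i = 0
    while i < len(data):
        kind = data[i]
        if kind == KIND_EOL:
            out.append(("EOL", None))
            break
        if kind == KIND_NOP:
            out.append(("NOP", None))
            i += 1
            continue
        if i + 1 >= len(data):
            raise ValueError("truncated option header at offset %d" % i)
        length = data[i + 1]
        if length < 2 or i + length > len(data):
            raise ValueError("bad option length %d at offset %d" % (length, i))
        body = data[i + 2:i + length]
        if kind == KIND_MSS and length == 4:
            out.append(("MSS", int.from_bytes(body, "big")))
        elif kind == KIND_WSCALE and length == 3:
            out.append(("WSCALE", body[0]))
        elif kind == KIND_SACK_PERM and length == 2:
            out.append(("SACK_PERM", None))
        elif kind == KIND_SACK and (length - 2) % 8 == 0:
            # Each SACK block is a (left edge, right edge) pair of 32-bit sequence numbers.
            blocks = [
                (int.from_bytes(body[j:j + 4], "big"), int.from_bytes(body[j + 4:j + 8], "big"))
                for j in range(0, len(body), 8)
            ]
            out.append(("SACK", blocks))
        elif kind == KIND_TS and length == 10:
            # Timestamp option: TSval followed by TSecr.
            out.append(("TS", (int.from_bytes(body[:4], "big"), int.from_bytes(body[4:], "big"))))
        else:
            out.append(("UNKNOWN(%d)" % kind, body.hex()))
        i += length
    return out


def sack_block_lengths(blocks):
    """Bytes covered by each SACK block, using modulo-2**32 sequence arithmetic."""
    return [(right - left) % (1 << 32) for left, right in blocks]


if __name__ == "__main__":
    opts = parse_tcp_options(opt_from_log_line(SAMPLE_LOG_LINE))
    for name, value in opts:
        print(name, value)
    sack = dict(opts).get("SACK")
    if sack:
        print("SACK block lengths:", sack_block_lengths(sack))
```

Run on the quoted line, the decoder shows NOP, NOP, timestamp, NOP, NOP and one SACK option with three blocks, which matches the 40 option bytes implied by LEN=80 (20-byte IP header plus 20-byte TCP header). The three block lengths come out as 1368, 2736 and 2736 bytes, i.e. one and two segments of 1368 bytes. The decoder only reveals what the packet carried, not why conntrack rejected it; the reason conntrack gives for an INVALID verdict is controlled separately by the net.netfilter.nf_conntrack_log_invalid sysctl, which is the knob to look at for the logging question in the post.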