LinuxQuestions.org
Old 06-27-2013, 12:57 AM   #1
niraj.vara
LQ Newbie
 
Registered: May 2009
Posts: 27

Rep: Reputation: 0
firewall blocking request


Hi

I have a Linux firewall in which I have the following rules.

$IPT -A bad_packets -p ALL -m state --state INVALID -j LOG \
--log-prefix "fp=bad_packets:1 a=DROP "

$IPT -A bad_packets -p ALL -m state --state INVALID -j DROP


But those rules are blocking this request, and I found that this request is a genuine request, so why is it being blocked by the firewall? The firewall logs are below.

Jun 27 11:14:38 xyz kernel: fp=bad_packets:1 a=DROP IN=eth0 OUT=eth1 SRC=192.168.1.44 DST=173.194.38.141 LEN=40 TOS=0x00 PREC=0x00 TTL=63 ID=41102 DF PROTO=TCP SPT=55563 DPT=80 WINDOW=245 RES=0x00 ACK FIN URGP=0
Jun 27 11:14:39 xyz kernel: fp=bad_packets:1 a=DROP IN=eth0 OUT=eth1 SRC=192.168.1.108 DST=54.249.82.171 LEN=40 TOS=0x00 PREC=0x00 TTL=63 ID=57967 DF PROTO=TCP SPT=49757 DPT=80 WINDOW=65535 RES=0x00 ACK FIN URGP=0
Jun 27 11:14:43 xyz kernel: fp=bad_packets:1 a=DROP IN=eth0 OUT=eth1 SRC=192.168.1.108 DST=54.249.82.171 LEN=40 TOS=0x00 PREC=0x00 TTL=63 ID=28476 DF PROTO=TCP SPT=49757 DPT=80 WINDOW=65535 RES=0x00 ACK FIN URGP=0
Jun 27 11:14:45 xyz kernel: fp=bad_packets:1 a=DROP IN=eth0 OUT=eth1 SRC=192.168.1.108 DST=173.194.38.131 LEN=40 TOS=0x00 PREC=0x00 TTL=63 ID=59458 DF PROTO=TCP SPT=49772 DPT=80 WINDOW=16384 RES=0x00 ACK FIN URGP=0
Jun 27 11:14:49 xyz kernel: fp=bad_packets:1 a=DROP IN=eth0 OUT=eth1 SRC=192.168.1.108 DST=216.52.242.80 LEN=40 TOS=0x00 PREC=0x00 TTL=63 ID=48650 DF PROTO=TCP SPT=49740 DPT=80 WINDOW=16384 RES=0x00 ACK FIN URGP=0
Jun 27 11:14:50 xyz kernel: fp=bad_packets:1 a=DROP IN=eth0 OUT=eth1 SRC=192.168.1.108 DST=173.194.38.131 LEN=40 TOS=0x00 PREC=0x00 TTL=63 ID=58428 DF PROTO=TCP SPT=49773 DPT=80 WINDOW=16384 RES=0x00 ACK FIN URGP=0
Jun 27 11:14:50 xyz kernel: fp=bad_packets:1 a=DROP IN=eth0 OUT=eth1 SRC=192.168.1.108 DST=54.249.82.171 LEN=40 TOS=0x00 PREC=0x00 TTL=63 ID=17698 DF PROTO=TCP SPT=49757 DPT=80 WINDOW=65535 RES=0x00 ACK FIN URGP=0
Jun 27 11:14:51 xyz kernel: fp=bad_packets:1 a=DROP IN=eth0 OUT=eth1 SRC=192.168.1.108 DST=216.52.242.80 LEN=40 TOS=0x00 PREC=0x00 TTL=63 ID=45670 DF PROTO=TCP SPT=49740 DPT=80 WINDOW=16384 RES=0x00 ACK FIN URGP=0
 
Old 06-28-2013, 05:36 AM   #2
vishesh
Member
 
Registered: Feb 2008
Distribution: Fedora,RHEL,Ubuntu
Posts: 661

Rep: Reputation: 66
I notice that the packets with the flags ACK FIN URG are falling into the INVALID state.

Thanks
 
Old 06-28-2013, 07:43 AM   #3
jazz5150
LQ Newbie
 
Registered: Jun 2013
Location: NL
Distribution: Kali-Linux, Debian
Posts: 20

Rep: Reputation: 15
This is a result of the stateful firewall not being able to match the packet to a known active connection.
A possible reason for this behaviour is that the FIN/ACK packet is sent very long after the FIN packet.
Another possibility is that the firewall is not able to handle the amount of connections.

The only solutions I came across are to make the firewall stateless for the port(s) where this problem occurs, or to ignore the packets with ACK FIN URGP=0 set altogether.
 
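To check whether the logged drops really are the late FIN/ACK teardowns described above, and not something else, here is an added Python example (not from the thread) that parses lines in the bad_packets LOG format and classifies each by its TCP flags. The sample log is constructed: the first line is copied from post #1, the second is a made-up mid-stream ACK.

```python
import re
from collections import Counter
# Constructed sample in the netfilter LOG format from the thread: the first
# line is copied from post #1, the second is a made-up mid-stream ACK.
SAMPLE_LOG = """\
Jun 27 11:14:38 xyz kernel: fp=bad_packets:1 a=DROP IN=eth0 OUT=eth1 SRC=192.168.1.44 DST=173.194.38.141 LEN=40 TOS=0x00 PREC=0x00 TTL=63 ID=41102 DF PROTO=TCP SPT=55563 DPT=80 WINDOW=245 RES=0x00 ACK FIN URGP=0
Jun 27 11:15:02 xyz kernel: fp=bad_packets:1 a=DROP IN=eth0 OUT=eth1 SRC=192.168.1.77 DST=203.0.113.9 LEN=52 TOS=0x00 PREC=0x00 TTL=63 ID=31337 DF PROTO=TCP SPT=40000 DPT=443 WINDOW=501 RES=0x00 ACK URGP=0
"""
TCP_FLAGS = {"SYN", "ACK", "FIN", "RST", "PSH", "URG"}
KERNEL_RE = re.compile(r"kernel: fp=bad_packets:\d+ a=\S+ (?P<rest>.*)")

def parse_netfilter_line(line):
    """Return key=value fields plus a FLAGS set, or None if not a bad_packets log."""
    m = KERNEL_RE.search(line)
    if not m:
        return None
    fields, flags = {}, set()
    for token in m.group("rest").split():
        key, sep, value = token.partition("=")
        if sep:
            fields[key] = value
        elif token in TCP_FLAGS:   # bare tokens like ACK FIN are TCP flags;
            flags.add(token)       # DF (the IP don't-fragment bit) is skipped
    fields["FLAGS"] = frozenset(flags)
    return fields

def classify(entry):
    """Name the likely reason conntrack judged the packet INVALID."""
    if entry.get("PROTO") != "TCP":
        return "non-tcp"
    flags = entry["FLAGS"]
    if flags == {"FIN", "ACK"} and entry.get("LEN") == "40":
        # payload-less FIN/ACK after conntrack already expired the flow: harmless teardown
        return "late-fin-ack"
    if flags == {"ACK"}:
        # ACK for a flow whose handshake conntrack never saw (asymmetric routing, restart)
        return "midstream-ack"
    if "RST" in flags:
        return "stray-rst"
    return "other"

def summarize(log_text):
    """Count INVALID-drop categories over a block of log text."""
    counts = Counter()
    for line in log_text.splitlines():
        entry = parse_netfilter_line(line)
        if entry is not None:
            counts[classify(entry)] += 1
    return counts
```

If nearly every drop lands in late-fin-ack, the rule is only producing log noise; a large midstream-ack count instead points at the firewall losing connection state.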
Old 06-30-2013, 11:17 PM   #4
niraj.vara
LQ Newbie
 
Registered: May 2009
Posts: 27

Original Poster
Rep: Reputation: 0
Hi

I have noticed that also, but it is a Google or Facebook IP which is open in my browser and blocked by the proxy server, which is a genuine request.

The firewall should not block that traffic.
 
Old 07-03-2013, 02:45 AM   #5
jazz5150
LQ Newbie
 
Registered: Jun 2013
Location: NL
Distribution: Kali-Linux, Debian
Posts: 20

Rep: Reputation: 15
It is not a question of whether the firewall should block that traffic.
The issue is that the firewall cannot relate the message to a known active connection.
Because it is a stateful firewall, it will automatically block traffic if it cannot relate that traffic to a known active connection.
The possible solutions are the ones I gave in my first reply.
 