LinuxQuestions.org
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.

Old 10-23-2003, 01:48 PM   #1
gundelgauk
Member
 
Registered: Jul 2003
Distribution: Gentoo
Posts: 168

Rep: Reputation: 30
Some connections getting through firewall, why?


Greetings!


My configuration is as follows:
I have a linux firewalling router that masquerades and forwards port 4662 to my linux client for file sharing. All other incoming connections from outside are dropped, only ESTABLISHED, RELATED are being accepted. The client is running a firewall on its own.

I'm getting a lot of blocked connections in the router's syslog, like

Oct 23 20:23:32 router kernel: DROP IN=ppp0 OUT= MAC= SRC=<edited> DST=<edited> LEN=78 TOS=0x00 PREC=0x00 TTL=118 ID=39377 PROTO=UDP SPT=39649 DPT=137 LEN=58

You get the point. Usually I have no log entries regarding blocked connections on the client at all. So far so good.

But occasionally I do get log entries on the client (!), about once per two hours on average, like the following:

Oct 23 20:05:05 client kernel: DROP IN=eth0 OUT= MAC=<edited> SRC=<edited> DST=<client's lan IP> LEN=58 TOS=0x00 PREC=0x00 TTL=111 ID=40681 DF PROTO=TCP SPT=4662 DPT=55617 WINDOW=17342 RES=0x00 ACK PSH FIN URGP=0

My question is: Why do those rare connections make it through the router's firewall? I am not yet concerned about this as I don't have any services running at all, so a compromise is unlikely but it still leaves me confused. Does it have something to do with the ACK/FIN/PSH flags? I understand that the ACK should be from some host that acknowledges a two-way connection that it established with my box (because there is no SYN, only ACK) but if that is the case why is it being blocked by the client? Shouldn't it be accepted as an ESTABLISHED, RELATED?

Is there anything I can do to block these connections at the router? Or are these packets legitimate and I made a mistake in my configuration? Or is this sort of thing normal?


Thanks in advance for any hints/information!
 
Old 10-23-2003, 04:31 PM   #2
nhs
Member
 
Registered: Aug 2003
Location: Edinburgh, Scotland
Distribution: Gentoo
Posts: 246

Rep: Reputation: 30
The packet that the client blocked came from port 4662 and looks like it was terminating a connection. It could therefore either be an incorrectly configured firewall on the client or a FIN Stealth scan which the router couldn't pick up (because it looked like an established connection) but which your client could (because it knows precisely what connections are open and knows that that is not part of an open connection).

P.S. This is partially guesswork and it doesn't look like it's harming your system either way.
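Added illustration, not code from either poster: a small Python parser for netfilter LOG lines of the kind quoted above, plus a check that applies nhs's reasoning. A TCP segment without SYN can only be let in by a stateful (ESTABLISHED) match, so whether it passes depends on whether the host doing the filtering has a connection-tracking entry for that 4-tuple. The sample lines, the addresses, the MAC and the "known connections" table are constructed stand-ins for the <edited> values; nothing else is assumed.

```python
"""Parse iptables LOG lines and apply the thread's reasoning to each packet
(added example; not from the thread or from any project)."""
import re
from dataclasses import dataclass

# TCP flag tokens the netfilter LOG target prints as bare words before URGP=
TCP_FLAGS = {"SYN", "ACK", "PSH", "FIN", "RST", "URG", "ECE", "CWR"}


@dataclass
class LogPacket:
    prefix: str    # the rule's --log-prefix, e.g. "DROP"
    fields: dict   # KEY=value tokens; first occurrence wins (LEN= appears twice)
    flags: set     # bare tokens: IP "DF" plus the TCP flags above

    @property
    def proto(self):
        return self.fields.get("PROTO")

    def tuple4(self):
        f = self.fields
        return (f.get("SRC"), f.get("SPT"), f.get("DST"), f.get("DPT"))


def parse_netfilter_log(line):
    """Split a syslog/kernel line into prefix, KEY=value fields and flag tokens."""
    m = re.search(r"kernel:\s*(?:\[[^\]]*\]\s*)?(.*)$", line)
    if not m:
        raise ValueError("not a kernel log line: %r" % line)
    prefix, fields, flags = [], {}, set()
    for tok in m.group(1).split():
        if "=" in tok:
            key, value = tok.split("=", 1)
            fields.setdefault(key, value)
        elif fields:          # a bare word after IN= is a flag (DF, ACK, PSH, FIN ...)
            flags.add(tok)
        else:                 # bare words before IN= are the log prefix
            prefix.append(tok)
    return LogPacket(" ".join(prefix), fields, flags)


def classify(pkt, known_connections):
    """known_connections: the filtering host's own view of open flows as
    (SRC, SPT, DST, DPT) strings. Constructed here; on a real host it comes
    from the kernel's connection-tracking table."""
    if pkt.proto != "TCP":
        return "non-TCP: stateful match is by address/port only"
    tcp = pkt.flags & TCP_FLAGS
    if "SYN" in tcp and "ACK" not in tcp:
        return "SYN: new connection attempt, needs a NEW/port rule to pass"
    if pkt.tuple4() in known_connections:
        return "tracked connection: an ESTABLISHED rule should accept it"
    return ("non-SYN %s with no tracked connection: passes a router whose "
            "conntrack still holds the flow, but this host has nothing to "
            "match it against (late close segment or FIN-type scan)"
            % " ".join(sorted(tcp)))


# Constructed samples modelled on the two lines quoted in the thread; the
# addresses and MAC are documentation/placeholder values, not real ones.
ROUTER_LINE = ("Oct 23 20:23:32 router kernel: DROP IN=ppp0 OUT= MAC= "
               "SRC=198.51.100.7 DST=203.0.113.9 LEN=78 TOS=0x00 PREC=0x00 "
               "TTL=118 ID=39377 PROTO=UDP SPT=39649 DPT=137 LEN=58")
CLIENT_LINE = ("Oct 23 20:05:05 client kernel: DROP IN=eth0 OUT= "
               "MAC=00:00:00:00:00:00:00:00:00:00:00:00:08:00 SRC=198.51.100.7 "
               "DST=192.168.1.10 LEN=58 TOS=0x00 PREC=0x00 TTL=111 ID=40681 DF "
               "PROTO=TCP SPT=4662 DPT=55617 WINDOW=17342 RES=0x00 ACK PSH FIN URGP=0")


def analyse(lines, known_connections):
    """Return one (prefix, proto, sorted flags, verdict) row per log line."""
    rows = []
    for line in lines:
        pkt = parse_netfilter_log(line)
        rows.append((pkt.prefix, pkt.proto, sorted(pkt.flags),
                     classify(pkt, known_connections)))
    return rows


if __name__ == "__main__":
    # With an empty connection table, the client line is explained as a
    # non-SYN segment this host has no entry for, exactly the case in the thread.
    for row in analyse([ROUTER_LINE, CLIENT_LINE], set()):
        print(row)
```

The classifier looks the packet up in the filtering host's own connection view, which is the point of the exchange: the router forwarded the segment because its table still held the flow, the client dropped it because its table did not. On a real host that view is /proc/net/ip_conntrack on kernels of that era (nf_conntrack later, or `conntrack -L`); comparing the two hosts' tables, and their conntrack timeouts, is the first thing to check before calling a lone ACK/PSH/FIN a scan.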
 
Old 10-23-2003, 05:03 PM   #3
gundelgauk
Member
 
Registered: Jul 2003
Distribution: Gentoo
Posts: 168

Original Poster
Rep: Reputation: 30
Cool

Thanks for your reply, nhs!


Now that you narrowed down the possibilities of what this 'phenomenon' (to me it is one) could be, I come to the same conclusion as you. If it's a port scan - alas, I've had quite a few of those in the last month. And if it's a denied control packet - so be it, as long as they don't occur more often than this. It doesn't seem to hurt my performance. I was just confused as to why most packets got filtered out but some didn't.

Of course, any more information/opinion is welcomed! But for now I've calmed down a bit.
 
All times are GMT -5.