Re: iptables OUTBOUND TCP:

[Patrick McCarty <mccartyp () apu edu>]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1


Hmmm... I've seen other issues with RST ACK, and other expired states, but not with SYN ACK.

Perhaps the honeynet network variable isnt specified correctly and the firewall is logging outbound traffic from what 
it thinks isnt the normal IP range...

- -- patrick


On Wed, Jan 12, 2005 at 11:59:49AM -0600, Ensz, Sean A. wrote:
> Does anyone have an explanation why honeywall logs TCP packets with the
> ACK SYN bits set as outbound connections? This is obviously the second
> part of the 3-way TCP handshake, but I don't know why iptables thinks it
> is a new connection and therefore triggering the OUTBOUND TCP log rule.
> The only thing I could come up with is that iptables is only looking at
> the SYN bit and not checking if any other bits are set. Any insight
> would be most appreciated. 
>
>
> Here are the iptables excerpts and tcpdump info:
>
>
> Jan 12 11:08:09 honeywall kernel: INBOUND TCP: IN=br0 OUT=br0
> PHYSIN=eth0 PHYSOUT=eth1 SRC=195.14.x.x DST=192.168.246.105 LEN=52
> TOS=0x00 PREC=0x00 TTL=104 ID=30217 DF PROTO=TCP SPT=3034 DPT=4899
> WINDOW=32767 RES=0x00 SYN URGP=0
>
> Jan 12 11:08:30 honeywall kernel: OUTBOUND TCP: IN=br0 OUT=br0
> PHYSIN=eth1 PHYSOUT=eth0 SRC=192.168.246.105 DST=195.14.x.x LEN=44
> TOS=0x00 PREC=0x00 TTL=64 ID=20353 PROTO=TCP SPT=4899 DPT=3034
> WINDOW=16000 RES=0x00 ACK SYN URGP=0
>
>
> tcpdump -r pcap.20050112.1105488301 -nn -v host 195.14.x.x and port 3034
> reading from file pcap.20050112.1105488301, link-type EN10MB (Ethernet)
>
> 11:08:09.029231 IP (tos 0x0, ttl 104, id 30217, offset 0, flags [DF],
> length: 52) 195.14.x.x.3034 > 192.168.246.105.4899: S [tcp sum ok]
> 3773502378:3773502378(0) win 32767 <mss 1452,nop,wscale
> 0,nop,nop,sackOK>
>
> 11:08:09.033731 IP (tos 0x0, ttl  64, id 64182, offset 0, flags [none],
> length: 44) 192.168.246.105.4899 > 195.14.x.x.3034: S [tcp sum ok]
> 0:0(0) ack 3773502379 win 16000 <mss 1460>
>
> 11:08:09.112651 IP (tos 0x0, ttl  64, id 37805, offset 0, flags [none],
> length: 40) 192.168.246.105.4899 > 195.14.x.x.3034: R [tcp sum ok]
> 0:0(0) ack 1 win 0
>
> 11:08:09.267803 IP (tos 0x0, ttl 104, id 30288, offset 0, flags [DF],
> length: 40) 195.14.x.x.3034 > 192.168.246.105.4899: . [tcp sum ok] ack 1
> win 32767
>
> 11:08:09.268404 IP (tos 0x0, ttl  64, id 37806, offset 0, flags [none],
> length: 40) 192.168.246.105.4899 > 195.14.x.x.3034: R [tcp sum ok]
> 1:1(0) win 0
>
> 11:08:09.314790 IP (tos 0x0, ttl 104, id 30289, offset 0, flags [DF],
> length: 50) 195.14.x.x.3034 > 192.168.246.105.4899: P [tcp sum ok]
> 1:11(10) ack 1 win 32767
>
> 11:08:09.315780 IP (tos 0x0, ttl  64, id 37807, offset 0, flags [none],
> length: 40) 192.168.246.105.4899 > 195.14.x.x.3034: R [tcp sum ok]
> 1:1(0) win 0
>
> 11:08:12.038379 IP (tos 0x0, ttl  64, id 34767, offset 0, flags [none],
> length: 44) 192.168.246.105.4899 > 195.14.x.x.3034: S [tcp sum ok]
> 0:0(0) ack 3773502379 win 16000 <mss 1460>
>
> 11:08:12.254188 IP (tos 0x0, ttl 104, id 31271, offset 0, flags [none],
> length: 40) 195.14.x.x.3034 > 192.168.246.105.4899: R [tcp sum ok]
> 3773502379:3773502379(0) win 0
>
> 11:08:18.048603 IP (tos 0x0, ttl  64, id 30427, offset 0, flags [none],
> length: 44) 192.168.246.105.4899 > 195.14.x.x.3034: S [tcp sum ok]
> 0:0(0) ack 3773502379 win 16000 <mss 1460>
>
> 11:08:18.244447 IP (tos 0x0, ttl 104, id 33222, offset 0, flags [none],
> length: 40) 195.14.x.x.3034 > 192.168.246.105.4899: R [tcp sum ok]
> 3773502379:3773502379(0) win 0
>
> 11:08:30.059046 IP (tos 0x0, ttl  64, id 20353, offset 0, flags [none],
> length: 44) 192.168.246.105.4899 > 195.14.x.x.3034: S [tcp sum ok]
> 0:0(0) ack 3773502379 win 16000 <mss 1460>
>
> 11:08:30.272743 IP (tos 0x0, ttl 104, id 37499, offset 0, flags [none],
> length: 40) 195.14.x.x.3034 > 192.168.246.105.4899: R [tcp sum ok]
> 3773502379:3773502379(0) win 0

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.2 (GNU/Linux)

iD8DBQFB5Xt2pPYocrgNjZgRAj2rAKCHz8m67sWBV/5ME1TR6DJkW2LcmgCghOdN
ruQz3eAyIMieUuGxcgjns/Y=
=epsj
-----END PGP SIGNATURE-----