Curious about log entries.

Anders Peter Fugmann
Thu Oct 26 20:06:05 CEST 2006


Steven W. Orr wrote:
> Oct 24 14:28:24 saturn kernel: [FIAIF_INVALID]:IN=eth0 OUT= \
> MAC=00:13:d4:d1:b7:7 \
> c:00:12:44:91:f0:8c:08:00 SRC=70.88.208.113 DST=207.172.210.41 LEN=43 \
> TOS=0x08 PREC=0x00 TTL=17 ID=0 PROTO=TCP SPT=25 DPT=56077 \
> WINDOW=0 RES=0x00 ACK RST URGP=0
> 
> I see entries like the above on a regular basis and I just don't get it. 
> I'm the 210.41 (if that wasn't obvious) and the other guy is talking to me 
> from his port 25. So what about this syslog entry would make the packet 
> invalid? Am I right to assume that this has to represent an already 
> established conversation?
Yes. It would usually mean that.

The Linux firewall (iptables) has some connection tracking that keeps track
of all communication between two endpoints. If it sees something out of
the ordinary (does not match the current state of the communication) it
marks them as invalid. FIAIF catches these packets, logs them and
discards them.

You should not be concerned, however. If you can send mail you can
ignore these lines.

> 
> TIA
> 
Hope it answers your question.

Regards
Anders Fugmann
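
Added example, not part of the original message and not FIAIF code: a small parser that groups [FIAIF_INVALID] entries by remote endpoint and TCP flags, so a recurring pattern like the one quoted above is easy to see. The log lines are constructed samples using documentation addresses, and the function names are hypothetical.

```python
from collections import Counter

# Constructed sample lines modelled on the quoted entry (documentation addresses).
SAMPLE_LOG = """\
Oct 24 14:28:24 saturn kernel: [FIAIF_INVALID]:IN=eth0 OUT= MAC=00:00:5e:00:53:01:00:00:5e:00:53:02:08:00 SRC=192.0.2.25 DST=198.51.100.41 LEN=40 TOS=0x08 PREC=0x00 TTL=17 ID=0 PROTO=TCP SPT=25 DPT=56077 WINDOW=0 RES=0x00 ACK RST URGP=0
Oct 24 14:29:10 saturn sshd[812]: Accepted publickey for example from 198.51.100.7
Oct 24 14:31:02 saturn kernel: [FIAIF_INVALID]:IN=eth0 OUT= MAC=00:00:5e:00:53:01:00:00:5e:00:53:02:08:00 SRC=192.0.2.25 DST=198.51.100.41 LEN=40 TOS=0x08 PREC=0x00 TTL=17 ID=0 PROTO=TCP SPT=25 DPT=56102 WINDOW=0 RES=0x00 ACK RST URGP=0
Oct 24 14:40:47 saturn kernel: [FIAIF_INVALID]:IN=eth0 OUT= MAC=00:00:5e:00:53:01:00:00:5e:00:53:02:08:00 SRC=192.0.2.80 DST=198.51.100.41 LEN=52 TOS=0x00 PREC=0x00 TTL=52 ID=4711 DF PROTO=TCP SPT=80 DPT=41230 WINDOW=54 RES=0x00 ACK FIN URGP=0
"""

PREFIX = "[FIAIF_INVALID]:"  # log prefix as it appears in the quoted entry
TCP_FLAGS = ("CWR", "ECE", "URG", "ACK", "PSH", "RST", "SYN", "FIN")


def parse_entry(line):
    """Return the fields of one FIAIF_INVALID entry, or None for other lines."""
    _, found, body = line.partition(PREFIX)
    if not found:
        return None
    fields, flags = {}, []
    for token in body.split():
        key, eq, value = token.partition("=")
        if eq:
            fields[key] = value      # "OUT=" yields an empty string
        elif token in TCP_FLAGS:
            flags.append(token)      # bare tokens such as ACK, RST
    fields["FLAGS"] = tuple(flags)
    return fields


def summarize(log_text):
    """Count INVALID TCP entries per (source address, source port, flags)."""
    counts = Counter()
    for line in log_text.splitlines():
        entry = parse_entry(line)
        if entry and entry.get("PROTO") == "TCP" and "SPT" in entry:
            counts[(entry["SRC"], int(entry["SPT"]), entry["FLAGS"])] += 1
    return counts


if __name__ == "__main__":
    for (src, spt, flags), n in summarize(SAMPLE_LOG).most_common():
        print(f"{n:3d}  {src}:{spt}  {'/'.join(flags) or '-'}")
```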
