Nov 29 15:17:15 hostname kernel: [397768.554884] [UFW BLOCK] IN=eth0 OUT= MAC=[mac] SRC=[ip] DST=[ip] LEN=52 TOS=0x00 PREC=0x00 TTL=52 ID=17050 PROTO=TCP SPT=56152 DPT=80 WINDOW=65535 RES=0x00 ACK FIN URGP=0
As I understand it, there was a request to port 80, which was blocked. Most of the messages have DPT=80.
Which is weird, since port 80 is open for business and serving websites like never before. What am I missing here?
Notice that your packet has both the FIN and ACK bits set. This is the last packet that the remote host sends in the TCP tear down (end of connection) procedure.
What happens is, when your host has finished sending, it sets the FIN and ACK flags on the last packet. The remote host sends a packet with ACK set, followed by a packet with FIN and ACK set. In practice, the remote's FIN ACK is considered optional, so the netfilter firewall will flush its connection table when it sees the ACK; when the FIN ACK packet then arrives it has no associated connection and is dropped.
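To make the distinction in the answer usable when triaging a log, the following added example (not code from the question or the answer) parses UFW BLOCK kernel-log lines into their KEY=VALUE fields and bare TCP flag tokens, then classifies each drop: a SYN without ACK is a genuinely refused new connection, while a FIN+ACK (or any other non-SYN segment) is a packet for which the firewall no longer holds state, i.e. the teardown residue described above. The first sample line is the one from the question (with its `[mac]`/`[ip]` placeholders); the other two lines, their addresses and the category names are constructed for this example.

```python
import re
from dataclasses import dataclass

# Sample input: line 1 is the entry from the question; lines 2-3 are constructed
# (RFC 5737 documentation addresses) to show a refused SYN and a stray ACK.
SAMPLE_LOG = """\
Nov 29 15:17:15 hostname kernel: [397768.554884] [UFW BLOCK] IN=eth0 OUT= MAC=[mac] SRC=[ip] DST=[ip] LEN=52 TOS=0x00 PREC=0x00 TTL=52 ID=17050 PROTO=TCP SPT=56152 DPT=80 WINDOW=65535 RES=0x00 ACK FIN URGP=0
Nov 29 15:17:16 hostname kernel: [397769.101234] [UFW BLOCK] IN=eth0 OUT= MAC=00:00:5e:00:53:01:00:00:5e:00:53:02:08:00 SRC=192.0.2.77 DST=198.51.100.5 LEN=60 TOS=0x00 PREC=0x00 TTL=48 ID=1 PROTO=TCP SPT=40000 DPT=22 WINDOW=29200 RES=0x00 SYN URGP=0
Nov 29 15:17:17 hostname kernel: [397770.000001] [UFW BLOCK] IN=eth0 OUT= MAC=00:00:5e:00:53:01:00:00:5e:00:53:02:08:00 SRC=192.0.2.88 DST=198.51.100.5 LEN=40 TOS=0x00 PREC=0x00 TTL=240 ID=54321 PROTO=TCP SPT=1234 DPT=80 WINDOW=1024 RES=0x00 ACK URGP=0
"""

# Bare tokens that netfilter's LOG target emits for TCP flags.
TCP_FLAG_TOKENS = {"SYN", "ACK", "FIN", "RST", "PSH", "URG", "ECE", "CWR"}

# Syslog prefix, kernel uptime stamp, and the UFW BLOCK tag; the rest is parsed token by token.
HEADER_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) kernel: "
    r"\[\s*[\d.]+\] \[UFW BLOCK\] (?P<rest>.*)$"
)


@dataclass
class BlockEntry:
    timestamp: str
    host: str
    fields: dict   # KEY=VALUE pairs such as SRC, DST, PROTO, SPT, DPT
    flags: set     # bare TCP flag tokens present on the line


def parse_line(line):
    """Parse one UFW BLOCK line; returns None for lines in another format."""
    m = HEADER_RE.match(line.strip())
    if not m:
        return None
    fields, flags = {}, set()
    for tok in m.group("rest").split():
        if "=" in tok:
            key, value = tok.split("=", 1)
            fields[key] = value          # OUT= yields an empty string, which is fine
        elif tok in TCP_FLAG_TOKENS:
            flags.add(tok)
    return BlockEntry(m.group("ts"), m.group("host"), fields, flags)


def classify(entry):
    """Label a drop by what the TCP flags say about connection state (constructed labels)."""
    if entry.fields.get("PROTO") != "TCP":
        return "non-tcp"
    if "SYN" in entry.flags and "ACK" not in entry.flags:
        # First packet of a new connection: the firewall policy really refused it.
        return "new-connection-refused"
    if "FIN" in entry.flags and "ACK" in entry.flags:
        # Final teardown segment arriving after conntrack forgot the flow, as the answer explains.
        return "teardown-residue"
    if "RST" in entry.flags:
        return "reset-residue"
    # Mid-stream segment with no tracked connection (late retransmit, stray ACK, etc.).
    return "untracked-mid-stream"


def summarize(log_text):
    """Count drops per (category, destination port) so real refusals stand out from noise."""
    counts = {}
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry is None:
            continue
        key = (classify(entry), entry.fields.get("DPT"))
        counts[key] = counts.get(key, 0) + 1
    return counts


if __name__ == "__main__":
    for (category, dport), n in sorted(summarize(SAMPLE_LOG).items()):
        print(f"{category:24s} DPT={dport:5s} {n}")
```

Run against a real file with `summarize(open("/var/log/ufw.log").read())`; if nearly every DPT=80 entry lands in `teardown-residue` rather than `new-connection-refused`, the web server is reachable and the log is only recording the tail end of finished connections.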