UFW Logging – Why Are Blocked Requests Logged on Open Port?

loggingufw

Nov 29 15:17:15 hostname kernel: [397768.554884] [UFW BLOCK] IN=eth0
OUT= MAC=[mac] SRC=[ip] DST=[ip] LEN=52 TOS=0x00 PREC=0x00 TTL=52
ID=17050 PROTO=TCP SPT=56152 DPT=80 WINDOW=65535 RES=0x00 ACK FIN
URGP=0

As I understand it, there was a request to port 80, which was blocked. Most of the messages have DPT=80.

Which is weird, since port 80 is open for business and serving websites like never before. What am I missing here?

Best Answer

Notice that your packet has both the FIN and ACK bits set. This is the last packet that the remote host sends in the TCP tear down (end of connection) procedure.

What happens is, when your host has finished sending it sets the FIN and ACK flags on the last packet. The remote hosts sends a packet with ACK set followed by a packet with FIN and ACK set.

Local          remote
FIN ACK ---->
        <----  ACK
        <----  FIN ACK (?optional?)
ACK     ----->

In practice, the remotes FIN ACK is considered optional so the netfilter firewall will flush it's connection table when it sees the ACK so when the FIN ACK packet arrives it has no associated connection and is dropped.

Related Solutions

UFW blocking port 80 when it should not

I spent a significant amount of time trying to troubleshoot this problem. The involvement of UFW was a symptom of the real problem and not the cause. I found a solution so I didn't want to leave the question unanswered.

I discovered that for a reason I cannot yet explain syncookies were disabled on the apache servers behind the load balancer:

# sysctl -a | grep syncookies
net.ipv4.tcp_syncookies = 0

The reason I cannot explain this is that it is set to 1 in the default Centos6 /etc/sysctl.conf file. That is a separate issue for me to figure out.

You can read more about syn cookies here:

http://en.wikipedia.org/wiki/SYN_cookies

These are relatively busy servers that handle a lot of connections. My best guess is that enabling UFW (and thus enabling iptables) slowed things down just enough for the syn queue to fill up and without syncookies on connections started getting refused.

Iptables: How to read this OPT string

0204057D010303010101080A3E521D4D0000000004020000
From a sans.org study guide,
the first 2 bytes (0x0204) 04--is-length 02 means MSS flag
the next 2 bytes (0x057D) are the value for maximum size segment (MSS)
the next byte (0x01) is a no-op
the next 2 bytes (0x0303) indicate a windows scaling is enabled

the 3 bytes ("010101") are no-ops (AKA padding)
the 2 next bytes ("080a") flag a time stamp value
the 4 next bytes (("0x3E521D4D00000000") are date time 5 * 2 bytes
the 4 next bytes ("0402") sAck Ok

The master document: ftp://ftp.ietf.org/iana/tcp-parameters/tcp-parameters.xml
Others: https://datatracker.ietf.org/doc/html/draft-ietf-tcpm-tcp-security-03
http://www.ietf.org/mail-archive/web/tcpm/current/msg03199.html

for humor! : https://www.rfc-editor.org/rfc/rfc5841

Best Answer

Related Solutions

UFW blocking port 80 when it should not

Iptables: How to read this OPT string

Related Topic