DROP_CTINVALID from unusual IP

Could anyone explain what this log means? I am getting some weird
traffic from an IP that belongs to a Government in UA

DROP_CTINVALID red0 TCP [77.120.110.150]

Hi,

since the firewall log in the WebUI is missing some technical details (such as the flags of a packet), could you please post the log message as it appeared in /var/log/messages here?

Thanks, and best regards,
Peter Müller

Thank you Peter
I posted this because I found it interesting that it’s coming from a government IP.

Here is the log message, hope it is legible enough.
kernel: DROP_CTINVALID IN=red0 OUT= MAC=XX.XX.XX.XX SRC=193.19.152.72 DST=X.X.X.X LEN=44 TOS=0x00 PREC=0x00 TTL=50 ID=50000 PROTO=TCP SPT=80 DPT=47356 WINDOW=16384 RES=0x00 ACK SYN URGP=0 MARK=0x80000000

Hi,

that’s interesting indeed, as the offending packet was a SYN-ACK (the second packet in a TCP handshake). If the initial SYN was not sent from your IPFire machine or a client behind it, I would expect this packet to have been caught by NEWNOTSYN, since it is precisely that.

On the other hand, if the connection was established by one of your devices, I don’t really see why conntrack flags it as being invalid.

This makes no sense either way… :frowning:

Thanks, and best regards,
Peter Müller

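To check what Peter reads off the log line (a SYN-ACK caught by DROP_CTINVALID), here is an added example that is not part of the thread or of IPFire: a small parser for netfilter `LOG` lines such as the one quoted above, which splits the `KEY=VALUE` fields, collects the bare TCP flag tokens and names the handshake step they correspond to. The sample line is the one from the post (DST masked as in the original); function names are my own.

```python
# Sample copied from the log line quoted in the thread (DST masked as posted).
SAMPLE = ("kernel: DROP_CTINVALID IN=red0 OUT= MAC=XX.XX.XX.XX SRC=193.19.152.72 "
          "DST=X.X.X.X LEN=44 TOS=0x00 PREC=0x00 TTL=50 ID=50000 PROTO=TCP SPT=80 "
          "DPT=47356 WINDOW=16384 RES=0x00 ACK SYN URGP=0 MARK=0x80000000")

# netfilter prints TCP flags as bare words, not in KEY=VALUE form.
TCP_FLAGS = {"SYN", "ACK", "FIN", "RST", "PSH", "URG", "CWR", "ECE"}

def parse_netfilter_log(line: str) -> dict:
    """Split a netfilter LOG line into fields.

    'prefix' holds the rule prefix (here the IPFire chain name DROP_CTINVALID),
    'flags' the set of TCP flag tokens, and every KEY=VALUE pair is kept as-is
    (so OUT= becomes OUT -> '').
    """
    body = line.split("kernel:", 1)[-1].strip()   # drop the syslog tag if present
    fields = {"prefix": None, "flags": set()}
    for tok in body.split():
        if "=" in tok:
            key, _, value = tok.partition("=")
            fields[key] = value
        elif tok in TCP_FLAGS:
            fields["flags"].add(tok)
        elif fields["prefix"] is None:
            fields["prefix"] = tok
    return fields

def describe_tcp_flags(flags: set) -> str:
    """Name the handshake step a flag combination belongs to."""
    if flags == {"SYN"}:
        return "SYN (first handshake packet)"
    if flags == {"SYN", "ACK"}:
        # The thread's case: conntrack found no matching SYN state for this reply.
        return "SYN-ACK (second handshake packet)"
    if "RST" in flags:
        return "RST"
    if "FIN" in flags:
        return "FIN"
    if "ACK" in flags:
        return "ACK (established-phase segment)"
    return "other"

def summarize(line: str) -> dict:
    """Reduce one log line to the fields a reviewer of such a drop wants to see."""
    f = parse_netfilter_log(line)
    return {
        "prefix": f["prefix"],
        "iface": f.get("IN"),
        "src": f"{f.get('SRC')}:{f.get('SPT')}",
        "dst": f"{f.get('DST')}:{f.get('DPT')}",
        "ttl": int(f["TTL"]) if f.get("TTL") else None,
        "tcp": describe_tcp_flags(f["flags"]),
    }

if __name__ == "__main__":
    print(summarize(SAMPLE))
```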