[ale] iptables issue
JK
jknapka at kneuro.net
Mon Jul 17 01:44:18 EDT 2006
Jim Popovitch wrote:
> JK wrote:
>
>>This appears to be a server-side "close connection"
>>packet (FIN). It may be that it's a
>>re-send of a FIN that had been sent previously,
>>and at the time it was put in the outgoing queue,
>>the connection was still open. By the time it
>>got into the filter, though, the client had
>>replied to the earlier FIN and the connection was
>>closed. (This is just a hypothesis; I don't
>>know whether the kernel's handling of closing
>>connections would actually admit this behavior.)
>
>
> Interesting theory. I checked the logs and sure enough every outbound
> block is a FIN. So, is there a way to add a rule to just allow all
> outbound FINs?
iptables -A OUTPUT -p tcp --tcp-flags FIN FIN -j ACCEPT
should do it. I'm not 100% certain that's a good
idea, but I can't think offhand of a way that
rule could be abused. You may want to add
'--sport http'.
-- JK
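One way to put the suggestion above into a ruleset, as an added example that is not part of the original thread or anyone's posted configuration. It assumes a host firewall whose OUTPUT chain ends in a LOG rule followed by DROP (which is what the logged outbound blocks in the thread suggest) and an HTTP server on port 80 (the "--sport http" mentioned above); both are assumptions. It also narrows the match: rather than accepting every packet with FIN set, it requires FIN and ACK set with SYN and RST clear, and only from the served port.

```shell
#!/bin/sh
# Added example, not from the thread. Assumes an OUTPUT chain that ends in
# LOG then DROP, and an HTTP server on port 80 (both assumptions). By
# default it only prints the iptables commands it would run; invoke it as
# root with IPT=iptables to actually apply them.
IPT="${IPT:-echo iptables}"

# Emit the OUTPUT rules in the order they must be appended.
outbound_rules() {
    # 1. Anything conntrack still knows about goes through unchanged.
    $IPT -A OUTPUT -p tcp -m state --state ESTABLISHED,RELATED -j ACCEPT

    # 2. The thread's case: a FIN the server retransmits after conntrack
    #    has already torn the entry down. --tcp-flags takes two arguments,
    #    a mask and the flags that must be set within that mask (a bare
    #    "--tcp-flags FIN" is rejected by iptables). Requiring FIN and ACK
    #    set with SYN and RST clear, and limiting it to the served port,
    #    is far narrower than accepting every packet that carries FIN.
    $IPT -A OUTPUT -p tcp --sport 80 \
        --tcp-flags FIN,SYN,RST,ACK FIN,ACK -j ACCEPT

    # 3. Everything else is still logged and dropped, so the only thing
    #    that disappears from the log is the late FIN.
    $IPT -A OUTPUT -j LOG --log-prefix "OUTPUT-DROP: "
    $IPT -A OUTPUT -j DROP
}

# Sanity check on the emitted ruleset: the FIN rule must sit after the
# stateful ACCEPT and before the LOG/DROP tail, otherwise it either never
# fires or fires for traffic conntrack would have handled anyway.
# Returns 0 when the order is right, 1 otherwise.
check_rule_order() {
    outbound_rules | awk '
        /ESTABLISHED,RELATED/                  { est = NR }
        /--tcp-flags FIN,SYN,RST,ACK FIN,ACK/  { fin = NR }
        /-j LOG/                               { lg  = NR }
        END { exit !(est && fin && lg && est < fin && fin < lg) }'
}

# Print (or, with IPT=iptables, apply) the rules only if they are ordered
# correctly.
check_rule_order && outbound_rules
```

The alternative to a flag-based exception is to keep conntrack from forgetting the connection so quickly: on current kernels the sysctl net.netfilter.nf_conntrack_tcp_timeout_close (ip_conntrack_tcp_timeout_close on the 2.6-era ip_conntrack module) sets how long a closed entry is kept, and lengthening it lets a retransmitted FIN still match as ESTABLISHED without any special-case rule.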