[syslog-ng]syslog-ng problem

Pavel Urban syslog-ng@lists.balabit.hu
Thu, 14 Oct 2004 20:15:54 +0200


I've found out what was causing the problem. Just for the record:

If you use a static source port (the 'localport' directive), you can encounter 
a problem with a PIX firewall. What happened here?

1. the central syslog had the connection in ESTABLISHED state
2. the client had syslog-ng shut down; after restart it tried to connect
3. a SYN packet was received by the central syslog for a connection that it 
thought should already be established
4. the central syslog responded with an ACK
5. the client was confused by the ACK because it expected a SYN-ACK, so it sent a RST
6. the PIX firewall treats a SYN followed by a RST as an attack, so it blocked the 
packet
7. the central syslog still keeps the connection in ESTABLISHED state, the 
client in SYN_SENT state
8. after some time, the client sends a SYN again... and we're in the loop.

Not very nice. So, be careful when setting localport!


Pavel Urban wrote:

> Hello,
> 
> we are having a problem with syslog-ng ver. 1.6.2. On one RedHat Linux 
> ES 3, I've seen that it sends SYN, receives ACK and immediately sends 
> RST. Anybody seen this behaviour?
> 
> 20:26:34.610520 192.168.30.28.5140 > 192.168.30.162.5140: S 
> 1768598228:1768598228(0) win 5840 <mss 1460,sackOK,timestamp 885631 
> 0,nop,wscale 0> (DF)
> 20:26:34.610660 192.168.30.162.5140 > 192.168.30.28.5140: . ack 1 win 
> 62928 <nop,nop,timestamp 1022214670 497333> (DF)
> 20:26:34.610711 192.168.30.28.5140 > 192.168.30.162.5140: R 
> 611445588:611445588(0) win 0 (DF)
> 20:27:22.610006 192.168.30.28.5140 > 192.168.30.162.5140: S 
> 1768598228:1768598228(0) win 5840 <mss 1460,sackOK,timestamp 890431 
> 0,nop,wscale 0> (DF)
> 20:27:22.610152 192.168.30.162.5140 > 192.168.30.28.5140: . ack 1 win 
> 62928 <nop,nop,timestamp 1022239252 497333> (DF)
> 20:27:22.610195 192.168.30.28.5140 > 192.168.30.162.5140: R 
> 611445588:611445588(0) win 0 (DF)
> 
> When I try e.g. telnet, it works just fine.
> 
> 20:30:56.617785 192.168.30.28.32908 > 192.168.30.162.5140: S 
> 2089428237:2089428237(0) win 5840 <mss 1460,sackOK,timestamp 911833 
> 0,nop,wscale 0> (DF) [tos 0x10]
> 20:30:56.617995 192.168.30.162.5140 > 192.168.30.28.32908: S 
> 1997864569:1997864569(0) ack 2089428238 win 5792 <mss 
> 1380,sackOK,timestamp 1022348859 911833,nop,wscale 0> (DF)
> 20:30:56.618051 192.168.30.28.32908 > 192.168.30.162.5140: . ack 1 win 
> 5840 <nop,nop,timestamp 911833 1022348859> (DF) [tos 0x10]
> 20:31:01.079466 192.168.30.28.32908 > 192.168.30.162.5140: F 1:1(0) ack 
> 1 win 5840 <nop,nop,timestamp 912279 1022348859> (DF) [tos 0x10]
> 20:31:01.079677 192.168.30.162.5140 > 192.168.30.28.32908: F 1:1(0) ack 
> 2 win 5792 <nop,nop,timestamp 1022351145 912279> (DF)
> 20:31:01.079717 192.168.30.28.32908 > 192.168.30.162.5140: . ack 2 win 
> 5840 <nop,nop,timestamp 912279 1022351145> (DF) [tos 0x10]
> 
> 


-- 
***********************************************************************
Pavel Urban (pavel.urban@imaginet.cz)
IOL system disaster
Internet OnLine, owned by Cesky Telecom, a.s. (www.ct.cz)
***********************************************************************
    Vegetables should not operate electronic equipment.
           Computer Stupidities, http://rinkworks.com/stupid/
***********************************************************************
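The eight-step loop described in the post can be replayed as a small TCP state-machine model. The code below is an added example, not syslog-ng or PIX code and not something from the original message: it models a client bound to one fixed source port, a server that still holds the previous session in ESTABLISHED, and a stateful firewall that optionally drops a client RST sent directly after that client's SYN (the behaviour the post attributes to the PIX). The state names, sequence numbers and the one-retransmission-per-restart rule are constructed assumptions for the model; the RFC 793 rules it follows are that a SYN arriving on an ESTABLISHED connection is answered with a plain ACK, and that an ACK which does not cover the outstanding SYN makes the SYN_SENT side reply with a RST whose sequence number is the offending ACK number.

```python
"""Model of the SYN / ACK / RST loop from the post above.

Constructed simulation (not syslog-ng or PIX code). Run it directly to see
both traces: with the RST dropped the client never leaves SYN_SENT, with the
RST delivered the stale server entry is torn down and the retransmitted SYN
completes a normal three-way handshake.
"""
from dataclasses import dataclass


@dataclass
class Seg:
    sender: str   # "client" or "server"
    flags: str    # "S", "SA", "A" or "R"
    seq: int = 0
    ack: int = 0


class Server:
    """Central syslog receiver with one slot for the peer's fixed source port."""

    def __init__(self):
        self.state, self.snd_nxt, self.rcv_nxt = "LISTEN", 1000, 0

    def handle(self, seg):
        if self.state == "LISTEN" and seg.flags == "S":
            self.state, self.rcv_nxt = "SYN_RECEIVED", seg.seq + 1
            return Seg("server", "SA", self.snd_nxt, self.rcv_nxt)
        if self.state == "SYN_RECEIVED" and seg.flags == "A" and seg.ack == self.snd_nxt + 1:
            self.state, self.snd_nxt = "ESTABLISHED", self.snd_nxt + 1
            return None
        if self.state == "ESTABLISHED":
            if seg.flags == "S":
                # SYN on a connection we believe is up: RFC 793 answers with a plain ACK
                return Seg("server", "A", self.snd_nxt, self.rcv_nxt)
            if seg.flags == "R" and seg.seq == self.rcv_nxt:
                self.state = "LISTEN"          # in-window RST tears the stale session down
        return None


class Client:
    """syslog-ng client bound to a fixed localport; picks a fresh ISS per connect()."""

    def __init__(self):
        self.state, self.iss = "CLOSED", 4000

    def connect(self):
        self.state, self.iss = "SYN_SENT", self.iss + 1000   # constructed ISS sequence
        return Seg("client", "S", self.iss, 0)

    def retransmit(self):
        return Seg("client", "S", self.iss, 0)

    def handle(self, seg):
        if self.state != "SYN_SENT":
            return None
        if seg.flags == "SA" and seg.ack == self.iss + 1:
            self.state = "ESTABLISHED"
            return Seg("client", "A", self.iss + 1, seg.seq + 1)
        if "A" in seg.flags and seg.ack != self.iss + 1:
            # ACK that does not cover our SYN is unacceptable: RST with seq = its ack number
            return Seg("client", "R", seg.ack, 0)
        return None


class Firewall:
    """Stateful middlebox; may drop a client RST that directly follows that client's SYN."""

    def __init__(self, drop_rst_after_syn):
        self.drop, self.last = drop_rst_after_syn, {}

    def forward(self, seg):
        prev = self.last.get(seg.sender)
        self.last[seg.sender] = seg.flags
        if self.drop and seg.flags == "R" and prev == "S":
            return None
        return seg


def simulate(drop_rst_after_syn, restarts=3):
    """Replay `restarts` client restarts; returns (trace, client_state, server_state)."""
    server, client, fw = Server(), Client(), Firewall(drop_rst_after_syn)
    # Precondition from the post: the previous session from the same port was never torn down
    client.connect()
    server.state, server.rcv_nxt, server.snd_nxt = "ESTABLISHED", client.iss + 1, 1
    trace = []

    def exchange(seg):
        while seg is not None:
            fwd = fw.forward(seg)
            if fwd is None:
                trace.append(f"firewall dropped {seg.sender}:{seg.flags}")
                return
            trace.append(f"{fwd.sender}:{fwd.flags}")
            seg = server.handle(fwd) if fwd.sender == "client" else client.handle(fwd)

    for _ in range(restarts):
        client.state = "CLOSED"          # syslog-ng restarted; the kernel forgot the old socket
        exchange(client.connect())
        if client.state == "SYN_SENT":   # no SYN-ACK yet: model one SYN retransmission
            exchange(client.retransmit())
    return trace, client.state, server.state


if __name__ == "__main__":
    for drop in (True, False):
        trace, c, s = simulate(drop)
        print(f"drop RST after SYN={drop}: client={c} server={s}")
        print("  " + " ".join(trace))
```

The two runs differ only in whether the RST reaches the server. When it does, the server's stale ESTABLISHED entry is cleared and the retransmitted SYN is answered with a SYN-ACK, which is the sequence the tcpdump capture shows for the telnet test from an ephemeral port. When the middlebox eats the RST, every restart produces the same SYN, ACK, RST triplet and the client never gets past SYN_SENT, which is why a fixed source port is the ingredient to avoid: with an ephemeral port the SYN never collides with the server's old four-tuple in the first place.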