UFW logs blocked request on open port, what am I missing?
Nov 29 15:17:15 hostname kernel: [397768.554884] [UFW BLOCK] IN=eth0 OUT= MAC=[mac] SRC=[ip] DST=[ip] LEN=52 TOS=0x00 PREC=0x00 TTL=52 ID=17050 PROTO=TCP SPT=56152 DPT=80 WINDOW=65535 RES=0x00 ACK FIN URGP=0
As I understand it, there was a request to port 80, which was blocked. Most of the messages have DPT=80.
Which is weird, since port 80 is open for business and serving websites like never before. What am I missing here?
Notice that your packet has both the FIN and ACK bits set. This is the last packet that the remote host sends in the TCP tear down (end of connection) procedure.
What happens is, when your host has finished sending it sets the FIN and ACK flags on the last packet. The remote host sends a packet with ACK set, followed by a packet with FIN and ACK set.
    Local                        Remote
    FIN ACK ---->
                 <---- ACK
                 <---- FIN ACK (?optional?)
    ACK ----->
In practice, the remote's FIN ACK is considered optional, so the netfilter firewall will flush its connection table when it sees the ACK. When the FIN ACK packet then arrives it has no associated connection and is dropped.
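The practical follow-up to this answer is telling the harmless teardown stragglers apart from blocked packets that actually mean a client was refused. The script below is an added example, not code from the question or the answer: it parses `[UFW BLOCK]` kernel log lines of the shape shown in the question, pulls out the bare TCP flag tokens (`ACK`, `FIN`, `SYN`, ...) that netfilter's LOG target appends, and sorts each entry into a category a defender cares about. A lone SYN means a real connection attempt hit a closed port; FIN or RST without SYN is the late teardown traffic described above. The sample log lines are constructed for the example (documentation address ranges, made-up MAC), and the category names are this example's own.

```python
import re
from collections import Counter
from dataclasses import dataclass

# Bare flag tokens that netfilter's LOG target appends to a TCP entry (no '=' after them).
TCP_FLAG_TOKENS = ("CWR", "ECE", "URG", "ACK", "PSH", "RST", "SYN", "FIN")
KV_RE = re.compile(r"(\w+)=(\S*)")


@dataclass(frozen=True)
class UfwBlock:
    timestamp: str
    iface_in: str
    proto: str
    src: str
    dst: str
    spt: int
    dpt: int
    flags: frozenset


def parse_ufw_block(line):
    """Parse one '[UFW BLOCK]' kernel log line; return None for any other line."""
    if "[UFW BLOCK]" not in line:
        return None
    body = line.split("[UFW BLOCK]", 1)[1]
    fields = dict(KV_RE.findall(body))          # KEY=value pairs (OUT= gives an empty value)
    tokens = set(body.split())
    flags = frozenset(t for t in TCP_FLAG_TOKENS if t in tokens)  # only bare tokens match
    return UfwBlock(
        timestamp=line[:15],                    # syslog prefix, e.g. "Nov 29 15:17:15"
        iface_in=fields.get("IN", ""),
        proto=fields.get("PROTO", ""),
        src=fields.get("SRC", ""),
        dst=fields.get("DST", ""),
        spt=int(fields["SPT"]) if fields.get("SPT", "").isdigit() else -1,
        dpt=int(fields["DPT"]) if fields.get("DPT", "").isdigit() else -1,
        flags=flags,
    )


def classify(block):
    """Sort a blocked packet into what it most likely means for the defender (example categories)."""
    if block.proto != "TCP":
        return "non-tcp"
    f = block.flags
    if "SYN" in f and "ACK" not in f:
        return "new-connection-attempt"   # a client was actually refused: check the rule set
    if "FIN" in f or "RST" in f:
        return "teardown-straggler"       # late FIN ACK / RST after conntrack dropped the flow
    if "ACK" in f:
        return "out-of-state-ack"         # ACK for a connection the firewall no longer knows
    return "other"


def summarize(lines):
    """Count (dport, category) pairs so routine noise and real refusals separate by port."""
    counts = Counter()
    for line in lines:
        block = parse_ufw_block(line)
        if block is not None:
            counts[(block.dpt, classify(block))] += 1
    return counts


# Constructed sample log: the first line mirrors the one in the question, with
# TEST-NET addresses and a made-up MAC in place of the redacted values.
SAMPLE_LOG = [
    "Nov 29 15:17:15 hostname kernel: [397768.554884] [UFW BLOCK] IN=eth0 OUT= "
    "MAC=00:00:5e:00:53:01:00:00:5e:00:53:02:08:00 SRC=203.0.113.5 DST=198.51.100.10 "
    "LEN=52 TOS=0x00 PREC=0x00 TTL=52 ID=17050 PROTO=TCP SPT=56152 DPT=80 "
    "WINDOW=65535 RES=0x00 ACK FIN URGP=0",
    # A bare SYN to a port nothing listens on: a genuine refused connection.
    "Nov 29 15:18:02 hostname kernel: [397815.102345] [UFW BLOCK] IN=eth0 OUT= "
    "MAC=00:00:5e:00:53:01:00:00:5e:00:53:03:08:00 SRC=203.0.113.7 DST=198.51.100.10 "
    "LEN=60 TOS=0x00 PREC=0x00 TTL=51 ID=8 DF PROTO=TCP SPT=40122 DPT=8080 "
    "WINDOW=29200 RES=0x00 SYN URGP=0",
    # A UDP packet, to exercise the non-TCP path.
    "Nov 29 15:18:40 hostname kernel: [397853.000001] [UFW BLOCK] IN=eth0 OUT= "
    "MAC=00:00:5e:00:53:01:00:00:5e:00:53:04:08:00 SRC=203.0.113.9 DST=198.51.100.10 "
    "LEN=78 TOS=0x00 PREC=0x00 TTL=60 ID=0 DF PROTO=UDP SPT=5353 DPT=5353 LEN=58",
    # Unrelated syslog line, ignored by the parser.
    "Nov 29 15:19:00 hostname sshd[1234]: Accepted publickey for alice from 203.0.113.11",
]

if __name__ == "__main__":
    for (dport, category), n in sorted(summarize(SAMPLE_LOG).items()):
        print(f"DPT={dport:<6} {category:<24} {n}")
```

Run it over `/var/log/ufw.log` (or `journalctl -k`) output instead of `SAMPLE_LOG` and the port-80 entries with `ACK FIN` fall into the teardown bucket, while anything counted as `new-connection-attempt` on a port you believe is open is the case worth investigating.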