TCP segment length 0
Hi,
I have a lot of packets from iPhones which get denied:
2019-08-31 19:11:28 Deny 192.168.9.21 31.13.72.8 https/tcp 51728 443 103-Home network Firebox invalid 40 64 (Internal Policy) proc_id="firewall" rc="101" msg_id="3000-0148" tcp_info="offset 5 R 51827881 win 0" Traffic
2019-08-31 19:11:28 Deny 192.168.9.21 31.13.72.8 https/tcp 51728 443 103-Home network Firebox invalid 40 64 (Internal Policy) proc_id="firewall" rc="101" msg_id="3000-0148" tcp_info="offset 5 R 51827881 win 0" Traffic
All packets have TCP segment length = 0, but is it by design that Fireware (12.5U1) denies these packets?
Robert
Comments
I'm not seeing these from 2 iPhones here (home). But we don't do much web access with the iPhones while here.
Both running iOS 12.4
Well, the real question is, should Fireware block these types of packets as invalid?
What is the purpose of a zero-length segment?
Seems like they really shouldn’t exist - so maybe an invalid deny is appropriate
It is going to Facebook. It is better to deny it - one never knows what that crowd is planning next. Remember Cambridge Analytica?
Adrian from Australia
Could it not be some sort of keep-alive packet?
The iPhone even does it on secure IMAP connections:
2019-09-01 17:53:05 Deny 192.168.9.21 46.30.211.111 imaps/tcp 53265 993 103-Home network Firebox invalid 40 64 (Internal Policy) proc_id="firewall" rc="101" msg_id="3000-0148" tcp_info="offset 5 R 886560318 win 0" Traffic
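Added example, not part of the thread and not WatchGuard code: a parser for the deny lines quoted above that splits the logged length into header and payload bytes and decodes the `tcp_info` field. It assumes the two integers before the policy name are the IP total length and TTL, that the IPv4 header carries no options (20 bytes), and that each letter in `tcp_info` stands for one TCP flag (R = RST).

```python
import re

# The two distinct deny lines quoted in the thread, copied verbatim.
SAMPLE = [
    '2019-08-31 19:11:28 Deny 192.168.9.21 31.13.72.8 https/tcp 51728 443 103-Home network Firebox invalid 40 64 (Internal Policy) proc_id="firewall" rc="101" msg_id="3000-0148" tcp_info="offset 5 R 51827881 win 0" Traffic',
    '2019-09-01 17:53:05 Deny 192.168.9.21 46.30.211.111 imaps/tcp 53265 993 103-Home network Firebox invalid 40 64 (Internal Policy) proc_id="firewall" rc="101" msg_id="3000-0148" tcp_info="offset 5 R 886560318 win 0" Traffic',
]

# Assumption: the two integers before "(policy)" are IP total length and TTL.
LINE_RE = re.compile(
    r'^(?P<ts>\S+ \S+) (?P<disp>Allow|Deny) (?P<src>\S+) (?P<dst>\S+) '
    r'(?P<svc>\S+) (?P<sport>\d+) (?P<dport>\d+) .*? '
    r'(?P<ip_len>\d+) (?P<ttl>\d+) \((?P<policy>[^)]*)\)'
    r'.*?msg_id="(?P<msg_id>[^"]+)"'
    r'.*?tcp_info="offset (?P<off>\d+) (?P<flags>[A-Z]+) (?P<seq>\d+) win (?P<win>\d+)"'
)

# Assumption: one letter per TCP flag inside tcp_info.
FLAG_NAMES = {"S": "SYN", "A": "ACK", "F": "FIN", "R": "RST", "P": "PSH", "U": "URG"}
IPV4_HEADER_LEN = 20  # assumption: no IP options; the log does not record the IHL


def parse_deny(line):
    """Decode one traffic log line; return None if it does not match the layout."""
    m = LINE_RE.search(line)
    if m is None:
        return None
    tcp_header_len = int(m["off"]) * 4  # data offset is counted in 32-bit words
    return {
        "time": m["ts"],
        "src": f'{m["src"]}:{m["sport"]}',
        "dst": f'{m["dst"]}:{m["dport"]}',
        "flags": [FLAG_NAMES.get(c, c) for c in m["flags"]],
        "payload_len": int(m["ip_len"]) - IPV4_HEADER_LEN - tcp_header_len,
        "window": int(m["win"]),
        "msg_id": m["msg_id"],
    }


def summarize(lines):
    """Parse every line that matches and skip the rest."""
    return [rec for rec in map(parse_deny, lines) if rec is not None]


if __name__ == "__main__":
    for rec in summarize(SAMPLE):
        print(rec["time"], rec["src"], "->", rec["dst"], "/".join(rec["flags"]),
              f'payload={rec["payload_len"]}B win={rec["window"]}')
```

Under those assumptions both quoted lines decode to an RST with a 20-byte TCP header, no payload and a window of 0.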