joined:Mar 17, 2006
How do you guys treat invalid IP packets in your firewall settings? I've looked into this after losing all of the traffic from Verizon Wireless this past weekend. I am not sure if this was the issue but after I removed the DROP rule for invalid packets, I can now connect from a smartphone (it goes through IPv6 -> IPv4 tunnel, which might have been what was throwing the firewall off). Oddly though, the packets don't get logged as INVALID (log is turned on for invalid packets) and yet as soon as I removed DROP for INVALID, I could connect.
Anyway, the broader issue here is this: until I set up that log file for invalid packets, I had no idea how common they were! I am seeing completely legit requests from the likes of Microsoft Corp. (Bingbot) that show up as INVALID in iptables and therefore were dropped. I would say about 10-20% of all Bingbot requests register as INVALID by iptables. I don't possess enough networking knowledge to find out exactly why they are marked as INVALID but I think something is not right here - the point is, by dropping all INVALID packets, there may be a tremendous amount of false positives.
So, what does this esteemed community think about dropping or allowing all INVALID IP packets? On one hand they are an attack vector, on another there seem to be some important false positives. Good idea to log them but not drop them?