Invalid Packets and firewalls: to drop or not to drop?



11:46 pm on May 14, 2013 (gmt 0)

How do you guys treat invalid IP packets in your firewall settings? I've looked into this after losing all of the traffic from Verizon Wireless this past weekend. I am not sure if this was the issue but after I removed the DROP rule for invalid packets, I can now connect from a smartphone (it goes through IPv6 -> IPv4 tunnel, which might have been what was throwing the firewall off). Oddly though, the packets don't get logged as INVALID (log is turned on for invalid packets) and yet as soon as I removed DROP for INVALID, I could connect.

Anyway, the broader issue here is this: until I set up that log file for invalid packets, I had no idea how common they were! I am seeing completely legit requests from the likes of Microsoft Corp. (Bingbot) that show up as INVALID in iptables and therefore were dropped. I would say about 10-20% of all Bingbot requests register as INVALID by iptables. I don't possess enough networking knowledge to find out exactly why they are marked as INVALID but I think something is not right here - the point is, by dropping all INVALID packets, there may be a tremendous amount of false positives.

So, what does this esteemed community think about dropping or allowing all INVALID IP packets? On one hand they are an attack vector, on another there seem to be some important false positives. Good idea to log them but not drop them?


12:10 am on May 15, 2013 (gmt 0)

Forgot to mention another important source of invalids: Facebook! All 100% of the packets generated by facebookexternalhit/1.1 are marked as INVALID by iptables.
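An added example, not part of the original posts: when INVALID packets are logged rather than dropped, tallying the log by TCP flag combination and source shows what conntrack is actually rejecting. The `INVALID: ` log prefix, the function names and the sample lines are assumptions constructed for illustration.

```python
import re
from collections import Counter

# Constructed sample in the kernel's iptables LOG line format. The "INVALID: "
# prefix is an assumed --log-prefix; addresses are RFC 5737 documentation ranges.
SAMPLE_LOG = """\
May 14 23:01:02 web kernel: INVALID: IN=eth0 OUT= SRC=192.0.2.10 DST=198.51.100.5 LEN=40 TTL=52 ID=0 DF PROTO=TCP SPT=51514 DPT=80 WINDOW=0 RES=0x00 RST URGP=0
May 14 23:01:03 web kernel: INVALID: IN=eth0 OUT= SRC=192.0.2.10 DST=198.51.100.5 LEN=40 TTL=52 ID=0 DF PROTO=TCP SPT=51514 DPT=80 WINDOW=0 RES=0x00 ACK RST URGP=0
May 14 23:01:09 web kernel: INVALID: IN=eth0 OUT= SRC=192.0.2.10 DST=198.51.100.5 LEN=52 TTL=52 ID=7 DF PROTO=TCP SPT=51520 DPT=80 WINDOW=229 RES=0x00 ACK FIN URGP=0
May 14 23:02:11 web kernel: SSH: IN=eth0 OUT= SRC=203.0.113.7 DST=198.51.100.5 LEN=60 TTL=50 ID=9 DF PROTO=TCP SPT=40000 DPT=22 WINDOW=29200 RES=0x00 SYN URGP=0
May 14 23:02:15 web kernel: INVALID: IN=eth0 OUT= SRC=203.0.113.7 DST=198.51.100.5 LEN=92 TTL=50 ID=11 DF PROTO=TCP SPT=40412 DPT=80 WINDOW=115 RES=0x00 ACK PSH URGP=0
May 14 23:02:16 web kernel: INVALID: IN=eth0 OUT= SRC=203.0.113.7 DST=198.51.100.5 LEN=92 TTL=50 ID=12 DF PROTO=TCP SPT=40412 DPT=80 WINDOW=115 RES=0x00 ACK PSH URGP=0
"""

# Flag names as they appear as bare tokens in LOG output.
TCP_FLAGS = ("CWR", "ECE", "URG", "ACK", "PSH", "RST", "SYN", "FIN")
FIELD_RE = re.compile(r"\b([A-Z]+)=(\S*)")

def parse_line(line, prefix="INVALID: "):
    """Return src/proto/dpt/flags for a line logged with `prefix`, else None."""
    if prefix not in line:
        return None
    body = line.split(prefix, 1)[1]
    fields = dict(FIELD_RE.findall(body))   # KEY=value pairs (OUT= may be empty)
    tokens = body.split()
    flags = "+".join(f for f in TCP_FLAGS if f in tokens) or "none"
    return {"src": fields.get("SRC"), "proto": fields.get("PROTO"),
            "dpt": fields.get("DPT"), "flags": flags}

def summarize(lines, prefix="INVALID: "):
    """Count logged INVALID packets per TCP flag combination and per source."""
    by_flags, by_src = Counter(), Counter()
    for line in lines:
        pkt = parse_line(line, prefix)
        if pkt is None or pkt["src"] is None:
            continue                         # other rule's log line, or malformed
        by_flags[pkt["flags"]] += 1
        by_src[pkt["src"]] += 1
    return by_flags, by_src

if __name__ == "__main__":
    by_flags, by_src = summarize(SAMPLE_LOG.splitlines())
    for flags, n in by_flags.most_common():
        print(f"{n:4d}  flags={flags}")
    for src, n in by_src.most_common():
        print(f"{n:4d}  src={src}")
```

Run against the real log file instead of `SAMPLE_LOG` by passing an open file object to `summarize`, with `prefix` set to whatever the LOG rule uses.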