Hello folks. I had a spontaneous reboot of my firewall running OpenWRT and Shorewall-lite 4.0.5 this evening. I must have taxed its puny little 32MB of memory.

What is interesting is that on reboot, when a shorewall start was done, it appears that a packet leaked through before the SNAT rules were in place. Consider these two entries from the conntrack table:

  udp 17 3114 src=10.75.22.3 dst=66.51.110.210 sport=5060 dport=5060 packets=2520 bytes=1317666 [UNREPLIED] src=66.51.110.210 dst=10.75.22.3 sport=5060 dport=5060 packets=0 bytes=0 mark=0 use=1
  udp 17 3597 src=10.75.22.3 dst=66.51.127.173 sport=5060 dport=5060 packets=144 bytes=85513 src=66.51.127.173 dst=67.193.45.68 sport=5060 dport=5060 packets=203 bytes=79918 [ASSURED] mark=64 use=1

Notice the second entry has the SNAT recorded in the table while the first does not. I can only imagine that this is because the packet hit netfilter before the SNAT rules were put into place.

So I guess the question is, even with, say, a default policy for all chains in netfilter of DROP, would an entry still make it into the conntrack table? I tend to think it would not. So perhaps this packet made it through in that short time window when networking is up and netfilter is loaded, but before shorewall has done its thing.

I wonder if anything can be done to mitigate this? Even if one were to simply do:

  # modprobe <netfilter modules>
  # for chain in FORWARD INPUT OUTPUT; do
  > iptables -P $chain DROP
  > done

there is still a small window of opportunity there. Is there no way to eliminate this possibility? Perhaps a way to load the netfilter modules in a "default DROP policy" mode?

Alternatively, I wonder, is it possible to load the filtering modules first, set a default DROP policy and then install the nat table rules, then load the conntrack modules (perhaps the conntrack modules need loading before you can set up the nat table -- I don't think the order of these two is critical since the default policy is still DROP at this point) and then the filter table policy. Or some other combination thereof which eliminates the race?

b.
_______________________________________________ Shorewall-users mailing list [email protected] https://lists.sourceforge.net/lists/listinfo/shorewall-users
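The post spots the leaked flow by eye: in the second conntrack entry the reply tuple's destination is the router's public address (the SNAT was applied), while in the first it is still the private source 10.75.22.3. That comparison can be automated as a check to run after a firewall (re)start. The following is an added example, not code from the post or from Shorewall: it parses the two entries quoted above (the old ip_conntrack text format, sample input embedded as constructed from the post) and flags flows from an internal host to an outside address whose reply tuple was never rewritten. The internal prefix 10.75.22.0/24 is an assumption inferred from the source address in the post; the poster did not state the subnet.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import List, Optional

# Sample input: the two conntrack entries quoted in the post (ip_conntrack
# text format). Whitespace is normalised; the values are the post's own.
SAMPLE_CONNTRACK = """\
udp 17 3114 src=10.75.22.3 dst=66.51.110.210 sport=5060 dport=5060 packets=2520 bytes=1317666 [UNREPLIED] src=66.51.110.210 dst=10.75.22.3 sport=5060 dport=5060 packets=0 bytes=0 mark=0 use=1
udp 17 3597 src=10.75.22.3 dst=66.51.127.173 sport=5060 dport=5060 packets=144 bytes=85513 src=66.51.127.173 dst=67.193.45.68 sport=5060 dport=5060 packets=203 bytes=79918 [ASSURED] mark=64 use=1
"""

# Assumed internal prefix (the post only shows the host 10.75.22.3).
INTERNAL_NET = "10.75.22.0/24"


@dataclass
class FlowTuple:
    src: str
    dst: str
    sport: Optional[int] = None   # absent for protocols without ports (e.g. icmp)
    dport: Optional[int] = None


@dataclass
class Entry:
    proto: str
    timeout: int
    original: FlowTuple          # direction the first packet travelled
    reply: FlowTuple             # direction conntrack expects replies from
    flags: List[str] = field(default_factory=list)   # UNREPLIED, ASSURED, ...
    mark: int = 0


def _to_tuple(fields: dict) -> FlowTuple:
    return FlowTuple(
        fields["src"], fields["dst"],
        int(fields["sport"]) if "sport" in fields else None,
        int(fields["dport"]) if "dport" in fields else None,
    )


def parse_entry(line: str) -> Entry:
    """Parse one ip_conntrack line: '<proto> <protonum> <timeout> k=v ... [FLAG] k=v ...'.
    The first 'src=' token opens the original tuple, the second opens the reply tuple."""
    parts = line.split()
    proto, timeout = parts[0], int(parts[2])
    tuples, flags, mark = [], [], 0
    current = None
    for tok in parts[3:]:
        if tok.startswith("[") and tok.endswith("]"):
            flags.append(tok[1:-1])
            continue
        if "=" not in tok:
            continue
        key, val = tok.split("=", 1)
        if key == "src":
            current = {"src": val}
            tuples.append(current)
        elif key in ("dst", "sport", "dport") and current is not None:
            current[key] = val
        elif key == "mark":
            mark = int(val)
        # packets=, bytes=, use= are counters and are ignored here
    if len(tuples) != 2:
        raise ValueError("expected an original and a reply tuple: %r" % line)
    return Entry(proto, timeout, _to_tuple(tuples[0]), _to_tuple(tuples[1]), flags, mark)


def parse_conntrack(text: str) -> List[Entry]:
    return [parse_entry(ln) for ln in text.splitlines() if ln.strip()]


def unnatted_flows(entries: List[Entry], internal_net: str) -> List[Entry]:
    """Return outbound flows (internal src, external dst) whose reply tuple still
    points at the private source, i.e. no SNAT was recorded for them."""
    net = ipaddress.ip_network(internal_net)
    leaked = []
    for e in entries:
        osrc = ipaddress.ip_address(e.original.src)
        odst = ipaddress.ip_address(e.original.dst)
        if osrc in net and odst not in net and e.reply.dst == e.original.src:
            leaked.append(e)
    return leaked


if __name__ == "__main__":
    for e in unnatted_flows(parse_conntrack(SAMPLE_CONNTRACK), INTERNAL_NET):
        print("no SNAT recorded: %s %s:%s -> %s:%s flags=%s"
              % (e.proto, e.original.src, e.original.sport,
                 e.original.dst, e.original.dport, ",".join(e.flags)))
```

On a live box the same functions can be fed the contents of /proc/net/ip_conntrack (or the output of the conntrack tool) right after the rules are loaded; any entry this reports was created before the nat table was populated, which is exactly the window the post describes. The check relies on a property of conntrack rather than on any Shorewall detail: the reply tuple is fixed when the entry is confirmed, so a flow that was never SNATed keeps the private address as its reply destination for the life of the entry.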
