On 5/6/12 9:35 AM, Sascha Sanches wrote: > Hi, > > I've been using Shorewall with satisfaction for some two years now. A few > days ago I decided to try to tighten the configuration as much I could. This > meant changing the OUTPUT policy to REJECT, and RELATED_DISPOSITION to DROP, > while the INPUT policy has been set to REJECT. And, well, I ran into the > following problem: > > Whenever a TCP connection attempt is to be rejected, a related TCP RST > packet is sent. With RELATED_DISPOSITION set to DROP, this reply is dropped, > leading to long timeouts. > > Is there currently any way to include a rule in the related section of the > shorewall-rules file that allows outgoing TCP RST packets without using > Perl? I'm really not a Perl programmer whatsoever... > > Two example syslog messages: > > [2012-05-06 18:10:05] hq [kernel/-] [kern.debug]: SW:fw2net:LOG:REL2POL IN= > OUT=eth0 SRC=79.170.93.130 DST=79.1.157.73 LEN=40 TOS=0x00 PREC=0x00 TTL=64 > ID=0 DF PROTO=TCP SPT=23 DPT=2794 WINDOW=0 RES=0x00 ACK RST URGP=0 > [2012-05-06 18:10:05] hq [kernel/-] [kern.debug]: SW:+fw2net:ACCEPT:IN= > OUT=eth0 SRC=79.170.93.130 DST=79.1.157.73 LEN=40 TOS=0x00 PREC=0x00 TTL=64 > ID=0 DF PROTO=TCP SPT=23 DPT=2794 WINDOW=0 RES=0x00 ACK RST URGP=0 > > The first message is a log rule at the end of the related section of the > rules file, and the second (I think) is about the same connection attempt > and the result of RELATED_LOG_LEVEL=debug in shorewall.conf. As you can see, > I've changed RELATED_DISPOSITION to ACCEPT right now, since that is the > easiest solution for now.
Here's an action that matches RSTs. Be sure that you use the tcpflags option with this. -Tom PS -- be sure to add the action to your /etc/shorewall/actions file. -- Tom Eastep \ When I die, I want to go like my Grandfather who Shoreline, \ died peacefully in his sleep. Not screaming like Washington, USA \ all of the passengers in his car http://shorewall.net \________________________________________________
# # Shorewall 4 - RST Action # # /usr/share/shorewall/action.RST # # This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt] # # (c) 2011 - Tom Eastep ([email protected]) # # Complete documentation is available at http://shorewall.net # # This program is free software; you can redistribute it and/or modify # it under the terms of Version 2 of the GNU General Public License # as published by the Free Software Foundation. # # This program is distributed in the hope that it will be useful, # but WITHOUT ANY WARRANTY; without even the implied warranty of # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the # GNU General Public License for more details. # # You should have received a copy of the GNU General Public License # along with this program; if not, write to the Free Software # Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. # # RST[([<action>|-[,{audit|-}])] # # Default action is DROP # ########################################################################################## FORMAT 2 DEFAULTS DROP,- BEGIN PERL; use Shorewall::IPAddrs; use Shorewall::Config; use Shorewall::Chains; my ( $action, $audit ) = get_action_params( 2 ); fatal_error "Invalid parameter ($audit) to action NotSyn" if supplied $audit && $audit ne 'audit'; fatal_error "Invalid parameter ($action) to action NotSyn" unless $action =~ /^(?:ACCEPT|DROP|REJECT)$/; my $chainref = get_action_chain; my ( $level, $tag ) = get_action_logging; my $target = require_audit ( $action , $audit ); log_rule_limit $level, $chainref, 'RST' , $action, '', $tag, 'add', '-p 6 --tcp-flags RST RST ' if $level ne ''; add_jump $chainref , $target, 0, '-p 6 --tcp-flags RST RST, '; allow_optimize( $chainref ); 1; END PERL;
signature.asc
Description: OpenPGP digital signature
------------------------------------------------------------------------------ Live Security Virtual Conference Exclusive live event will cover all the ways today's security and threat landscape has changed and how IT managers can respond. Discussions will include endpoint security, mobile security and the latest in malware threats. http://www.accelacomm.com/jaw/sfrnl04242012/114/50122263/
_______________________________________________ Shorewall-users mailing list [email protected] https://lists.sourceforge.net/lists/listinfo/shorewall-users
