________________________________
From: Tom Eastep <[email protected]>

> I apologize for replying with HTML, but it would take me an extra half
> an hour to make a text version readable.

No problem.

> You need to include NFQUEUE rules in the ESTABLISHED and RELATED
> sections as well as in the NEW section.

I'm now calling NFQUEUE from SECTIONs ESTABLISHED, RELATED and NEW (removed from SECTION ALL). I've placed my REDIRECT, DROP, and ADD rules in SECTION NEW only.

Everything should be OK now, except maybe for a few things.

In the IPS log I'm seeing almost no GeoIP blocks, as expected, since it's performed by the Shorewall GeoIP rule preceding NFQUEUE in NEW. However, I'm still seeing one type in the IPS. Here's an example:

"event_type":"drop","src_ip":"188.165.137.78","dest_ip":"172.16.0.1","proto":"ICMP","icmp_type":0,"icmp_code":0

which corresponds to the GeoIP IPS rule with the same country codes as the rules used in Shorewall. Shouldn't this have been dropped already by the Shorewall rule "DROP net1,net2,net3:!^[US,CA,EU,ES,PT,FR,DE,GB,IT,BE,NL] all"?

By the way, I tried specifying more than 10 country codes for each rule and there don't seem to be any errors. I don't know if the limit of 10 country codes still stands.

I've also noticed another issue. I have a script that keeps reading the IPS log for offending IP addresses. As soon as the IPS drops a packet and logs it, this script also runs the following command immediately:

ipset add IPS_BL <IP>

When this happens for the first time and the offending client hasn't timed out, the client actually succeeds in connecting (is NOT dropped) despite the IPS drop log message. This happens right after running the ipset command above. Of course, I tried temporarily disabling this command in my script and I noticed that the IPS drops the packets correctly even if the client doesn't time out for a long while. However, I prefer to add the IP address to the ipset so I can drop the next connections from the same IP without having to send it to the IPS again.
This is what I have in rules (SECTION NEW):

REDIRECT:info:blsinf net1:+IPS_BL,+POL_BL,+GEO_BL,+GEOIPS_BL 62000 tcp 80
REDIRECT:info:blsinf net2:+IPS_BL,+POL_BL,+GEO_BL,+GEOIPS_BL 62000 tcp 80
REDIRECT:info:blsinf net3:+IPS_BL,+POL_BL,+GEO_BL,+GEOIPS_BL 62000 tcp 80
DROP net1:+IPS_BL,+POL_BL,+GEO_BL,+GEOIPS_BL all
DROP net2:+IPS_BL,+POL_BL,+GEO_BL,+GEOIPS_BL all
DROP net3:+IPS_BL,+POL_BL,+GEO_BL,+GEOIPS_BL all
REDIRECT:info:geoipinf net1:!^[US,CA,EU,ES,PT,FR,DE,GB,IT,BE,NL] 62000 tcp 80
REDIRECT:info:geoipinf net2:!^[US,CA,EU,ES,PT,FR,DE,GB,IT,BE,NL] 62000 tcp 80
REDIRECT:info:geoipinf net3:!^[US,CA,EU,ES,PT,FR,DE,GB,IT,BE,NL] 62000 tcp 80
ADD(GEO_BL:src) net1:!^[US,CA,EU,ES,PT,FR,DE,GB,IT,BE,NL] all
ADD(GEO_BL:src) net2:!^[US,CA,EU,ES,PT,FR,DE,GB,IT,BE,NL] all
ADD(GEO_BL:src) net3:!^[US,CA,EU,ES,PT,FR,DE,GB,IT,BE,NL] all
DROP net1:!^[US,CA,EU,ES,PT,FR,DE,GB,IT,BE,NL] all
DROP net2:!^[US,CA,EU,ES,PT,FR,DE,GB,IT,BE,NL] all
DROP net3:!^[US,CA,EU,ES,PT,FR,DE,GB,IT,BE,NL] all
NFQUEUE(0:5,bypass)... etc.

(no other references to IPS_BL in the rest of the rules file)

I don't understand why inserting the IP address in the IPS_BL ipset WHILE the client is still connected, and whose connection is being DROPped by the IPS, would ALLOW the client connection to go through.

I'm attaching the updated shorewall dump.

Thanks,

Vieri
sw_dump.gz
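The log-reading script described in the message above is not posted, so the following is an added example (not Vieri's script and not Shorewall or Suricata code) of how such a feeder can be written so that log-controlled data never reaches a shell. It assumes the IPS writes Suricata-style JSON lines like the drop event quoted above, that the IPS_BL set already exists and was created with timeout support (`ipset create IPS_BL hash:ip timeout 0`, an assumption), and that `ipset` is on PATH. The sample log lines are constructed for the example. It validates each `src_ip` with the `ipaddress` module, skips non-global sources, de-duplicates, and passes `-exist` so a re-add of an address that is still listed is a no-op rather than an error.

```python
import ipaddress
import json
import subprocess

# Constructed sample of IPS "drop" events in Suricata eve.json style (not real traffic).
# Includes a non-drop event, a private source, a duplicate, a non-JSON line and a
# src_ip field carrying shell metacharacters, to show that each case is rejected.
SAMPLE_EVE_LINES = [
    '{"event_type":"drop","src_ip":"188.165.137.78","dest_ip":"172.16.0.1",'
    '"proto":"ICMP","icmp_type":0,"icmp_code":0}',
    '{"event_type":"alert","src_ip":"203.0.113.5","dest_ip":"172.16.0.1","proto":"TCP"}',
    '{"event_type":"drop","src_ip":"192.168.1.20","dest_ip":"172.16.0.1","proto":"TCP"}',
    '{"event_type":"drop","src_ip":"188.165.137.78","dest_ip":"172.16.0.1","proto":"TCP"}',
    'this line is not json',
    '{"event_type":"drop","src_ip":"203.0.113.5; rm -rf /","dest_ip":"172.16.0.1"}',
]

SET_NAME = "IPS_BL"      # assumption: the +IPS_BL set referenced in the rules file
BLOCK_TIMEOUT = 3600     # assumption: per-entry timeout in seconds; set needs timeout support


def blocklist_candidates(lines):
    """Return the ordered, de-duplicated list of global source IPs from 'drop' events.

    Anything that does not parse as a literal IP address is discarded, so a crafted
    log field can never be interpolated into a command line.
    """
    seen = set()
    out = []
    for raw in lines:
        try:
            ev = json.loads(raw)
        except ValueError:
            continue  # partial or rotated lines are common in a tailed log; skip them
        if ev.get("event_type") != "drop":
            continue
        try:
            ip = ipaddress.ip_address(ev.get("src_ip", ""))
        except ValueError:
            continue  # not a bare address (e.g. contains shell metacharacters)
        if not ip.is_global:
            continue  # never blacklist RFC1918, loopback, link-local or reserved sources
        if ip in seen:
            continue
        seen.add(ip)
        out.append(str(ip))
    return out


def ipset_add_command(ip, set_name=SET_NAME, timeout=BLOCK_TIMEOUT):
    """Build the argv for `ipset -exist add SET IP timeout N` (no shell involved)."""
    return ["ipset", "-exist", "add", set_name, ip, "timeout", str(timeout)]


def apply_blocklist(lines, run=subprocess.run):
    """Feed every candidate into the ipset; `run` is injectable so this can be dry-run."""
    cmds = [ipset_add_command(ip) for ip in blocklist_candidates(lines)]
    for argv in cmds:
        run(argv, check=True)
    return cmds


if __name__ == "__main__":
    # Dry run: print the commands instead of executing them.
    for argv in apply_blocklist(SAMPLE_EVE_LINES, run=lambda argv, check=True: print(" ".join(argv))):
        pass
```

To tail a live file, replace `SAMPLE_EVE_LINES` with an iterator over the log. Note what the `ipset add` can and cannot do with the rules as posted: the `DROP ...:+IPS_BL,...` rules sit in SECTION NEW only, so they are consulted only for packets that conntrack classifies as NEW; packets belonging to a flow that is already tracked fall through to the ESTABLISHED section, where the only rule shown is the NFQUEUE one. Adding the address to the set therefore affects the next new connection, not the flow that triggered the drop event.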
_______________________________________________ Shorewall-users mailing list [email protected] https://lists.sourceforge.net/lists/listinfo/shorewall-users
