On 02/27/2017 08:09 AM, Vieri Di Paola wrote:
> I'm now calling NFQUEUE from SECTIONs ESTABLISHED, RELATED and NEW (removed
> from SECTION ALL).
> I've placed my REDIRECT, DROP, and ADD rules in SECTION NEW only.
>
> Everything should be OK now, except maybe for a few things.
>
> In the IPS log I'm seeing almost no GeoIP blocks as expected, since
> it's performed by the Shorewall GeoIP rule preceding NFQUEUE in NEW.
> However, I'm still seeing one type in the IPS. Here's an example:
>
> "event_type":"drop","src_ip":"188.165.137.78","dest_ip":"172.16.0.1","proto":"ICMP","icmp_type":0,"icmp_code":0

That is a ping reply -- so 172.16.0.1 is pinging 188.165.137.78.

> which corresponds to GeoIP IPS rule with the same country codes as the rules used in shorewall.
>
> Shouldn't this have been dropped already by the shorewall rule "DROP net1,net2,net3:!^[US,CA,EU,ES,PT,FR,DE,GB,IT,BE,NL] all"?

No, because that packet is in the ESTABLISHED state, not the NEW state. Your Shorewall ruleset isn't denying systems on your network from initiating flows to systems that are not in your approved country list.

-Tom

--
Tom Eastep            \ When I die, I want to go like my Grandfather who
Shoreline,             \ died peacefully in his sleep. Not screaming like
Washington, USA         \ all of the passengers in his car
http://shorewall.net     \________________________________________________

_______________________________________________
Shorewall-users mailing list
https://lists.sourceforge.net/lists/listinfo/shorewall-users
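The point in Tom's answer is that a Shorewall rule under ?SECTION NEW is only consulted for packets conntrack classifies as NEW, so the echo reply (ESTABLISHED) sails past the GeoIP DROP and reaches NFQUEUE, where the IPS catches it. The following is an added illustration, not Shorewall code and not from this thread: a small Python model of section-by-state rule evaluation that traces the ping exchange under the ruleset described above and under the same ruleset with the outbound GeoIP rule Tom says is missing. The `GEOIP` map is constructed (the "XX" country for 188.165.137.78 is a placeholder meaning "outside the approved list", not its real location), and the exact Shorewall syntax for the outbound rule is not taken from the thread.

```python
"""Toy model of how Shorewall rule sections interact with conntrack state.

Added example for this thread, not Shorewall's own code.  It mimics only
the behaviour that matters here: a rule under ?SECTION NEW is consulted
for NEW packets only, so a reply in the ESTABLISHED section never reaches
a NEW-section DROP.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple

# Constructed country lookup standing in for a GeoIP database.  "XX" is a
# placeholder for "some country outside the approved list"; the real
# location of 188.165.137.78 is not asserted here.
GEOIP: Dict[str, str] = {
    "172.16.0.1": "LOCAL",
    "188.165.137.78": "XX",
    "203.0.113.10": "US",   # RFC 5737 test address, constructed sample
}
APPROVED = {"US", "CA", "EU", "ES", "PT", "FR", "DE", "GB", "IT", "BE", "NL"}


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    state: str                       # conntrack state: NEW, ESTABLISHED, RELATED
    proto: str = "ICMP"
    icmp_type: Optional[int] = None  # 8 = echo request, 0 = echo reply


@dataclass(frozen=True)
class Rule:
    action: str                                  # DROP, NFQUEUE, ...
    match: Callable[[Packet], bool] = lambda p: True


# ?SECTION name -> ordered rules, like the sections of /etc/shorewall/rules
Ruleset = Dict[str, List[Rule]]


def from_unapproved_country(p: Packet) -> bool:
    """Models the thread's rule: DROP net:!^[US,CA,...] all (source outside the list)."""
    return GEOIP.get(p.src, "??") not in APPROVED | {"LOCAL"}


def to_unapproved_country(p: Packet) -> bool:
    """The rule Tom points out is missing: local hosts initiating flows to
    destinations outside the approved list (hypothetical, not the thread's syntax)."""
    return GEOIP.get(p.dst, "??") not in APPROVED | {"LOCAL"}


def evaluate(rules: Ruleset, p: Packet) -> str:
    """First matching rule in the section selected by conntrack state wins.
    Unmatched packets fall through to the zone policy ("POLICY")."""
    for rule in rules.get(p.state, []):
        if rule.match(p):
            return rule.action
    return "POLICY"


def ping_exchange(rules: Ruleset, local: str, remote: str) -> List[Tuple[str, str]]:
    """Trace an outbound ping: the echo request opens a NEW flow; if the
    firewall lets it out, the echo reply arrives as ESTABLISHED."""
    request = Packet(src=local, dst=remote, state="NEW", icmp_type=8)
    trace = [("echo request", evaluate(rules, request))]
    if trace[0][1] == "DROP":
        return trace  # nothing left the firewall, so no reply can come back
    reply = Packet(src=remote, dst=local, state="ESTABLISHED", icmp_type=0)
    trace.append(("echo reply", evaluate(rules, reply)))
    return trace


# Ruleset as described in the thread: GeoIP DROP only in SECTION NEW,
# NFQUEUE (hand-off to the IPS) in NEW, ESTABLISHED and RELATED.
ORIGINAL: Ruleset = {
    "NEW":         [Rule("DROP", from_unapproved_country), Rule("NFQUEUE")],
    "ESTABLISHED": [Rule("NFQUEUE")],
    "RELATED":     [Rule("NFQUEUE")],
}

# Same ruleset plus an outbound GeoIP DROP in NEW, closing the gap Tom describes.
HARDENED: Ruleset = {
    "NEW":         [Rule("DROP", from_unapproved_country),
                    Rule("DROP", to_unapproved_country),
                    Rule("NFQUEUE")],
    "ESTABLISHED": [Rule("NFQUEUE")],
    "RELATED":     [Rule("NFQUEUE")],
}

if __name__ == "__main__":
    for name, rs in (("original", ORIGINAL), ("hardened", HARDENED)):
        print(name, ping_exchange(rs, "172.16.0.1", "188.165.137.78"))
```

Under the original ruleset both the outbound request and the inbound reply go to NFQUEUE, which is exactly why the IPS, not Shorewall, logs the drop; under the hardened ruleset the request is dropped in NEW and no ESTABLISHED reply ever exists for the IPS to see. Inbound NEW connections from an unapproved country are dropped by Shorewall in both variants, matching the thread's observation that GeoIP blocks have largely disappeared from the IPS log.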
