________________________________
From: Tom Eastep <[email protected]>
>
> That rule doesn't indicate that the packet is being dropped -- it
> simply means that it is being logged and counted.

I'm asking because I created a custom Action (DROPBL) as you previously 
suggested in another thread so that I could Drop and insert the src IP address 
in an ipset if a client tried to connect to an "unpublished" port.

My custom DROP action simply contains the following instruction at the bottom:

ADD(POL_BL:src)

Usually when there's a false positive and a remote client complains I simply 
grep the shorewall log and look for its IP address with a custom log tag 
('polbl') and a :DROP: right after it. I can then inform the client that they 
were trying to access the wrong port.

However, in this particular case I saw this in the log:

# grep 1.2.3.4 /var/log/shorewall/info.log
Jun  5 16:47:51 kernel: Shorewall:polbl:COUNT:IN=enp9s5 OUT= MAC=00:0d:88:cd:7f:c5:00:13:f7:23:ef:b4:08:00 SRC=1.2.3.4 DST=192.168.100.2 LEN=60 TOS=0x00 PREC=0x00 TTL=124 ID=10689 PROTO=255 MARK=0x2
Jun  5 16:52:58 kernel: Shorewall:blsinit:REDIRECT:IN=enp9s5 OUT= MAC=00:0d:88:cd:7f:c5:00:13:f7:23:ef:b4:08:00 SRC=1.2.3.4 DST=192.168.100.2 LEN=52 TOS=0x00 PREC=0x00 TTL=124 ID=10900 DF PROTO=TCP SPT=49339 DPT=80 WINDOW=8192 RES=0x00 SYN URGP=0 MARK=0x2

The IP address 1.2.3.4 was added to the POL_BL ipset.

If I look at another example in the log I see:

Jun  7 11:26:38 kernel: Shorewall:polbl:COUNT:IN=enp9s6 OUT= MAC=00:0d:88:cd:7f:c6:50:67:f0:af:f4:57:08:00 SRC=4.3.2.1 DST=192.168.101.2 LEN=60 TOS=0x00 PREC=0x00 TTL=59 ID=0 DF PROTO=TCP SPT=80 DPT=24620 WINDOW=28960 RES=0x00 ACK SYN URGP=0 MARK=0x3
Jun  7 11:26:38 kernel: Shorewall:polbl:DROP:IN=enp9s6 OUT= MAC=00:0d:88:cd:7f:c6:50:67:f0:af:f4:57:08:00 SRC=4.3.2.1 DST=192.168.101.2 LEN=60 TOS=0x00 PREC=0x00 TTL=59 ID=0 DF PROTO=TCP SPT=80 DPT=24620 WINDOW=28960 RES=0x00 ACK SYN URGP=0 MARK=0x3

So I guess the DROP in my first example was not logged for some reason.

Still, the COUNT log line in the second example reveals the DPT the remote 
client tried to access. In the first example I don't know what PROTO=255 is, 
except "Reserved for extra".

Supposedly, the remote host with IP address 1.2.3.4 is "trusted" and should not 
use an unknown protocol.

Anyway, it's not really an issue. Just wondering why.

Thanks,

Vieri

_______________________________________________
Shorewall-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/shorewall-users
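An added example, not code from the thread and not part of Shorewall itself: the grep-and-eyeball step described above, done as a small Python parser over the kernel log records. It reads the `Shorewall:<tag>:<disposition>:` prefix visible in the lines, splits the netfilter `KEY=value` fields, keeps the bare TCP/IP flags (DF, SYN, ACK) separately, and for a given source address reports which dispositions were logged, whether a DROP was among them, and which protocol/port pair was hit. The sample input is the thread's own four records, rejoined onto one line each; the protocol-number lookup is built from this host's `socket.IPPROTO_*` constants, with 255 handled explicitly because IANA lists it as Reserved while Linux also names it `IPPROTO_RAW`.

```python
import re
import socket

# Constructed sample: the four entries quoted in the thread, rejoined so that each
# kernel log record sits on a single line (the mailer had wrapped them).
SAMPLE_LOG = """\
Jun  5 16:47:51 kernel: Shorewall:polbl:COUNT:IN=enp9s5 OUT= MAC=00:0d:88:cd:7f:c5:00:13:f7:23:ef:b4:08:00 SRC=1.2.3.4 DST=192.168.100.2 LEN=60 TOS=0x00 PREC=0x00 TTL=124 ID=10689 PROTO=255 MARK=0x2
Jun  5 16:52:58 kernel: Shorewall:blsinit:REDIRECT:IN=enp9s5 OUT= MAC=00:0d:88:cd:7f:c5:00:13:f7:23:ef:b4:08:00 SRC=1.2.3.4 DST=192.168.100.2 LEN=52 TOS=0x00 PREC=0x00 TTL=124 ID=10900 DF PROTO=TCP SPT=49339 DPT=80 WINDOW=8192 RES=0x00 SYN URGP=0 MARK=0x2
Jun  7 11:26:38 kernel: Shorewall:polbl:COUNT:IN=enp9s6 OUT= MAC=00:0d:88:cd:7f:c6:50:67:f0:af:f4:57:08:00 SRC=4.3.2.1 DST=192.168.101.2 LEN=60 TOS=0x00 PREC=0x00 TTL=59 ID=0 DF PROTO=TCP SPT=80 DPT=24620 WINDOW=28960 RES=0x00 ACK SYN URGP=0 MARK=0x3
Jun  7 11:26:38 kernel: Shorewall:polbl:DROP:IN=enp9s6 OUT= MAC=00:0d:88:cd:7f:c6:50:67:f0:af:f4:57:08:00 SRC=4.3.2.1 DST=192.168.101.2 LEN=60 TOS=0x00 PREC=0x00 TTL=59 ID=0 DF PROTO=TCP SPT=80 DPT=24620 WINDOW=28960 RES=0x00 ACK SYN URGP=0 MARK=0x3
"""

# Shorewall's log prefix as it appears in the records above:
# "Shorewall:<chain or log tag>:<disposition>:" followed by the netfilter fields.
PREFIX_RE = re.compile(r"Shorewall:(?P<tag>[^:]+):(?P<disposition>[^:]+):(?P<rest>.*)")

# Reverse map of the IPPROTO_* constants this host's socket module knows.
_PROTO_BY_NUMBER = {
    value: name[len("IPPROTO_"):]
    for name, value in vars(socket).items()
    if name.startswith("IPPROTO_") and isinstance(value, int)
}
# IANA lists protocol number 255 as Reserved. It is checked before the socket map
# because Linux also defines IPPROTO_RAW = 255, which would otherwise label it "RAW".
_IANA_SPECIAL = {255: "reserved per IANA"}


def protocol_name(value):
    """Turn the PROTO= field into something readable. The kernel prints a name for
    the protocols it formats itself (TCP, UDP, ICMP) and a bare number otherwise."""
    if not value.isdigit():
        return value
    number = int(value)
    label = _IANA_SPECIAL.get(number) or _PROTO_BY_NUMBER.get(number, "unknown to this host")
    return f"{value} ({label})"


def parse_line(line):
    """Parse one kernel log record into a dict, or return None if it is not a
    Shorewall record. Bare tokens (DF, SYN, ACK, ...) are collected under 'flags'."""
    match = PREFIX_RE.search(line)
    if not match:
        return None
    event = {
        "timestamp": line[:15].strip(),   # syslog "Mon dd HH:MM:SS" prefix
        "tag": match.group("tag"),
        "disposition": match.group("disposition"),
        "flags": [],
    }
    for token in match.group("rest").split():
        if "=" in token:
            key, _, val = token.partition("=")
            event[key] = val               # OUT= yields an empty string, as in the log
        else:
            event["flags"].append(token)
    return event


def summarize(log_text, ip):
    """What did the firewall log for traffic from `ip`? Answers the question raised
    in the thread: was a DROP actually logged, and which protocol/port was hit."""
    events = [e for e in map(parse_line, log_text.splitlines()) if e and e.get("SRC") == ip]
    return {
        "events": len(events),
        "tags": sorted({e["tag"] for e in events}),
        "dispositions": sorted({e["disposition"] for e in events}),
        "dropped": any(e["disposition"] == "DROP" for e in events),
        "targets": sorted({(protocol_name(e.get("PROTO", "?")), e.get("DPT", "-")) for e in events}),
    }


if __name__ == "__main__":
    for ip in ("1.2.3.4", "4.3.2.1"):
        print(ip, summarize(SAMPLE_LOG, ip))
```

Run against the sample, 1.2.3.4 comes back with dispositions COUNT and REDIRECT and `dropped` false, which is exactly the "no :DROP: line to point at" situation in the message, while 4.3.2.1 shows COUNT plus DROP on TCP/24620. Feeding it `/var/log/shorewall/info.log` instead of the embedded sample is a matter of reading the file into `log_text`.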
