On Thu, 2018-06-21 at 12:14 -0400, Brian J. Murrell wrote:
> Hi,
>
> Since upgrading from 5.1.12 to 5.2.0 on the machine that I build
> firewall rulesets for my shorewall-lite-running-router, I have seen a
> massive increase in RST and FIN packets being logged
Having had a moment to look at the differences in the policy built by the
two versions, I believe the significant difference is the replacing of the
Drop and Reject chains, both of which had:

  -A Drop -m conntrack --ctstate INVALID -j DROP

in them, with the inline rules:

  -A INPUT -p 1 --icmp-type 3/4 -j ACCEPT -m comment --comment "Needed ICMP types"
  -A INPUT -p 1 --icmp-type 11 -j ACCEPT -m comment --comment "Needed ICMP types"
  -A INPUT -m addrtype --dst-type BROADCAST -j DROP
  -A INPUT -m addrtype --dst-type ANYCAST -j DROP
  -A INPUT -m addrtype --dst-type MULTICAST -j DROP

The latter does not have the "-m conntrack --ctstate INVALID" handling
which DROPped or REJECTed those packets without logging them.

I guess this is part of the blurb in the MIGRATION ISSUES:

  It should also be noted that, in prior releases, Drop and Reject
  silently dropped more traffic than their replacements. As a
  consequence, you will see more traffic being logged with Shorewall 5.2
  than you did on earlier releases. The translations performed by
  'update' can be extended after the update to drop additional traffic
  as desired.

So the solution for the missing

  -A Drop -m conntrack --ctstate INVALID -j DROP

seems to be to add dropInvalid to the DROP_DEFAULT and REJECT_DEFAULT
policies as such:

  DROP_DEFAULT="AllowICMPs,Broadcast(DROP),Multicast(DROP),dropInvalid"
  REJECT_DEFAULT="AllowICMPs,Broadcast(DROP),Multicast(DROP),dropInvalid"

But I am also noticing other "noise suppression" policy such as:

  -A Drop -p 17 -m multiport --dports 135,445 -j DROP -m comment --comment "SMB"
  -A Drop -p 17 --dport 137:139 -j DROP -m comment --comment "SMB"
  -A Drop -p 17 --dport 1024:65535 --sport 137 -j DROP -m comment --comment "SMB"
  -A Drop -p 6 -m multiport --dports 135,139,445 -j DROP -m comment --comment "SMB"
  -A Drop -p 17 --dport 1900 -j DROP -m comment --comment "UPnP"
  -A Drop -p 6 ! --syn -j DROP
  -A Drop -p 17 --sport 53 -j DROP -m comment --comment "Late DNS Replies"

but without actions for them.
Are these no longer going to be expressible as a policy action but
instead need to be put into rules?

Cheers,
b.
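The core of the message above is an ordering question: in 5.1 the policy jumped into a Drop chain whose ctstate INVALID rule fired before the LOG rule, while the 5.2 inline rules never match INVALID, so stray RST/FIN packets fall through to logging. The following script is an added example, not code from the post or from the Shorewall project: it audits an iptables-save style dump and reports, for a given chain, whether ctstate INVALID is dropped before anything is logged, following jumps into user-defined chains. The three rulesets are constructed to mirror the shapes the message describes (the placement of the dropInvalid rule in the "fixed" set is an assumption) and are not real captured output.

```shell
#!/bin/sh
# Added example (not from the mailing-list post or the Shorewall project):
# decide whether a chain silently drops ctstate INVALID packets before any
# LOG rule fires. Rulesets below are constructed, not captured.

# 5.1-style: INPUT jumps to a Drop chain that drops INVALID before logging.
OLD_RULES='-A INPUT -j Drop
-A INPUT -j LOG --log-prefix "INPUT DROP "
-A INPUT -j DROP
-A Drop -m conntrack --ctstate INVALID -j DROP
-A Drop -p 6 ! --syn -j DROP
-A Drop -p 17 --sport 53 -j DROP -m comment --comment "Late DNS Replies"'

# 5.2-style inline policy: no INVALID handling, so stray RST/FIN get logged.
NEW_RULES='-A INPUT -p 1 --icmp-type 3/4 -j ACCEPT -m comment --comment "Needed ICMP types"
-A INPUT -p 1 --icmp-type 11 -j ACCEPT -m comment --comment "Needed ICMP types"
-A INPUT -m addrtype --dst-type BROADCAST -j DROP
-A INPUT -m addrtype --dst-type ANYCAST -j DROP
-A INPUT -m addrtype --dst-type MULTICAST -j DROP
-A INPUT -j LOG --log-prefix "INPUT DROP "
-A INPUT -j DROP'

# 5.2-style with dropInvalid added to DROP_DEFAULT (assumed placement:
# the INVALID drop is emitted inline ahead of the LOG rule).
FIXED_RULES='-A INPUT -p 1 --icmp-type 3/4 -j ACCEPT -m comment --comment "Needed ICMP types"
-A INPUT -p 1 --icmp-type 11 -j ACCEPT -m comment --comment "Needed ICMP types"
-A INPUT -m addrtype --dst-type BROADCAST -j DROP
-A INPUT -m addrtype --dst-type ANYCAST -j DROP
-A INPUT -m addrtype --dst-type MULTICAST -j DROP
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A INPUT -j LOG --log-prefix "INPUT DROP "
-A INPUT -j DROP'

# audit_chain RULESET CHAIN
# Prints "silent" when CHAIN (following -j jumps into user chains) drops
# ctstate INVALID before the first LOG rule is reached, "logged" otherwise.
audit_chain() {
    printf '%s\n' "$1" | awk -v start="$2" '
        # Record every -A rule under its chain, preserving order.
        $1 == "-A" { n[$2]++; rule[$2, n[$2]] = $0 }

        # Walk a chain in order: 1 = INVALID dropped first, 0 = LOG reached first.
        function walk(chain,    i, r, tgt) {
            for (i = 1; i <= n[chain]; i++) {
                r = rule[chain, i]
                if (r ~ /--ctstate INVALID -j DROP/) return 1
                if (r ~ /-j LOG( |$)/) return 0
                if (match(r, /-j [A-Za-z_]+/)) {
                    tgt = substr(r, RSTART + 3, RLENGTH - 3)
                    # Descend only into user-defined chains, not built-in targets.
                    if ((tgt in n) && walk(tgt)) return 1
                }
            }
            return 0
        }

        END { print (walk(start) ? "silent" : "logged") }'
}

printf 'old 5.1-style Drop chain:   INPUT -> %s\n' "$(audit_chain "$OLD_RULES" INPUT)"
printf 'new 5.2-style inline rules: INPUT -> %s\n' "$(audit_chain "$NEW_RULES" INPUT)"
printf 'with dropInvalid added:     INPUT -> %s\n' "$(audit_chain "$FIXED_RULES" INPUT)"
```

Against a live system, feed `iptables-save` output instead of the constructed strings and run the check for each policy chain whose log lines have grown; a chain that reports "logged" is one where the INVALID traffic is reaching the LOG rule rather than being dropped quietly first.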
_______________________________________________
Shorewall-users mailing list
Shorewall-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shorewall-users