Hi,

I use shorewall 5.0.15.6 on Debian Stretch in a dual stack setup. On a regular 
basis, I get a bunch of the following messages in my log files (my shorewall 
log prefix is just FW):
  kernel: [102654.492757] FW:FORWARD:REJECT:IN=ppp0 OUT=ppp0 MAC= SRC=2001:4ca0:0108:0042:0000:0080:0006:0009 DST=2001:14c9:1131:1320:8b80:2765:3c6a:2f19 LEN=80 TC=0 HOPLIMIT=244 FLOWLBL=0 PROTO=TCP SPT=50625 DPT=80 WINDOW=65535 RES=0x00 SYN URGP=0
The destination ports and protocols vary, but these packets actually all come 
from the same network.

Now, I can understand why these packets are rejected. The prefix in DST actually 
matches my IPv6 prefix which is assigned to the interface ppp0, but the 
interface identifier doesn't. And routing back through the same interface is 
neither desired nor allowed on my network.

The relevant lines in shorewall6/interfaces and shorewall6/policy look like 
this:
  shorewall6/interfaces:
  net     ppp0            dhcp,accept_ra=2,tcpflags,nosmurfs,rpfilter,sourceroute=0

  shorewall6/policy:
  $FW             net             ACCEPT
  [...]
  net             all             DROP
  # THE FOLLOWING POLICY MUST BE LAST
  all             all             REJECT          info

So basically, these packets hit the all-all reject policy. What I would like to 
do however, is to drop these packets without logging (and I do not want to 
change my default policy for that). How can I match these packets? I have tried 
several approaches that all didn't work:

1) I added a policy that said:
  net             net             DROP
Didn't work and also should be redundant due to the net-all drop rule.

2) I added rules in shorewall6/rules to match the source of the traffic (which 
are servers by a university in Munich that try to map/scan the IPv6 address 
space):
  DROP:none    net:[2001:4ca0:108:42::]/64     all     tcp     80
  DROP:none    net:[2001:4ca0:108:42::]/64     all     tcp     443
  DROP:none    net:[2001:4ca0:108:42::]/64     all     udp     443
  DROP:none    net:[2001:4ca0:108:42::]/64     all     udp     53
  DROP:none    net:[2001:4ca0:108:42::]/64     all     ipv6-icmp       128
I tried it in both ?SECTION NEW and ?SECTION ALL - didn't work.

3) I tried adding the source of these packets to my blacklist rules 
(shorewall6/blrules) in the same manner, and still they'd show up in my logs.


So, I'm lost here. *Is it possible to somehow match these packets in order to 
drop them silently?* My preference would be to simply drop all packets coming 
from the net zone that would be forwarded back through the same interface. But 
if I have to specify the source, that would be ok as well.

For reference I also include my traffic dispositions and log levels from my 
shorewall6 configuration file:
  grep -e LOG_LEVEL -e DISPOSITION shorewall6/shorewall6.conf
  BLACKLIST_LOG_LEVEL=info
  INVALID_LOG_LEVEL=
  MACLIST_LOG_LEVEL=info
  RELATED_LOG_LEVEL=
  RPFILTER_LOG_LEVEL=none
  SFILTER_LOG_LEVEL=info
  SMURF_LOG_LEVEL=info
  TCP_FLAGS_LOG_LEVEL=info
  UNTRACKED_LOG_LEVEL=
  BLACKLIST_DISPOSITION=DROP
  INVALID_DISPOSITION=CONTINUE
  MACLIST_DISPOSITION=REJECT
  RELATED_DISPOSITION=ACCEPT
  SFILTER_DISPOSITION=DROP
  RPFILTER_DISPOSITION=DROP
  SMURF_DISPOSITION=DROP
  TCP_FLAGS_DISPOSITION=DROP
  UNTRACKED_DISPOSITION=CONTINUE

I'd appreciate it if someone could point me in the right direction on how to get 
rid of these log messages. Thank you!


Best regards,

Timo
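
A small triage script for log lines of the shape quoted above, added here as an
example and not part of Timo's post or of Shorewall. It parses the netfilter
fields behind the "FW:<chain>:<disposition>:" prefix, flags records whose IN and
OUT interface are the same (the "forwarded back through the same interface"
pattern Timo describes) and counts how many of those come from the scanner
prefix listed in his rules. Assumptions: the poster's own prefix is taken to be
2001:14c9:1131:1320::/64 (only the DST address is on the page); the first sample
line is the one from the post, the other two are constructed. Running it before
and after a rule change is a quick way to confirm whether the entries really
stopped appearing in the log.

```python
import ipaddress
import re
from collections import Counter

# Assumed values (not stated as such in the post): the delegated prefix is taken
# to be a /64 around the DST shown; the scanner prefix is the /64 from the rules.
LOCAL_PREFIX = ipaddress.ip_network("2001:14c9:1131:1320::/64")
SCANNER_PREFIX = ipaddress.ip_network("2001:4ca0:108:42::/64")

# Sample log text: line 1 is from the post, lines 2 and 3 are constructed
# (2001:db8::/32 is the IPv6 documentation prefix).
SAMPLE_LOG = """\
kernel: [102654.492757] FW:FORWARD:REJECT:IN=ppp0 OUT=ppp0 MAC= SRC=2001:4ca0:0108:0042:0000:0080:0006:0009 DST=2001:14c9:1131:1320:8b80:2765:3c6a:2f19 LEN=80 TC=0 HOPLIMIT=244 FLOWLBL=0 PROTO=TCP SPT=50625 DPT=80 WINDOW=65535 RES=0x00 SYN URGP=0
kernel: [102655.000001] FW:FORWARD:REJECT:IN=ppp0 OUT=ppp0 MAC= SRC=2001:4ca0:0108:0042:0000:0080:0006:0009 DST=2001:14c9:1131:1320:1:2:3:4 LEN=60 TC=0 HOPLIMIT=244 FLOWLBL=0 PROTO=UDP SPT=40000 DPT=53 LEN=40
kernel: [102656.000001] FW:FORWARD:ACCEPT:IN=ppp0 OUT=eth0 MAC= SRC=2001:db8::1 DST=2001:14c9:1131:1320::10 LEN=80 TC=0 HOPLIMIT=64 FLOWLBL=0 PROTO=TCP SPT=1234 DPT=443 WINDOW=65535 RES=0x00 SYN URGP=0
"""

# "<syslog text> FW:<chain>:<disposition>:KEY=VALUE ... FLAG ..."
_HEADER = re.compile(r"\bFW:(?P<chain>[\w-]+):(?P<disposition>[\w-]+):(?P<rest>.*)$")
# Either a KEY=VALUE token (VALUE may be empty, as in "MAC=") or a bare flag (SYN).
_TOKEN = re.compile(r"(?P<key>[A-Z_]+)=(?P<value>\S*)|(?P<flag>[A-Z]+)")


def parse_log_line(line):
    """Parse one netfilter log line into a dict, or return None for other lines.

    Bare flags such as SYN are collected under 'FLAGS'. When a key repeats
    (netfilter prints LEN twice for UDP: IPv6 payload length, then UDP length)
    the first occurrence wins.
    """
    m = _HEADER.search(line)
    if not m:
        return None
    rec = {"CHAIN": m.group("chain"),
           "DISPOSITION": m.group("disposition"),
           "FLAGS": []}
    for t in _TOKEN.finditer(m.group("rest")):
        if t.group("key"):
            rec.setdefault(t.group("key"), t.group("value"))
        else:
            rec["FLAGS"].append(t.group("flag"))
    return rec


def is_hairpin(rec):
    """True when the packet would leave through the interface it arrived on."""
    return bool(rec.get("IN")) and rec.get("IN") == rec.get("OUT")


def classify(rec):
    """Label a parsed record in the terms the post uses for this traffic."""
    src = ipaddress.ip_address(rec["SRC"])
    dst = ipaddress.ip_address(rec["DST"])
    if is_hairpin(rec) and dst in LOCAL_PREFIX:
        label = "hairpin-to-local-prefix"
    elif is_hairpin(rec):
        label = "hairpin-other"
    else:
        label = "normal-forward"
    if src in SCANNER_PREFIX:
        label += "/known-scanner"
    return label


def triage(log_text):
    """Count classifications over a block of log text; returns a Counter."""
    counts = Counter()
    for line in log_text.splitlines():
        rec = parse_log_line(line)
        if rec is not None:
            counts[classify(rec)] += 1
    return counts


if __name__ == "__main__":
    for label, n in sorted(triage(SAMPLE_LOG).items()):
        print(f"{n:4d}  {label}")
```

Feed it real output with something like `journalctl -k | python3 triage.py`
after replacing SAMPLE_LOG with stdin; the "hairpin-to-local-prefix" count is
the number of entries the all-all REJECT policy is logging for this pattern.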


_______________________________________________
Shorewall-users mailing list
Shorewall-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shorewall-users
