On 10/09/2018 01:34 PM, Timo Sigurdsson wrote:
> Hi,
>
> I use shorewall 5.0.15.6 on Debian Stretch in a dual stack setup. On a
> regular basis, I get a bunch of the following messages in my log files (my
> shorewall log prefix is just FW):
>
> kernel: [102654.492757] FW:FORWARD:REJECT:IN=ppp0 OUT=ppp0 MAC=
> SRC=2001:4ca0:0108:0042:0000:0080:0006:0009
> DST=2001:14c9:1131:1320:8b80:2765:3c6a:2f19 LEN=80 TC=0 HOPLIMIT=244
> FLOWLBL=0 PROTO=TCP SPT=50625 DPT=80 WINDOW=65535 RES=0x00 SYN URGP=0
>
> The destination ports and protocols vary, but these packets actually all come
> from the same network.
>
> Now, I can understand why these packets are rejected. The prefix in DST
> actually matches my IPv6 prefix which is assigned to the interface ppp0, but
> the interface identifier doesn't. And routing back through the same interface
> is neither desired nor allowed on my network.
>
> The relevant lines in shorewall6/interfaces and shorewall6/policy look like
> this:
>
> shorewall6/interfaces:
> net ppp0 dhcp,accept_ra=2,tcpflags,nosmurfs,rpfilter,sourceroute=0
>
> shorewall6/policy:
> $FW net ACCEPT
> [...]
> net all DROP
> # THE FOLLOWING POLICY MUST BE LAST
> all all REJECT info
>
> So basically, these packets hit the all-all reject policy. What I would like
> to do, however, is to drop these packets without logging (and I do not want to
> change my default policy for that). How can I match these packets? I have
> tried several approaches that all didn't work:
>
> 1) I added a policy that said:
> net net DROP
> Didn't work and also should be redundant due to the net-all drop rule.
>
> 2) I added rules in shorewall6/rules to match the source of the traffic
> (which are servers by a university in Munich that try to map/scan the IPv6
> address space):
> DROP:none net:[2001:4ca0:108:42::]/64 all tcp 80
> DROP:none net:[2001:4ca0:108:42::]/64 all tcp 443
> DROP:none net:[2001:4ca0:108:42::]/64 all udp 443
> DROP:none net:[2001:4ca0:108:42::]/64 all udp 53
> DROP:none net:[2001:4ca0:108:42::]/64 all ipv6-icmp 128
> I tried it in both ?SECTION NEW as well as ?SECTION ALL - didn't work.
>
> 3) I tried adding the source of these packets to my blacklist rules
> (shorewall6/blrules) in the same manner, and still they'd show up in my logs.
>
> So, I'm lost here. *Is it possible to somehow match these packets in order to
> drop them silently?* My preference would be to simply drop all packets coming
> from the net zone that would be forwarded back through the same interface.
> But if I have to specify the source, that would be ok as well.
>
> For reference I also include my traffic dispositions and log levels from my
> shorewall6 configuration file:
>
> grep -e LOG_LEVEL -e DISPOSITION shorewall6/shorewall6.conf
> BLACKLIST_LOG_LEVEL=info
> INVALID_LOG_LEVEL=
> MACLIST_LOG_LEVEL=info
> RELATED_LOG_LEVEL=
> RPFILTER_LOG_LEVEL=none
> SFILTER_LOG_LEVEL=info
> SMURF_LOG_LEVEL=info
> TCP_FLAGS_LOG_LEVEL=info
> UNTRACKED_LOG_LEVEL=
> BLACKLIST_DISPOSITION=DROP
> INVALID_DISPOSITION=CONTINUE
> MACLIST_DISPOSITION=REJECT
> RELATED_DISPOSITION=ACCEPT
> SFILTER_DISPOSITION=DROP
> RPFILTER_DISPOSITION=DROP
> SMURF_DISPOSITION=DROP
> TCP_FLAGS_DISPOSITION=DROP
> UNTRACKED_DISPOSITION=CONTINUE
>
> I'd appreciate it if someone could point me in the right direction on how to get
> rid of these log messages. Thank you!
>
a) Set the 'routeback' option on ppp0 in /etc/shorewall/interfaces.

b) Add your proposed net->net DROP policy BEFORE your current net->all policy.

-Tom
-- 
Tom Eastep           \ Q: What do you get when you cross a mobster with
Shoreline,            \ an international standard?
Washington, USA        \ A: Someone who makes you an offer you can't
http://shorewall.org    \ understand
\_______________________________________________
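As an added illustration of the two-step answer above (this is not part of Tom's reply or of the Shorewall documentation), here are the two shorewall6 files as they would look after the change. The poster's existing options and policies are kept; the only edits are the appended routeback option and the new net net DROP line inserted above net all DROP. The file paths assume the separate /etc/shorewall6 directory used by the poster's Shorewall 5.0 install, and the [...] marker stands for the other policies elided in the original message:

```text
# /etc/shorewall6/interfaces
# routeback tells Shorewall to generate the ppp0 -> ppp0 forwarding chain,
# i.e. to treat net -> net traffic as a real zone pair. Without it, packets
# that arrive on ppp0 and would leave via ppp0 match no zone pair and fall
# through to the final "all all REJECT info" policy, which is what was logged.
#ZONE   INTERFACE   OPTIONS
net     ppp0        dhcp,accept_ra=2,tcpflags,nosmurfs,rpfilter,sourceroute=0,routeback

# /etc/shorewall6/policy
# Policies are evaluated top to bottom and the first matching entry wins,
# so the silent net -> net DROP (no log level) has to sit above the broader
# net -> all policy and, of course, above the logging all -> all catch-all.
#SOURCE  DEST  POLICY  LOG LEVEL
$FW      net   ACCEPT
[...]
net      net   DROP
net      all   DROP
# THE FOLLOWING POLICY MUST BE LAST
all      all   REJECT  info
```

After editing, verify and apply the change with `shorewall6 check` followed by `shorewall6 reload`. Two caveats: the net net DROP policy discards every packet that would be forwarded back out ppp0, not only the scanner's, which matches the poster's stated intent but would need an explicit ACCEPT in shorewall6/rules ahead of the policy if any hairpin traffic were ever legitimate; and because the policy carries no log level, these packets disappear from the log entirely, so a blrules entry with a log level would be the way to keep a record of the scanning source while still dropping it.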
_______________________________________________
Shorewall-users mailing list
Shorewall-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shorewall-users