On 1/20/19 1:15 PM, C. Cook wrote:
>
> Thanks Tom.
>
>>> Suddenly I started getting Shorewall DROPs on my LAN members from
>>> various _public_ IPs to ports 80, 443, and so on! This has never
>>> happened in 10+ years of using Shorewall. I realized that it must be my
>>> Frontier Communications fiber ONT that has 10.1.1.1 and it's letting
>>> everyone and their brother into my LAN.
>> Internet hosts can't send requests to your local LAN members, without
>> there being DNAT somewhere along the line. Are you sure that you have
>> the correct DNAT rules in place since you have renumbered your local subnet?
>
> These are my only DNATs in the router:
>
> Web(DNAT) net dmz:10.1.10.2 - - - - 3/sec:10
> Web(DNAT) local dmz:10.1.10.2 - - - ð0
>
> DNAT net local:10.1.2.1 udp wgin - # WireGuard Port In
>
> ... and yet somehow several public IPs were trying 80 and 443 on
> 10.1.2.2, given the Shorewall DROPs on that machine. Maybe they were
> coming in through my phone on the VPN server? DNAT for that is above,
> and in the WG server:
>
> ACCEPT net:10.1.2.0/24,10.1.5.0/24 outWG tcp backups,dash,ftp,ftps,git,hkp,http,https,ircd,ircmoz,ircssl,imaps,radio,remote,rtsp,smtp,submission,svn,whois,xmpp-client -
> ACCEPT net:10.1.2.0/24,10.1.3.1/32,10.1.5.0/24 $FW udp domain,ntp -
>
> I had the phone's AFWall+ on with only relevant apps enabled.
>
>>
>>> So now I have to change everything to something else. But I also want
>>> to exclude any possibility of outsiders getting in. Studying the docs
>>> it seems the right way is in the router:
>>>
>>> ?SECTION ALL
>>> DROP all local:10.0.0.0/8,local:172.0.0.0/8,local:192.168.0.0/16 all all
>>>
>>> Am I on the right track here?
>> The above will break all connections that you allow from the net via
>> DNAT. What policy/rules do you currently have in place from the internet
>> zone to your local zone?
>
> lol, Ok so much for my ingenious interpretation of the docs...
>
> $FW all REJECT info(uid,tcp_options)
> net all DROP info(uid,tcp_options)
> inWG all DROP info(uid,tcp_options)
> outWG all DROP info(uid,tcp_options)
> #local all REJECT info(uid,tcp_options)
> all all REJECT info(uid,tcp_options)
>
>> Have you looked at these requests as they enter your firewall using a
>> packet sniffer (tcpdump -ni <interface> dst host 10.1.1.0/24)? If the
>> above produces no output while your local systems are logging DROPs,
>> then the problem is on your own firewall.
>
> I didn't. I immediately got on changing my subnets and trying to
> figure out how to block everything but.
> Strangers are still getting into the interior of my network! How is this possible?
[Wed Jan 23 15:28:18 2019] net-fw DROP IN=wlp3s0 OUT= MAC=34:02:86:43:de:1f:52:54:00:3e:56:2a:08:00 SRC=95.163.255.192 DST=10.2.10.2 LEN=60 TOS=0x00 PREC=0x00 TTL=45 ID=28760 DF PROTO=TCP SPT=60772 DPT=80 WINDOW=29200 RES=0x00 SYN URGP=0 OPT (020405B40402080AAC0174E60000000001030307)
[Wed Jan 23 15:28:19 2019] net-fw DROP IN=wlp3s0 OUT= MAC=34:02:86:43:de:1f:52:54:00:3e:56:2a:08:00 SRC=95.163.255.192 DST=10.2.10.2 LEN=60 TOS=0x00 PREC=0x00 TTL=45 ID=28761 DF PROTO=TCP SPT=60772 DPT=80 WINDOW=29200 RES=0x00 SYN URGP=0 OPT (020405B40402080AAC0178D00000000001030307)
[Wed Jan 23 15:28:21 2019] net-fw DROP IN=wlp3s0 OUT= MAC=34:02:86:43:de:1f:52:54:00:3e:56:2a:08:00 SRC=95.163.255.192 DST=10.2.10.2 LEN=60 TOS=0x00 PREC=0x00 TTL=45 ID=28762 DF PROTO=TCP SPT=60772 DPT=80 WINDOW=29200 RES=0x00 SYN URGP=0 OPT (020405B40402080AAC0180A40000000001030307)
[Wed Jan 23 15:28:25 2019] net-fw DROP IN=wlp3s0 OUT= MAC=34:02:86:43:de:1f:52:54:00:3e:56:2a:08:00 SRC=95.163.255.192 DST=10.2.10.2 LEN=60 TOS=0x00 PREC=0x00 TTL=45 ID=28763 DF PROTO=TCP SPT=60772 DPT=80 WINDOW=29200 RES=0x00 SYN URGP=0 OPT (020405B40402080AAC0190500000000001030307)
[Wed Jan 23 15:28:33 2019] net-fw DROP IN=wlp3s0 OUT= MAC=34:02:86:43:de:1f:52:54:00:3e:56:2a:08:00 SRC=95.163.255.192 DST=10.2.10.2 LEN=60 TOS=0x00 PREC=0x00 TTL=45 ID=28764 DF PROTO=TCP SPT=60772 DPT=80 WINDOW=29200 RES=0x00 SYN URGP=0 OPT (020405B40402080AAC01AFA00000000001030307)
[Wed Jan 23 15:28:42 2019] net-fw DROP IN=wlp3s0 OUT= MAC=34:02:86:43:de:1f:52:54:00:3e:56:2a:08:00 SRC=37.49.229.107 DST=10.2.10.2 LEN=40 TOS=0x00 PREC=0x00 TTL=236 ID=12605 PROTO=TCP SPT=58028 DPT=443 WINDOW=1024 RES=0x00 SYN URGP=0
[Wed Jan 23 15:28:49 2019] net-fw DROP IN=wlp3s0 OUT= MAC=34:02:86:43:de:1f:52:54:00:3e:56:2a:08:00 SRC=95.163.255.181 DST=10.2.10.2 LEN=60 TOS=0x00 PREC=0x00 TTL=45 ID=42737 DF PROTO=TCP SPT=60561 DPT=80 WINDOW=29200 RES=0x00 SYN URGP=0 OPT (020405B40402080AAC01EE110000000001030307)
[Wed Jan 23 15:28:50 2019] net-fw DROP IN=wlp3s0 OUT= MAC=34:02:86:43:de:1f:52:54:00:3e:56:2a:08:00 SRC=95.163.255.181 DST=10.2.10.2 LEN=60 TOS=0x00 PREC=0x00 TTL=45 ID=42738 DF PROTO=TCP SPT=60561 DPT=80 WINDOW=29200 RES=0x00 SYN URGP=0 OPT (020405B40402080AAC01F1FC0000000001030307)
[Wed Jan 23 15:28:52 2019] net-fw DROP IN=wlp3s0 OUT= MAC=34:02:86:43:de:1f:52:54:00:3e:56:2a:08:00 SRC=95.163.255.181 DST=10.2.10.2 LEN=60 TOS=0x00 PREC=0x00 TTL=45 ID=42739 DF PROTO=TCP SPT=60561 DPT=80 WINDOW=29200 RES=0x00 SYN URGP=0 OPT (020405B40402080AAC01F9D00000000001030307)
[Wed Jan 23 15:28:56 2019] net-fw DROP IN=wlp3s0 OUT= MAC=34:02:86:43:de:1f:52:54:00:3e:56:2a:08:00 SRC=95.163.255.181 DST=10.2.10.2 LEN=60 TOS=0x00 PREC=0x00 TTL=45 ID=42740 DF PROTO=TCP SPT=60561 DPT=80 WINDOW=29200 RES=0x00 SYN URGP=0 OPT (020405B40402080AAC0209780000000001030307)
[Wed Jan 23 15:29:04 2019] net-fw DROP IN=wlp3s0 OUT= MAC=34:02:86:43:de:1f:52:54:00:3e:56:2a:08:00 SRC=95.163.255.181 DST=10.2.10.2 LEN=60 TOS=0x00 PREC=0x00 TTL=45 ID=42741 DF PROTO=TCP SPT=60561 DPT=80 WINDOW=29200 RES=0x00 SYN URGP=0 OPT (020405B40402080AAC0228C00000000001030307)
_______________________________________________
Shorewall-users mailing list
Shorewall-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shorewall-users
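Tom's diagnostic in the thread is to decide whether these packets really arrive from the internet or are being forwarded by something on the LAN. The Shorewall DROP lines above already carry enough to make that call: SRC and DST tell you whether a public address is reaching RFC1918 space, and the MAC= field (netfilter logs it as destination MAC, source MAC, ethertype) names the last-hop device that delivered the frame to the logging host. The following parser is an added example, not code from the thread or from the Shorewall project; it takes two entries copied from the log above plus one constructed LAN-to-LAN entry, flags public-to-private drops, and collapses SYN retransmits so each attacking source shows up once with its ports and the local MAC it came through.

```python
import ipaddress
import re

# Two entries copied from the Shorewall DROP log quoted in the thread, plus one
# constructed loc-fw entry (source 10.2.10.7) so the filter has something to ignore.
SAMPLE_LOG = """\
[Wed Jan 23 15:28:18 2019] net-fw DROP IN=wlp3s0 OUT= MAC=34:02:86:43:de:1f:52:54:00:3e:56:2a:08:00 SRC=95.163.255.192 DST=10.2.10.2 LEN=60 TOS=0x00 PREC=0x00 TTL=45 ID=28760 DF PROTO=TCP SPT=60772 DPT=80 WINDOW=29200 RES=0x00 SYN URGP=0 OPT (020405B40402080AAC0174E60000000001030307)
[Wed Jan 23 15:28:19 2019] net-fw DROP IN=wlp3s0 OUT= MAC=34:02:86:43:de:1f:52:54:00:3e:56:2a:08:00 SRC=95.163.255.192 DST=10.2.10.2 LEN=60 TOS=0x00 PREC=0x00 TTL=45 ID=28761 DF PROTO=TCP SPT=60772 DPT=80 WINDOW=29200 RES=0x00 SYN URGP=0 OPT (020405B40402080AAC0178D00000000001030307)
[Wed Jan 23 15:28:42 2019] net-fw DROP IN=wlp3s0 OUT= MAC=34:02:86:43:de:1f:52:54:00:3e:56:2a:08:00 SRC=37.49.229.107 DST=10.2.10.2 LEN=40 TOS=0x00 PREC=0x00 TTL=236 ID=12605 PROTO=TCP SPT=58028 DPT=443 WINDOW=1024 RES=0x00 SYN URGP=0
[Wed Jan 23 15:30:01 2019] loc-fw DROP IN=wlp3s0 OUT= MAC=34:02:86:43:de:1f:aa:bb:cc:dd:ee:ff:08:00 SRC=10.2.10.7 DST=10.2.10.2 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=1 DF PROTO=TCP SPT=41000 DPT=22 WINDOW=29200 RES=0x00 SYN URGP=0
"""

# "[timestamp] <chain> <action> " prefix, then KEY=VALUE pairs (VALUE may be empty, e.g. OUT=).
PREFIX_RE = re.compile(r"^\[(?P<ts>[^\]]+)\]\s+(?P<chain>\S+)\s+(?P<action>\S+)\s+")
KV_RE = re.compile(r"(\w+)=(\S*)")


def parse_line(line):
    """Turn one netfilter/Shorewall log line into a dict, or None if it is not one."""
    m = PREFIX_RE.match(line)
    if not m:
        return None
    rec = {"ts": m.group("ts"), "chain": m.group("chain"), "action": m.group("action")}
    for key, value in KV_RE.findall(line[m.end():]):
        rec[key] = value
    return rec


def split_mac_field(mac_field):
    """netfilter logs MAC= as dst_mac:src_mac:ethertype (6 + 6 + 2 bytes, colon separated)."""
    parts = mac_field.split(":")
    if len(parts) != 14:
        return None
    return ":".join(parts[0:6]), ":".join(parts[6:12]), ":".join(parts[12:14])


def is_private(ip_text):
    return ipaddress.ip_address(ip_text).is_private


def find_public_to_private(log_text):
    """Return one record per DROP whose source is a public address and whose
    destination is private space: the symptom under discussion in the thread."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["action"] != "DROP":
            continue
        src, dst = rec.get("SRC"), rec.get("DST")
        if not src or not dst or is_private(src) or not is_private(dst):
            continue
        macs = split_mac_field(rec.get("MAC", ""))
        hits.append({
            "src": src, "dst": dst,
            "proto": rec.get("PROTO"), "dpt": rec.get("DPT"),
            "in_if": rec.get("IN"),
            "via_mac": macs[1] if macs else None,  # last-hop device on the LAN
        })
    return hits


def summarize(hits):
    """Collapse retransmitted SYNs: count by (src, dst, proto, dpt, via_mac)."""
    counts = {}
    for h in hits:
        key = (h["src"], h["dst"], h["proto"], h["dpt"], h["via_mac"])
        counts[key] = counts.get(key, 0) + 1
    return counts


if __name__ == "__main__":
    for key, n in sorted(summarize(find_public_to_private(SAMPLE_LOG)).items()):
        src, dst, proto, dpt, via = key
        print(f"{src} -> {dst} {proto}/{dpt} via {via}: {n} packet(s)")
```

The summary line that matters is the `via` MAC. If it belongs to the router's LAN interface, the packets were forwarded (or DNATed) by the router and the next step is the capture Tom describes on the router's outside interface; for a whole prefix the tcpdump filter is `dst net 10.2.10.0/24` rather than `dst host`. If the MAC belongs to some other device on the LAN, such as the ONT or a VPN endpoint, that device is the one delivering internet traffic inside, and the router's policies are not where the fix lies.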