On Wed, Apr 17, 2019 at 10:27 PM Tom Eastep <teas...@shorewall.net> wrote:
>
> > I exclude based on the source IP address to avoid false positives in
> > the following logic in my rules file:
> > Almost at the top of the file I DROP connections from net* hosts with
> > src IP addresses in the POL_BL ipset.
> > Then follow ACCEPT / DNAT rules all along the file until, at the very
> > bottom, I ADD(src) to POL_BL. However, I want to avoid doing so if the
> > source port is known valid traffic originating from within my LANs
> > (HTTP, HTTPS, etc).
>
> Does that actually match any traffic? The reason that I ask is that if
> the packet is part of an existing connection, it will be ACCEPTED by an
> earlier rule that matches conntrack state ESTABLISHED.
If I use this action at the end of my rules file:

    ADD(POL_BL:src):info:polbl,add2polbl net1,net2,net3:!+POL_BL,+GLOBAL_WL,+NORMAL_WL all

instead of this one:

    ADD(POL_BL:src):info:polbl,add2polbl net1,net2,net3:!+POL_BL,+GLOBAL_WL,+NORMAL_WL all tcp,udp - !+POL_BL_EXCL

where POL_BL_EXCL contains port 443, then I see the following in my log (note SPT=443):

kernel: Shorewall:polbl:add2polbl:IN=ppp3 OUT= MAC= SRC=31.13.83.2 DST=MY_PUBLIC_IP_3 LEN=40 TOS=0x00 PREC=0x00 TTL=88 ID=48428 DF PROTO=TCP SPT=443 DPT=44270 WINDOW=0 RES=0x00 RST URGP=0 MARK=0x3
kernel: Shorewall:polbl:add2polbl:IN=ppp3 OUT= MAC= SRC=40.67.251.132 DST=MY_PUBLIC_IP_3 LEN=382 TOS=0x00 PREC=0x00 TTL=111 ID=22075 DF PROTO=TCP SPT=443 DPT=49603 WINDOW=7431 RES=0x00 ACK PSH URGP=0 MARK=0x3
kernel: Shorewall:polbl:add2polbl:IN=ppp3 OUT= MAC= SRC=149.154.167.92 DST=MY_PUBLIC_IP_3 LEN=40 TOS=0x00 PREC=0x00 TTL=51 ID=29469 DF PROTO=TCP SPT=443 DPT=51869 WINDOW=0 RES=0x00 RST URGP=0 MARK=0x3

This is supposed to be "accepted" HTTPS traffic.

Vieri

_______________________________________________
Shorewall-users mailing list
Shorewall-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shorewall-users
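An added example, not code from the thread or from Shorewall: a small Python reader for the log lines above that extracts the netfilter KEY=VALUE fields, records the TCP flags, and applies the source-port exclusion that the second ADD rule intends (POL_BL_EXCL is assumed to hold only port 443). It also notes whether each packet is a bare SYN, since Tom's point is that anything belonging to an existing connection would already have been ACCEPTed by the earlier ESTABLISHED rule. The first two sample lines are copied from the message above; the third is constructed.

```python
import re

# Sample input: two lines quoted in the thread, one constructed (SYN to port 22).
SAMPLE_LOG = """\
kernel: Shorewall:polbl:add2polbl:IN=ppp3 OUT= MAC= SRC=31.13.83.2 DST=MY_PUBLIC_IP_3 LEN=40 TOS=0x00 PREC=0x00 TTL=88 ID=48428 DF PROTO=TCP SPT=443 DPT=44270 WINDOW=0 RES=0x00 RST URGP=0 MARK=0x3
kernel: Shorewall:polbl:add2polbl:IN=ppp3 OUT= MAC= SRC=40.67.251.132 DST=MY_PUBLIC_IP_3 LEN=382 TOS=0x00 PREC=0x00 TTL=111 ID=22075 DF PROTO=TCP SPT=443 DPT=49603 WINDOW=7431 RES=0x00 ACK PSH URGP=0 MARK=0x3
kernel: Shorewall:polbl:add2polbl:IN=ppp3 OUT= MAC= SRC=198.51.100.7 DST=MY_PUBLIC_IP_3 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=1 DF PROTO=TCP SPT=51234 DPT=22 WINDOW=29200 RES=0x00 SYN URGP=0 MARK=0x3
"""

TCP_FLAGS = {"SYN", "ACK", "PSH", "RST", "FIN", "URG"}


def parse_shorewall_log(line):
    """Split a Shorewall/netfilter log line into KEY=VALUE fields.
    Bare tokens (DF, SYN, ACK, RST, ...) are collected into a 'flags' set."""
    m = re.search(r"Shorewall:([^:]+):([^:]+):(.*)", line)
    if not m:
        return None
    rec = {"prefix": (m.group(1), m.group(2)), "flags": set()}
    for tok in m.group(3).split():
        key, sep, val = tok.partition("=")
        if sep:
            rec[key] = val          # also handles empty values like OUT= and MAC=
        else:
            rec["flags"].add(tok)
    return rec


def would_add_to_blocklist(rec, excluded_src_ports):
    """Mirror the intent of the second ADD rule: tcp/udp packets whose source
    port is in POL_BL_EXCL must not cause the source address to be added."""
    proto = rec.get("PROTO", "").lower()
    if proto in ("tcp", "udp") and int(rec.get("SPT", 0)) in excluded_src_ports:
        return False
    return True


def review(log_text, excluded_src_ports=frozenset({443})):
    """Summarise each log line: source, source port, TCP flags, whether it is a
    connection attempt (bare SYN), and whether the exclusion would have stopped the ADD."""
    out = []
    for line in log_text.splitlines():
        rec = parse_shorewall_log(line)
        if rec is None:
            continue
        flags = rec["flags"]
        out.append({
            "src": rec["SRC"],
            "spt": int(rec["SPT"]),
            "tcp_flags": sorted(flags & TCP_FLAGS),
            "new_connection": "SYN" in flags and "ACK" not in flags,
            "would_add": would_add_to_blocklist(rec, excluded_src_ports),
        })
    return out
```

Running `review(SAMPLE_LOG)` shows the two SPT=443 packets are an RST and an ACK/PSH rather than SYNs, and that the port exclusion would have kept both sources out of POL_BL.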