On 4/18/19 6:59 AM, Vieri Di Paola wrote:
> On Wed, Apr 17, 2019 at 10:27 PM Tom Eastep <teas...@shorewall.net> wrote:
>>
>>> I exclude based on the source IP address to avoid false positives in
>>> the following logic in my rules file:
>>> Almost at the top of the file I DROP connections from net* hosts with
>>> src IP addresses in the POL_BL ipset.
>>> Then follow ACCEPT / DNAT rules all along the file until, at the very
>>> bottom, I ADD(src) to POL_BL. However, I want to avoid doing so if the
>>> source port is known valid traffic originating from within my lans
>>> (HTTP, HTTPS, etc).
>>
>> Does that actually match any traffic? The reason that I ask is that if
>> the packet is part of an existing connection, it will be ACCEPTED by an
>> earlier rule that matches conntrack state ESTABLISHED.
> 
> 
> If I use this action at the end of my rules file:
> 
> ADD(POL_BL:src):info:polbl,add2polbl
> net1,net2,net3:!+POL_BL,+GLOBAL_WL,+NORMAL_WL   all
> 
> instead of this one:
> 
> ADD(POL_BL:src):info:polbl,add2polbl
> net1,net2,net3:!+POL_BL,+GLOBAL_WL,+NORMAL_WL   all     tcp,udp -       !+POL_BL_EXCL
> 
> where POL_BL_EXCL contains port 443 then I see the following in my log
> (note SPT=443):
> 
> kernel: Shorewall:polbl:add2polbl:IN=ppp3 OUT= MAC= SRC=31.13.83.2 DST=MY_PUBLIC_IP_3 LEN=40 TOS=0x00 PREC=0x00 TTL=88 ID=48428 DF PROTO=TCP SPT=443 DPT=44270 WINDOW=0 RES=0x00 RST URGP=0 MARK=0x3
> kernel: Shorewall:polbl:add2polbl:IN=ppp3 OUT= MAC= SRC=40.67.251.132 DST=MY_PUBLIC_IP_3 LEN=382 TOS=0x00 PREC=0x00 TTL=111 ID=22075 DF PROTO=TCP SPT=443 DPT=49603 WINDOW=7431 RES=0x00 ACK PSH URGP=0 MARK=0x3
> kernel: Shorewall:polbl:add2polbl:IN=ppp3 OUT= MAC= SRC=149.154.167.92 DST=MY_PUBLIC_IP_3 LEN=40 TOS=0x00 PREC=0x00 TTL=51 ID=29469 DF PROTO=TCP SPT=443 DPT=51869 WINDOW=0 RES=0x00 RST URGP=0 MARK=0x3
> 
> This is supposed to be "accepted" HTTPS traffic.
> 

I deal with those as follows:

?SECTION INVALID

RST(ACCEPT)     { SOURCE=all, DEST=all }
FIN(ACCEPT)     { SOURCE=all, DEST=all }
DROP            { SOURCE=net, DEST=all }

-Tom
-- 
Tom Eastep        \   Q: What do you get when you cross a mobster with
Shoreline,         \     an international standard?
Washington, USA     \ A: Someone who makes you an offer you can't
http://shorewall.org \   understand
                      \_______________________________________________
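Added example, not code from the thread or from Shorewall: a small Python triage of the add2polbl log lines quoted above, separating late replies from server ports (the stray RST/ACK packets that no longer match ESTABLISHED and that Tom's INVALID-section rules catch first) from genuine unsolicited connection attempts. The SERVICE_PORTS set and the fourth log line (source 203.0.113.7, a documentation address) are assumptions; the other three lines are the ones quoted in the thread.

```python
import re

# Constructed sample input: the three add2polbl lines quoted in the thread, re-joined
# onto one line each, plus one constructed unsolicited SYN (the traffic ADD is meant for).
SAMPLE_LOG = """\
kernel: Shorewall:polbl:add2polbl:IN=ppp3 OUT= MAC= SRC=31.13.83.2 DST=MY_PUBLIC_IP_3 LEN=40 TOS=0x00 PREC=0x00 TTL=88 ID=48428 DF PROTO=TCP SPT=443 DPT=44270 WINDOW=0 RES=0x00 RST URGP=0 MARK=0x3
kernel: Shorewall:polbl:add2polbl:IN=ppp3 OUT= MAC= SRC=40.67.251.132 DST=MY_PUBLIC_IP_3 LEN=382 TOS=0x00 PREC=0x00 TTL=111 ID=22075 DF PROTO=TCP SPT=443 DPT=49603 WINDOW=7431 RES=0x00 ACK PSH URGP=0 MARK=0x3
kernel: Shorewall:polbl:add2polbl:IN=ppp3 OUT= MAC= SRC=149.154.167.92 DST=MY_PUBLIC_IP_3 LEN=40 TOS=0x00 PREC=0x00 TTL=51 ID=29469 DF PROTO=TCP SPT=443 DPT=51869 WINDOW=0 RES=0x00 RST URGP=0 MARK=0x3
kernel: Shorewall:polbl:add2polbl:IN=ppp3 OUT= MAC= SRC=203.0.113.7 DST=MY_PUBLIC_IP_3 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=1 DF PROTO=TCP SPT=51234 DPT=22 WINDOW=29200 RES=0x00 SYN URGP=0 MARK=0x3
"""

PREFIX = re.compile(r"Shorewall:(?P<chain>[^:]+):(?P<disp>[^:]+):(?P<rest>.*)")
TCP_FLAGS = {"SYN", "ACK", "FIN", "RST", "PSH", "URG"}
# Server ports whose replies are expected: 443 is what POL_BL_EXCL held in the
# thread, 80 is an assumption added for illustration.
SERVICE_PORTS = {80, 443}

def parse_line(line):
    """Turn one Shorewall/netfilter log line into KEY=VALUE fields plus a TCP flag set."""
    m = PREFIX.search(line)
    if not m:
        return None
    entry = {"chain": m["chain"], "disposition": m["disp"], "flags": set()}
    for tok in m["rest"].split():
        if "=" in tok:
            k, v = tok.split("=", 1)
            entry[k] = v
        elif tok in TCP_FLAGS:
            entry["flags"].add(tok)
    return entry

def classify(entry):
    """'stray-reply' for a non-SYN packet from a known server port, else 'candidate'."""
    flags = entry["flags"]
    if entry.get("PROTO") == "TCP" and "SYN" not in flags \
            and int(entry["SPT"]) in SERVICE_PORTS and flags & {"RST", "FIN", "ACK"}:
        # A late RST/FIN/ACK with no conntrack entry behind it (timed out, or the reply
        # arrived over another link) is INVALID, so the ESTABLISHED rule never matches it.
        return "stray-reply"
    return "candidate"

def triage(log_text):
    """Map each SRC to a verdict; only 'candidate' sources deserve to land in POL_BL."""
    verdicts = {}
    for line in log_text.splitlines():
        e = parse_line(line)
        if e and e["disposition"] == "add2polbl":
            verdicts[e["SRC"]] = classify(e)
    return verdicts
```

Running triage over the real /var/log output before the ADD rule is trusted shows how many POL_BL entries were really stragglers from closed connections rather than scans.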


_______________________________________________
Shorewall-users mailing list
Shorewall-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shorewall-users
