On Thu, Apr 18, 2019 at 5:32 PM Tom Eastep <teas...@shorewall.net> wrote:
>
> > kernel: Shorewall:polbl:add2polbl:IN=ppp3 OUT= MAC= SRC=31.13.83.2
> > DST=MY_PUBLIC_IP_3 LEN=40 TOS=0x00 PREC=0x00 TTL=88 ID=48428 DF
> > PROTO=TCP SPT=443 DPT=44270 WINDOW=0 RES=0x00 RST URGP=0 MARK=0x3
> > kernel: Shorewall:polbl:add2polbl:IN=ppp3 OUT= MAC= SRC=40.67.251.132
> > DST=MY_PUBLIC_IP_3 LEN=382 TOS=0x00 PREC=0x00 TTL=111 ID=22075 DF
> > PROTO=TCP SPT=443 DPT=49603 WINDOW=7431 RES=0x00 ACK PSH URGP=0
> > MARK=0x3
> > kernel: Shorewall:polbl:add2polbl:IN=ppp3 OUT= MAC= SRC=149.154.167.92
> > DST=MY_PUBLIC_IP_3 LEN=40 TOS=0x00 PREC=0x00 TTL=51 ID=29469 DF
> > PROTO=TCP SPT=443 DPT=51869 WINDOW=0 RES=0x00 RST URGP=0 MARK=0x3
> >
> > This is supposed to be "accepted" HTTPS traffic.
> >
>
> I deal with those as follows:
>
> ?SECTION INVALID
>
> RST(ACCEPT)     { SOURCE=all, DEST=all }
> FIN(ACCEPT)     { SOURCE=all, DEST=all }
> DROP            { SOURCE=net, DEST=all }

Will these packets enter the INVALID state? Will they enter it "fast
enough" so there's no significant lag?
Any foreseeable side-effects? If not, could it be included by default
in the shorewall config examples?

Why add DROP in the last line? Isn't it implicit with whatever is in "policy"?

Also, in my specific example, could I use the following instead, or
would it be nonsense?

?SECTION INVALID

RST(ACCEPT)     { SOURCE=net1, DEST=loc }
RST(ACCEPT)     { SOURCE=net2, DEST=loc }
RST(ACCEPT)     { SOURCE=net3, DEST=loc }
FIN(ACCEPT)     { SOURCE=net1, DEST=loc }
FIN(ACCEPT)     { SOURCE=net2, DEST=loc }
FIN(ACCEPT)     { SOURCE=net3, DEST=loc }
DROP            { SOURCE=net1, DEST=all }
DROP            { SOURCE=net2, DEST=all }
DROP            { SOURCE=net3, DEST=all }

Vieri
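To see which of the quoted `?SECTION INVALID` rules each logged packet would hit, the following is an added example (not code from the thread or from the Shorewall project). It parses the three kernel log lines quoted above (used here as constructed sample input, with the thread's own MY_PUBLIC_IP_3 placeholder kept) and walks them through the rule order `RST(ACCEPT)`, `FIN(ACCEPT)`, `DROP`. It assumes, for illustration, that the RST and FIN actions match TCP packets with the corresponding flag set and that interface `ppp3` belongs to the `net` zone; both are assumptions of this example, not statements from the thread.

```python
import re

# Constructed sample input: the three log lines quoted in the thread, each
# re-joined onto a single line as the kernel originally emitted it.
LOG_LINES = [
    "kernel: Shorewall:polbl:add2polbl:IN=ppp3 OUT= MAC= SRC=31.13.83.2 "
    "DST=MY_PUBLIC_IP_3 LEN=40 TOS=0x00 PREC=0x00 TTL=88 ID=48428 DF "
    "PROTO=TCP SPT=443 DPT=44270 WINDOW=0 RES=0x00 RST URGP=0 MARK=0x3",
    "kernel: Shorewall:polbl:add2polbl:IN=ppp3 OUT= MAC= SRC=40.67.251.132 "
    "DST=MY_PUBLIC_IP_3 LEN=382 TOS=0x00 PREC=0x00 TTL=111 ID=22075 DF "
    "PROTO=TCP SPT=443 DPT=49603 WINDOW=7431 RES=0x00 ACK PSH URGP=0 MARK=0x3",
    "kernel: Shorewall:polbl:add2polbl:IN=ppp3 OUT= MAC= SRC=149.154.167.92 "
    "DST=MY_PUBLIC_IP_3 LEN=40 TOS=0x00 PREC=0x00 TTL=51 ID=29469 DF "
    "PROTO=TCP SPT=443 DPT=51869 WINDOW=0 RES=0x00 RST URGP=0 MARK=0x3",
]

# Bare tokens in a netfilter log line that denote TCP flags (no '=' sign).
TCP_FLAG_TOKENS = {"SYN", "ACK", "FIN", "RST", "PSH", "URG", "CWR", "ECE"}

# Assumed interface-to-zone mapping for this example (not from the thread).
IFACE_ZONE = {"ppp3": "net"}


def parse_nflog(line):
    """Parse one Shorewall/netfilter kernel log line into a dict.

    key=value tokens become dict entries; bare TCP flag tokens are collected
    in rec["flags"]; other bare tokens (e.g. DF) go into rec["opts"].
    """
    m = re.search(r"Shorewall:(?P<chain>[^:]+):(?P<disp>[^:]+):(?P<rest>.*)$", line)
    if not m:
        raise ValueError("not a Shorewall log line: %r" % line)
    rec = {"chain": m.group("chain"), "disposition": m.group("disp"),
           "flags": set(), "opts": set()}
    for tok in m.group("rest").split():
        if "=" in tok:
            key, value = tok.split("=", 1)   # OUT= and MAC= are legitimately empty
            rec[key] = value
        elif tok in TCP_FLAG_TOKENS:
            rec["flags"].add(tok)
        else:
            rec["opts"].add(tok)             # e.g. DF (IP don't-fragment bit)
    return rec


def invalid_section_verdict(rec):
    """Walk the packet through the quoted ?SECTION INVALID rules, in order.

    Assumed semantics: RST(ACCEPT) matches TCP with RST set, FIN(ACCEPT)
    matches TCP with FIN set, and DROP applies to packets from the net zone.
    Anything else falls through to whatever the policy says.
    """
    is_tcp = rec.get("PROTO") == "TCP"
    if is_tcp and "RST" in rec["flags"]:
        return "RST(ACCEPT)"
    if is_tcp and "FIN" in rec["flags"]:
        return "FIN(ACCEPT)"
    if IFACE_ZONE.get(rec.get("IN")) == "net":
        return "DROP"
    return "policy"


def summarize(lines):
    """Return (SRC, SPT, DPT, sorted flags, verdict) for each log line."""
    out = []
    for line in lines:
        rec = parse_nflog(line)
        out.append((rec["SRC"], rec["SPT"], rec["DPT"],
                    tuple(sorted(rec["flags"])), invalid_section_verdict(rec)))
    return out


if __name__ == "__main__":
    for row in summarize(LOG_LINES):
        print("%-16s sport=%s dport=%s flags=%-12s -> %s" % row)
```

Run as a script it shows that the two bare-RST packets would be accepted by `RST(ACCEPT)`, while the ACK/PSH packet from 40.67.251.132 (data arriving on a flow conntrack no longer knows about) falls through to `DROP`. All three come from source port 443, which is consistent with them being late replies to client connections whose state has already expired rather than new traffic.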


_______________________________________________
Shorewall-users mailing list
Shorewall-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shorewall-users
