After implementing this mangle rule yesterday, today I have:
Chain tcpre (1 references)
 pkts bytes target     prot opt in     out source               destination
 109K 4632K DROP       tcp  --  *      * 0.0.0.0/0            0.0.0.0/0            ctstate NEW tcpmss match !536:65535 /* TCP SACK */

Has anyone else seen TCP SACK packets?

Bill
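A small checker for chain listings like the one Bill posted, added here as an example and not code from the thread or from Shorewall: it parses iptables -nvL style output, expands the K/M counters, and reports the hit count of every rule carrying a tcpmss match, so you can confirm the low-MSS DROP rule is present and see whether it is actually firing. The sample listing is constructed from the output quoted above.

```python
import re

# Constructed sample: the tcpre chain listing quoted in the thread above.
SAMPLE = """Chain tcpre (1 references)
 pkts bytes target     prot opt in     out source               destination
 109K 4632K DROP       tcp  --  *      * 0.0.0.0/0            0.0.0.0/0            ctstate NEW tcpmss match !536:65535 /* TCP SACK */
"""

# iptables -v abbreviates counters in multiples of 1000.
_SUFFIX = {"": 1, "K": 1000, "M": 1000000, "G": 1000000000}


def parse_count(tok):
    """Expand an abbreviated iptables counter such as 109K to an integer."""
    m = re.fullmatch(r"(\d+)([KMG]?)", tok)
    if not m:
        raise ValueError("bad counter: %r" % tok)
    return int(m.group(1)) * _SUFFIX[m.group(2)]


def parse_chain(text):
    """Parse one 'Chain ...' listing into a list of rule dicts."""
    rules = []
    for line in text.splitlines():
        parts = line.split()
        # Skip the chain banner, the column header and short/blank lines.
        if len(parts) < 9 or parts[0] in ("Chain", "pkts"):
            continue
        pkts, byts, target, prot, opt, in_if, out_if, src, dst = parts[:9]
        rules.append({
            "pkts": parse_count(pkts), "bytes": parse_count(byts),
            "target": target, "prot": prot, "src": src, "dst": dst,
            "extra": " ".join(parts[9:]),   # match extensions and comment
        })
    return rules


def mss_filter_rules(rules):
    """Return (target, mss_spec, pkts) for every rule with a tcpmss match."""
    found = []
    for r in rules:
        m = re.search(r"tcpmss match (!?\d+:\d+)", r["extra"])
        if m:
            found.append((r["target"], m.group(1), r["pkts"]))
    return found


if __name__ == "__main__":
    for target, spec, pkts in mss_filter_rules(parse_chain(SAMPLE)):
        print("%s mss %s: %d packets" % (target, spec, pkts))
```

Feed it the real listing with something like `iptables -t mangle -nvL tcpre`; a rule that is present but shows zero hits for days may simply mean no low-MSS SYNs have arrived, not that the rule is wrong.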

On 6/21/2019 6:24 AM, Bill Shirley wrote:
I have an older version of Shorewall:
shorewall-4.6.11.1-2.fc22.noarch

I found this article (#2. Firewall Rules):
https://isc.sans.edu/forums/diary/What+You+Need+To+Know+About+TCP+SACK+Panic/25046/

I add this to /etc/shorewall/mangle:
?COMMENT TCP SACK
INLINE:P                -                - tcp    { state=NEW } ; -j DROP -m tcpmss ! --mss 536:65535

Which yields:
Chain tcpre (1 references)
 pkts bytes target     prot opt in     out source destination
    0     0 DROP       tcp  --  *      * 0.0.0.0/0 0.0.0.0/0            ctstate NEW tcpmss match !536:65535 /* TCP SACK */

Bill

On 6/20/2019 3:16 PM, Tom Eastep wrote:
On 6/19/19 3:21 PM, Steve Bluck wrote:
Hi All, I'm not in a position to patch some public servers but I
can add firewall rules. The original Netflix report
(https://github.com/Netflix/security-bulletins/blob/master/advisories/third-party/2019-001.md)
has a workaround to block connections with low MSSs for iptables
but I'm at a loss to translate to Shorewall. The filters are:
iptables -A INPUT -p tcp -m tcpmss --mss 1:500 -j DROP
ip6tables -A INPUT -p tcp -m tcpmss --mss 1:500 -j DROP
Would anybody be able to let me know how to craft as a Shorewall rule?
DROP    net    all    ;;+    -p tcp -m tcpmss --mss 1:500

Place that rule in both /etc/shorewall/rules and /etc/shorewall6/rules.

-Tom
--
Tom Eastep        \   Q: What do you get when you cross a mobster with
Shoreline,         \     an international standard?
Washington, USA     \ A: Someone who makes you an offer you can't
http://shorewall.org \   understand
\_______________________________________________


_______________________________________________
Shorewall-users mailing list
Shorewall-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shorewall-users
