On 8/21/19 12:30 PM, Timo Sigurdsson wrote:
>>> After upgrading to Debian Buster, I found a couple of log
>>> entries which look like this:
>>>
>>> net-fw DROP IN=eth0 OUT= MAC=[SNIP] SRC=[PUBLIC IP ADDR] DST=[IP OF $FW] LEN=44 TOS=0x00 PREC=0x00 TTL=63 ID=28969 DF PROTO=TCP SPT=41498 DPT=443 WINDOW=29200 RES=0x00 SYN URGP=0
>>
>> Your rule is limited to 5 connections per minute *from all
>> sources*. If you want a per-source-ip limit, you must change the
>> rule to:
>>
>> ACCEPT net $FW tcp,udp 443 - - s:5/min
>>
>
> You're right, I forgot about that even though that was an
> intentional decision when I configured the rules. Nevertheless, I
> still don't think that this is the issue here. I just checked my
> server logs again for the times around the dropped packets. There
> were *no* connections around these times. In the case of the log
> entry that I've shown above, the last connection seen by the daemon
> listening on port 443 was about 5.5 hours before the dropped packet
> and the next one was almost 2 hours after the dropped packet
> (obviously not a busy server ;)). The shortest timespan between a
> connection and a dropped packet in the last two weeks was 30
> minutes. And again, rate limiting as the cause of the issue would
> not explain why I haven't seen such dropped packets before with
> the same configuration.
>

If you switch to using the legacy backend, does the problem go away?

The packet shown above has only the SYN flag set, so the problem isn't an invalid combination of TCP flags.

-Tom

-- 
Tom Eastep           \   Q: What do you get when you cross a mobster with
Shoreline,            \     an international standard?
Washington, USA        \ A: Someone who makes you an offer you can't
http://shorewall.org    \   understand
\_______________________________________________

_______________________________________________
Shorewall-users mailing list
Shorewall-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shorewall-users
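Tom's observation that the dropped packet carries only SYN can be checked mechanically when triaging such log lines. The parser below is an added example, not code from the thread or from Shorewall; it assumes a Shorewall-style "chain action" prefix before the first IN= field and keeps the poster's bracketed placeholders as constructed sample values.

```python
import re

# Constructed sample, copied from the log line quoted in the thread; the bracketed
# placeholders ([SNIP], [PUBLIC IP ADDR], [IP OF $FW]) are kept as the poster wrote them.
SAMPLE = ("net-fw DROP IN=eth0 OUT= MAC=[SNIP] SRC=[PUBLIC IP ADDR] DST=[IP OF $FW] "
          "LEN=44 TOS=0x00 PREC=0x00 TTL=63 ID=28969 DF PROTO=TCP SPT=41498 DPT=443 "
          "WINDOW=29200 RES=0x00 SYN URGP=0")

# A token is either KEY=VALUE (the value may be a bracketed placeholder) or a bare
# flag word such as DF (IP header) or SYN/ACK/FIN/RST/PSH/URG (TCP header).
TOKEN = re.compile(r"([A-Z]+)=(\[[^\]]*\]|\S*)|\b([A-Z]{2,4})\b")
TCP_FLAGS = {"SYN", "ACK", "FIN", "RST", "PSH", "URG", "ECE", "CWR"}


def parse_netfilter_log(line: str) -> dict:
    """Split a netfilter LOG line into its KEY=VALUE fields plus a set of bare flags."""
    prefix, sep, rest = line.partition("IN=")
    if not sep:
        raise ValueError("not a netfilter LOG line (no IN= field)")
    # The text before IN= is the Shorewall chain and action, e.g. "net-fw DROP".
    rec = {"prefix": prefix.strip(), "flags": set()}
    for key, val, flag in TOKEN.findall("IN=" + rest):
        if key:
            rec[key] = val
        else:
            rec["flags"].add(flag)
    return rec


def classify_tcp_flags(rec: dict) -> str:
    """Label the TCP flag combination the way a packet-sanity check would see it."""
    if rec.get("PROTO") != "TCP":
        return "not-tcp"
    f = rec["flags"] & TCP_FLAGS
    if f == {"SYN"}:
        return "syn-only"        # plain new-connection attempt, nothing malformed
    if not f or {"SYN", "FIN"} <= f or {"SYN", "RST"} <= f:
        return "invalid"         # no TCP flags at all, or SYN combined with FIN/RST
    return "other"


if __name__ == "__main__":
    rec = parse_netfilter_log(SAMPLE)
    print(rec["prefix"], rec["SRC"], "->", rec["DST"], "dport", rec["DPT"],
          classify_tcp_flags(rec))
```

Running it on the quoted line reports `syn-only`, which is why the flag-check explanation can be ruled out and the rate-limit and backend questions remain.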