Hi Tom,

Tom Eastep wrote on 23.08.2019 01:55:
> On 8/21/19 12:30 PM, Timo Sigurdsson wrote:
>
>>>> After upgrading to Debian Buster, I found a couple of log entries which look like this:
>>>>
>>>> net-fw DROP IN=eth0 OUT= MAC=[SNIP] SRC=[PUBLIC IP ADDR] DST=[IP OF $FW] LEN=44 TOS=0x00 PREC=0x00 TTL=63 ID=28969 DF PROTO=TCP SPT=41498 DPT=443 WINDOW=29200 RES=0x00 SYN URGP=0
>>>
>>> Your rule is limited to 5 connections per minute *from all sources*. If you want a per-source-ip limit, you must change the rule to:
>>>
>>> ACCEPT net $FW tcp,udp 443 - - s:5/min
>>>
>> You're right, I forgot about that even though that was an intentional decision when I configured the rules. Nevertheless, I still don't think that this is the issue here. I just checked my server logs again for the times around the dropped packets. There were *no* connections around these times. In the case of the log entry that I've shown above, the last connection seen by the daemon listening on port 443 was about 5.5 hours before the dropped packet and the next one was almost 2 hours after the dropped packet (obviously not a busy server ;)). The shortest timespan between a connection and a dropped packet in the last two weeks was 30 minutes. And again, rate limiting as the cause of the issue would not explain why I haven't seen such dropped packets before with the same configuration.
>>
> If you switch to using the legacy backend, does the problem go away?
>
> The packet shown above has only the SYN flag set, so the problem isn't an invalid combination of TCP flags.

The problem did go away. Yet, I'm not sure yet whether that was really because of the switch from iptables-nft to iptables-legacy. The reason I'm saying this is that before I switched to iptables-legacy, I didn't see such packets anymore for three days. So I will give iptables-nft another try.

I'm just not sure what could have caused this change in behavior, since the only meaningful change in the meantime I remember was a kernel upgrade. So, I will test again with iptables-nft and see what happens. If I don't bring it up again on the mailing list, consider this issue solved.

I did find two other issues, though. I will send separate emails for those, however, so this thread doesn't get all too complicated with different issues.

Thanks,
Timo

_______________________________________________
Shorewall-users mailing list
Shorewall-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shorewall-users
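The two technical points in the exchange above, the global versus per-source rate limit and the "only SYN set" reading of the log line, as an added example that is not part of the thread or of Shorewall itself. It parses a constructed netfilter log line in the same layout as the one quoted (documentation addresses, not the poster's) and then replays a constructed burst of SYNs through a token-bucket model of the RATE column: "5/min" is modelled as one shared bucket, "s:5/min" as one bucket per SRC, both with Shorewall's default burst of 5. The token bucket is an approximation of the kernel's limit/hashlimit matches, assumed here for illustration, not a reproduction of their exact arithmetic.

```python
"""Added example (not from the thread or from Shorewall): parse a
netfilter log line and simulate a global vs. per-source rate limit.

Assumption (not from the page): both limits are modelled as a token
bucket with capacity `burst` (Shorewall's default burst of 5) refilled
at the configured rate. This approximates netfilter's `limit` and
`hashlimit` matches; it is not their exact implementation.
"""
import re
from collections import defaultdict

# Constructed sample: (seconds since start, SRC) for SYNs to $FW:443.
# Host A opens 7 connections in 7 seconds; host B opens one shortly after.
SAMPLE_ARRIVALS = [
    (0.0, "203.0.113.10"), (1.0, "203.0.113.10"), (2.0, "203.0.113.10"),
    (3.0, "203.0.113.10"), (4.0, "203.0.113.10"), (5.0, "203.0.113.10"),
    (6.0, "203.0.113.10"),
    (8.0, "198.51.100.7"),
]

# Constructed log line in the layout quoted in the thread; the MAC and
# addresses are placeholders (RFC 5737 documentation ranges).
SAMPLE_LOG_LINE = (
    "net-fw DROP IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 "
    "SRC=203.0.113.10 DST=192.0.2.1 LEN=44 TOS=0x00 PREC=0x00 TTL=63 "
    "ID=28969 DF PROTO=TCP SPT=41498 DPT=443 WINDOW=29200 RES=0x00 SYN URGP=0"
)

# Flag words netfilter prints as bare tokens (no '=' after them).
TCP_FLAGS = ("CWR", "ECE", "URG", "ACK", "PSH", "RST", "SYN", "FIN")


def parse_log_line(line):
    """Return the KEY=VALUE fields of a netfilter log line plus the set of
    TCP flag words present, so 'SYN only' vs. 'SYN+ACK' is easy to check."""
    fields = dict(re.findall(r"(\w+)=(\S*)", line))
    tokens = set(line.split())
    fields["FLAGS"] = {f for f in TCP_FLAGS if f in tokens}
    return fields


class TokenBucket:
    """Bucket holding up to `burst` tokens, refilled at `rate_per_sec`."""

    def __init__(self, rate_per_sec, burst):
        self.rate = rate_per_sec
        self.burst = burst
        self.tokens = float(burst)
        self.last = 0.0

    def allow(self, now):
        # Refill for the time elapsed, capped at the burst size.
        self.tokens = min(self.burst, self.tokens + (now - self.last) * self.rate)
        self.last = now
        if self.tokens >= 1.0:
            self.tokens -= 1.0
            return True
        return False


def simulate(arrivals, rate_per_min=5, burst=5, per_source=False):
    """Replay (time, src) arrivals through a shared bucket ("5/min") or one
    bucket per SRC ("s:5/min"). Returns [(time, src, accepted), ...]."""
    rate = rate_per_min / 60.0
    buckets = defaultdict(lambda: TokenBucket(rate, burst))
    decisions = []
    for t, src in arrivals:
        key = src if per_source else "*"  # "*" = one bucket for all sources
        decisions.append((t, src, buckets[key].allow(t)))
    return decisions


def dropped_sources(decisions):
    """Sorted list of SRC addresses that had at least one SYN dropped."""
    return sorted({src for _, src, ok in decisions if not ok})


if __name__ == "__main__":
    parsed = parse_log_line(SAMPLE_LOG_LINE)
    print("flags on logged packet:", parsed["FLAGS"], "dport:", parsed["DPT"])
    for label, per_src in (("5/min (shared)", False), ("s:5/min (per source)", True)):
        print(label, "drops from:", dropped_sources(simulate(SAMPLE_ARRIVALS, per_source=per_src)))
```

With the shared bucket, host A's burst exhausts the 5 tokens and host B's single SYN two seconds later is dropped as well; with the per-source form only host A is limited. That is the practical reason to prefer `s:5/min` on a public port: one noisy or hostile source otherwise rate-limits everyone.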