On 9/14/19 8:35 AM, Tom Eastep wrote:
> On 9/14/19 12:45 AM, Timo Sigurdsson wrote:
>> There are a couple of areas that might have possibly changed:
>>
>> 1) shorewall's logging behavior:
>> Maybe these packets were dropped all along but I never saw them in the logs?
>> When I upgraded the machine I updated the configuration accordingly. I
>> didn't change the log levels but I did update the default actions/macros
>> like this:
>> -DROP_DEFAULT=Drop
>> -REJECT_DEFAULT=Reject
>> +BLACKLIST_DEFAULT="Broadcast(DROP),Multicast(DROP),dropNotSyn:$LOG_LEVEL,dropInvalid:$LOG_LEVEL,DropDNSrep:$LOG_LEVEL"
>> +DROP_DEFAULT="Broadcast(DROP),Multicast(DROP)"
>> +REJECT_DEFAULT="Broadcast(DROP),Multicast(DROP)"
>>
>
> That is the cause. The deprecated Drop and Reject actions silently
> dropped these "late DNS reply" packets. To avoid masking a DDOS attack
> using such packets, they are now logged (such a DDOS attack has actually
> been observed). When seen in small numbers, they can be safely ignored.
>
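Review bot: the new DROP_DEFAULT and REJECT_DEFAULT lines no longer carry dropNotSyn, dropInvalid and DropDNSrep, which the reply says the deprecated Drop and Reject actions applied silently; only the BLACKLIST_DEFAULT line keeps them, each with an explicit `:$LOG_LEVEL`. Late DNS replies and non-SYN TCP packets that reach the DROP/REJECT policies therefore now fall through to whatever logging those policies have instead of being discarded quietly. Since the reply states that this logging is deliberate (so a flood of such packets is not masked), the change to keep is the logging; note the new behaviour for whoever reviews the logs and watch the per-source volume rather than treating each entry as a fault.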
I should add that Drop and Reject also dropped TCP packets that were in
the NEW conntrack state but were not SYN packets; that is why you are
seeing the TCP packets being logged.

-Tom
--
Tom Eastep        \   Q: What do you get when you cross a mobster with
Shoreline,         \     an international standard?
Washington, USA     \ A: Someone who makes you an offer you can't
http://shorewall.org \   understand
                      \_______________________________________________
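The triage Tom describes above (a handful of logged late DNS replies and non-SYN TCP drops is noise, a flood of them is worth noticing) can be automated over the firewall log. The script below is an added example, not part of the original thread and not Shorewall's own code. It assumes the default-style log prefix `Shorewall:<chain>:<disposition>:` followed by the usual netfilter `KEY=value` fields; the chain names, addresses and log lines are constructed for the example, and the flood threshold of 20 packets per source is an arbitrary starting point.

```python
"""Triage Shorewall DROP log lines: a trickle of late DNS replies or non-SYN
TCP packets is ignorable, a large count from one source may be a flood.

Added example, not Shorewall's own code.  The prefix layout
"Shorewall:<chain>:<disposition>:" is an assumption; adjust PREFIX_RE to
the LOGFORMAT in your shorewall.conf if it differs.
"""
import re
from collections import Counter

PREFIX_RE = re.compile(
    r"Shorewall:(?P<chain>[^:\s]+):(?P<disposition>[^:\s]+):(?P<fields>.*)$"
)
KV_RE = re.compile(r"\b(\w+)=(\S*)")            # IN=eth0 OUT= SRC=... fields
TCP_FLAG_RE = re.compile(r"\b(SYN|ACK|FIN|RST|PSH|URG)\b")  # bare flag tokens

# Constructed sample log: three ordinary drops, one accept, then a burst of
# late DNS replies from a single source.
TRICKLE = """\
Sep 14 08:30:01 fw kernel: Shorewall:DropDNSrep:DROP:IN=eth0 OUT= SRC=198.51.100.7 DST=203.0.113.2 LEN=78 PROTO=UDP SPT=53 DPT=41522 LEN=58
Sep 14 08:30:05 fw kernel: Shorewall:dropNotSyn:DROP:IN=eth0 OUT= SRC=198.51.100.9 DST=203.0.113.2 LEN=40 PROTO=TCP SPT=443 DPT=51234 WINDOW=0 RES=0x00 ACK URGP=0
Sep 14 08:30:09 fw kernel: Shorewall:net-fw:DROP:IN=eth0 OUT= SRC=198.51.100.11 DST=203.0.113.2 LEN=60 PROTO=TCP SPT=54321 DPT=22 WINDOW=1024 RES=0x00 SYN URGP=0
Sep 14 08:30:12 fw kernel: Shorewall:net-fw:ACCEPT:IN=eth0 OUT= SRC=198.51.100.13 DST=203.0.113.2 LEN=60 PROTO=TCP SPT=40000 DPT=80 WINDOW=1024 RES=0x00 SYN URGP=0
"""
FLOOD = "\n".join(
    f"Sep 14 08:31:{i % 60:02d} fw kernel: Shorewall:DropDNSrep:DROP:IN=eth0 OUT= "
    f"SRC=192.0.2.50 DST=203.0.113.2 LEN=78 PROTO=UDP SPT=53 DPT={40000 + i} LEN=58"
    for i in range(25)
)
SAMPLE_LOG = TRICKLE + FLOOD + "\n"


def parse_line(line):
    """Return the chain, disposition and packet fields of one Shorewall log
    line, or None when the line carries no Shorewall prefix."""
    m = PREFIX_RE.search(line)
    if not m:
        return None
    fields = dict(KV_RE.findall(m.group("fields")))
    return {
        "chain": m.group("chain"),
        "disposition": m.group("disposition"),
        "src": fields.get("SRC", ""),
        "proto": fields.get("PROTO", ""),
        "spt": fields.get("SPT", ""),
        "dpt": fields.get("DPT", ""),
        "flags": set(TCP_FLAG_RE.findall(m.group("fields"))),
    }


def classify(rec):
    """Name the two packet classes the thread discusses: a UDP reply from
    source port 53 (late DNS reply) or a TCP packet whose flags lack SYN."""
    if rec["proto"] == "UDP" and rec["spt"] == "53":
        return "late-dns-reply"
    if rec["proto"] == "TCP" and "SYN" not in rec["flags"]:
        return "non-syn-tcp"
    return "other"


def triage(log_text, flood_threshold=20):
    """Count DROP lines per (class, source) and flag pairs at or above the
    threshold as possible floods; smaller counts are the ignorable noise."""
    counts = Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["disposition"] != "DROP":
            continue
        counts[(classify(rec), rec["src"])] += 1
    floods = sorted(
        (cls, src, n)
        for (cls, src), n in counts.items()
        if cls != "other" and n >= flood_threshold
    )
    return {"counts": counts, "floods": floods}


if __name__ == "__main__":
    result = triage(SAMPLE_LOG)
    for cls, src, n in result["floods"]:
        print(f"possible flood: {n} {cls} packets from {src}")
```

Run it against `/var/log/messages` (or wherever your kernel log lands) by reading the file into `triage`; the `floods` list is what deserves attention, while the remaining `counts` entries are the small numbers the thread says can be ignored.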
_______________________________________________
Shorewall-users mailing list
Shorewall-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shorewall-users