Hi Tom,

Tom Eastep wrote on 15.09.2019 00:43:
> On 9/14/19 8:35 AM, Tom Eastep wrote:
>> On 9/14/19 12:45 AM, Timo Sigurdsson wrote:
>>> There are a couple of areas that might have possibly changed:
>>>
>>> 1) shorewall's logging behavior:
>>> Maybe these packets were dropped all along but I never saw them in the logs?
>>> When I upgraded the machine I updated the configuration accordingly. I didn't
>>> change the log levels but I did update the default actions/macros like this:
>>> -DROP_DEFAULT=Drop
>>> -REJECT_DEFAULT=Reject
>>> +BLACKLIST_DEFAULT="Broadcast(DROP),Multicast(DROP),dropNotSyn:$LOG_LEVEL,dropInvalid:$LOG_LEVEL,DropDNSrep:$LOG_LEVEL"
>>> +DROP_DEFAULT="Broadcast(DROP),Multicast(DROP)"
>>> +REJECT_DEFAULT="Broadcast(DROP),Multicast(DROP)"
>>>
>>
>> That is the cause. The deprecated Drop and Reject actions silently
>> dropped these "late DNS reply" packets. To avoid masking a DDOS attack
>> using such packets, they are now logged (such a DDOS attack has actually
>> been observed). When seen in small numbers, they can be safely ignored.
>>
>
> I should add that Drop and Reject also dropped TCP packets that were in
> the NEW conntrack state but were not SYN packets; that is why you are
> seeing the TCP packets being logged.

Thanks, that clears it up. The rejected packets are few, so nothing to worry about for me.

Regards,
Timo

_______________________________________________
Shorewall-users mailing list
Shorewall-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shorewall-users
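Since the point of the new logging is that a few DropDNSrep or dropNotSyn entries are harmless while a flood from one source is not, here is an added example (not from the thread or from Shorewall itself) that counts such drops per source over constructed sample log lines; it assumes the default LOGFORMAT shape "Shorewall:<chain>:<disposition>:" and made-up addresses.

```python
import re
from collections import Counter

# Constructed sample lines in the shape Shorewall's default LOGFORMAT
# ("Shorewall:<chain>:<disposition>:") produces; the action chain names are
# the ones from BLACKLIST_DEFAULT above, the addresses and ports are made up.
SAMPLE_LOG = """\
kernel: Shorewall:DropDNSrep:DROP:IN=eth0 OUT= SRC=192.0.2.10 DST=198.51.100.5 PROTO=UDP SPT=53 DPT=41234
kernel: Shorewall:dropNotSyn:DROP:IN=eth0 OUT= SRC=192.0.2.11 DST=198.51.100.5 PROTO=TCP SPT=443 DPT=51000
kernel: Shorewall:DropDNSrep:DROP:IN=eth0 OUT= SRC=203.0.113.7 DST=198.51.100.5 PROTO=UDP SPT=53 DPT=41235
kernel: Shorewall:DropDNSrep:DROP:IN=eth0 OUT= SRC=203.0.113.7 DST=198.51.100.5 PROTO=UDP SPT=53 DPT=41236
kernel: Shorewall:DropDNSrep:DROP:IN=eth0 OUT= SRC=203.0.113.7 DST=198.51.100.5 PROTO=UDP SPT=53 DPT=41237
kernel: Shorewall:net-fw:ACCEPT:IN=eth0 OUT= SRC=192.0.2.12 DST=198.51.100.5 PROTO=TCP SPT=50000 DPT=22
"""

LINE_RE = re.compile(
    r"Shorewall:(?P<chain>[^:]+):(?P<disp>[^:]+):.*?\bSRC=(?P<src>\S+).*?\bPROTO=(?P<proto>\S+)"
)

def parse_line(line):
    """Return (chain, disposition, src, proto) for a Shorewall log line, else None."""
    m = LINE_RE.search(line)
    if not m:
        return None
    return m.group("chain"), m.group("disp"), m.group("src"), m.group("proto")

def count_drops(log_text, chains=("DropDNSrep", "dropNotSyn", "dropInvalid")):
    """Count dropped packets per (action chain, source address)."""
    counts = Counter()
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed and parsed[0] in chains and parsed[1] == "DROP":
            counts[(parsed[0], parsed[2])] += 1
    return counts

def noisy_sources(log_text, threshold=3):
    """Sources whose drop count in one action chain reaches the threshold."""
    return {k: v for k, v in count_drops(log_text).items() if v >= threshold}

if __name__ == "__main__":
    # With the sample above only 203.0.113.7 crosses the threshold.
    for (chain, src), n in sorted(noisy_sources(SAMPLE_LOG).items()):
        print(f"{chain}: {n} packets from {src}")
```

The threshold is arbitrary; in practice you would feed a time window of /var/log/kern.log (or wherever your LOGFILE points) and tune it to your normal background of late DNS replies.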