On 3/23/2020 11:40 AM, Vieri Di Paola wrote:
> Hi,
> I set up my Shorewall gateway with the following logic:
> - accept incoming connections for ports tcp 443, 80, and several others.
> - all other connection attempts to other ports are dropped and the
> source IP address is included in an ipset blacklist so subsequent
> connection attempts even to "legit" open ports are dropped for x
> amount of time.
> In general, this works fine.
> However, once in a while I get what seem to be false positives.
> For instance a known user usually connects fine to port 443 with an
> external IP address (1.2.3.4). Somehow, at some point Shorewall
> reports the following line in the log:
> IN=ppp3 OUT= MAC= SRC=1.2.3.4 DST=4.3.2.1 LEN=72 TOS=0x00 PREC=0x00
> TTL=48 ID=46761 DF PROTO=UDP SPT=41152 DPT=58129 LEN=52 MARK=0x3

Looks like you are showing a truncated UDP log when you are talking about
TCP ports?

> The user has no idea what this UDP connection is for, and I haven't
> found any program using this port (58129 is supposed to be in the
> dynamic range).

What dynamic range and are you sure of this?
--
Matt Darfeuille <m...@shorewall.org>
Shorewall Project Committee, one of four core members
https://sourceforge.net/p/shorewall/mailman/message/36596609/
shorewall.org
_______________________________________________
Shorewall-users mailing list
Shorewall-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shorewall-users
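The two questions raised in the reply (which protocol the log line actually records, and which "dynamic range" port 58129 falls in) can be answered mechanically before a drop-and-blacklist policy acts on such a packet. The following Python parser for netfilter/Shorewall LOG lines is an added example, not code from the thread or from the Shorewall project; it assumes the Linux default ephemeral range (32768-60999) and the IANA dynamic range (49152-65535) as reference values, and uses the log line quoted above rejoined onto a single line.

```python
import re
from typing import Dict, List, Tuple

# Reference ranges (assumption: the Linux default ip_local_port_range and
# the IANA dynamic/private range). A host's real range is whatever is in
# /proc/sys/net/ipv4/ip_local_port_range and may differ from both.
PORT_RANGES = {
    "linux-default-ephemeral": (32768, 60999),
    "iana-dynamic": (49152, 65535),
}

# The line quoted in the thread, rejoined onto one line (the archive wrapped it).
SAMPLE_LINE = (
    "IN=ppp3 OUT= MAC= SRC=1.2.3.4 DST=4.3.2.1 LEN=72 TOS=0x00 PREC=0x00 "
    "TTL=48 ID=46761 DF PROTO=UDP SPT=41152 DPT=58129 LEN=52 MARK=0x3"
)

# KEY=VALUE tokens, or a bare uppercase flag such as DF (no '=' at all).
_TOKEN = re.compile(r"([A-Z]+)(?:=(\S*))?")


def parse_nf_log(line: str) -> Dict[str, object]:
    """Parse one netfilter LOG line into a dict.

    Bare flags (DF) go under 'flags'. A key that appears twice (LEN is
    logged once for the IP header and again for the UDP header) is kept
    as an ordered list so the second value does not overwrite the first.
    Empty values such as OUT= and MAC= are kept as empty strings.
    """
    fields: Dict[str, object] = {}
    flags: List[str] = []
    for m in _TOKEN.finditer(line):
        key, value = m.group(1), m.group(2)
        if value is None:  # bare flag, e.g. DF
            flags.append(key)
        elif key in fields:  # repeated key: keep both values in order
            prev = fields[key]
            fields[key] = (prev if isinstance(prev, list) else [prev]) + [value]
        else:
            fields[key] = value
    fields["flags"] = flags
    return fields


def classify_port(port: int) -> List[str]:
    """Names of the reference ranges that contain `port`."""
    return [name for name, (lo, hi) in PORT_RANGES.items() if lo <= port <= hi]


def summarize(line: str) -> Tuple[str, int, List[str]]:
    """Return (protocol, destination port, ranges containing that port)."""
    f = parse_nf_log(line)
    return str(f.get("PROTO", "?")), int(str(f["DPT"])), classify_port(int(str(f["DPT"])))


if __name__ == "__main__":
    proto, dport, ranges = summarize(SAMPLE_LINE)
    print(f"protocol={proto} dport={dport} ranges={ranges}")
```

Running it on the quoted line reports protocol UDP and destination port 58129 inside both reference ranges, which is the kind of check worth making before a single stray UDP datagram to an ephemeral port lands an otherwise legitimate address on the blacklist.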