On 4/21/20 9:13 AM, Filippo Carletti wrote:
> I'm trying to diagnose a random DROP of some packets.
> Those packets are coming from the net and should be forwarded to a
> host in loc with this shorewall-rules line:
> 
> DNAT-   net 192.168.5.252:25    tcp 25  -   80.17.99.74
> 
> Packets usually reach 192.168.5.252, but, many times a day, I find
> lines like the following logged:
> 
> Mar  3 14:48:11 nsec-primary kernel: Shorewall:net2fw:DROP:IN=en4 OUT=
> MAC=08:35:71:07:23:84:54:4b:8c:95:74:29:08:00 SRC=167.89.11.190
> DST=80.17.99.74 LEN=40 TOS=0x00 PREC=0x00 TTL=50 ID=54071 DF PROTO=TCP
> SPT=36191 DPT=25 WINDOW=0 RES=0x00 RST URGP=0 MARK=0x300
> 
> As you can see, the chain is net2fw, but the packet should have been DNATed.
> 
> I have a trace for the same packet:
> 
> Mar  3 14:48:11 nsec-primary kernel: TRACE: mangle:INPUT:policy:1
> IN=en4 OUT= MAC=08:35:71:07:23:84:54:4b:8c:95:74:29:08:00
> SRC=167.89.11.190 DST=80.17.99.74 LEN=40 TOS=0x00 PREC=0x00 TTL=50
> ID=54071 DF PROTO=TCP SPT=36191 DPT=25 SEQ=3789610332 ACK=0 WINDOW=0
> RES=0x00 RST URGP=0 MARK=0x300
> 
> When tracing, I also found packets that were correctly forwarded.
> Here's the trace for reference:
> 
> Mar  3 14:48:11 nsec-primary kernel: TRACE: mangle:FORWARD:rule:2
> IN=en4 OUT=en0 MAC=08:35:71:07:23:84:54:4b:8c:95:74:29:08:00
> SRC=167.89.11.190 DST=192.168.5.252 LEN=40 TOS=0x00 PREC=0x00 TTL=49
> ID=54072 DF PROTO=TCP SPT=36191 DPT=25 SEQ=3789610333 ACK=0 WINDOW=0
> RES=0x00 RST URGP=0 MARK=0x300
> 
> Looking at the packet ID (54072), it's a retransmission.
> 
> It seems more like a connection tracking problem, but I'm asking here
> looking for some advice on further debugging this issue.
> 
> Environment: CentOS 7, kernel 3.10.0-1062.9.1.el7.x86_64,
> shorewall-5.1.10.2-1.el7.noarch
> 

These RST packets are likely arriving after the relevant conntrack entry
has been torn down. I simply DROP (silently) all RST packets in the NEW
and INVALID states.

        RST(DROP)       all     all

-Tom
-- 
Tom Eastep        \ Q: What do you get when you cross a mobster
Shoreline,         \    with an international standard?
Washington, USA     \ A: Someone who makes you an offer you
http://shorewall.org \    can't understand
                      \________________________________________
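To separate the expected RST stragglers Tom describes from drops that actually deserve attention, here is a small log classifier (an added example, not code from the thread or from Shorewall). It parses lines in the Shorewall kernel-log format quoted above and labels a net2fw DROP of a bare RST to a DNATed port as "stale_rst", while a dropped SYN to the same port is flagged as "dnat_miss"; the set of DNATed ports, the sample lines and all addresses in them are constructed for this example.

```python
import re
from collections import Counter

# Constructed sample lines in the Shorewall kernel-log format shown in the
# thread; addresses, MACs and IDs are made up, not the thread's values.
SAMPLE_LOG = """\
Mar  3 14:48:11 fw kernel: Shorewall:net2fw:DROP:IN=en4 OUT= MAC=02:00:00:00:00:01:02:00:00:00:00:02:08:00 SRC=203.0.113.7 DST=198.51.100.2 LEN=40 TOS=0x00 PREC=0x00 TTL=50 ID=7001 DF PROTO=TCP SPT=36191 DPT=25 WINDOW=0 RES=0x00 RST URGP=0 MARK=0x300
Mar  3 14:49:02 fw kernel: Shorewall:net2fw:DROP:IN=en4 OUT= MAC=02:00:00:00:00:01:02:00:00:00:00:02:08:00 SRC=203.0.113.9 DST=198.51.100.2 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=7002 DF PROTO=TCP SPT=40000 DPT=25 WINDOW=65535 RES=0x00 SYN URGP=0
Mar  3 14:49:30 fw kernel: Shorewall:net2fw:DROP:IN=en4 OUT= MAC=02:00:00:00:00:01:02:00:00:00:00:02:08:00 SRC=203.0.113.9 DST=198.51.100.2 LEN=40 TOS=0x00 PREC=0x00 TTL=52 ID=7003 DF PROTO=TCP SPT=40001 DPT=22 WINDOW=1024 RES=0x00 SYN URGP=0
Mar  3 14:50:00 fw kernel: unrelated message
"""

TCP_FLAGS = {"SYN", "ACK", "FIN", "RST", "PSH", "URG"}
LOG_RE = re.compile(r"Shorewall:(?P<chain>[^:]+):(?P<action>[^:]+):(?P<rest>.*)")


def parse_shorewall_line(line):
    """Parse one Shorewall kernel-log line into a dict of fields plus a set of TCP flags.
    Bare tokens such as RST or SYN are flags; key=value tokens become fields.
    Returns None for lines that are not Shorewall log entries."""
    m = LOG_RE.search(line)
    if not m:
        return None
    rec = {"chain": m.group("chain"), "action": m.group("action"), "flags": set()}
    for tok in m.group("rest").split():
        if "=" in tok:
            key, value = tok.split("=", 1)
            rec[key] = value
        elif tok in TCP_FLAGS:
            rec["flags"].add(tok)
    return rec


def classify(rec, dnat_ports):
    """Label a record. A RST (without SYN) dropped in net2fw for a DNATed port
    is the post-teardown straggler discussed in the thread; a SYN dropped there
    means a new connection to a forwarded port missed the DNAT and needs a look."""
    if rec is None or rec.get("PROTO") != "TCP" or rec["action"] != "DROP":
        return "other"
    if rec["chain"] != "net2fw" or rec.get("DPT") not in dnat_ports:
        return "other"
    if "RST" in rec["flags"] and "SYN" not in rec["flags"]:
        return "stale_rst"   # candidate for a silent RST(DROP) rule
    if "SYN" in rec["flags"]:
        return "dnat_miss"   # worth investigating, not RST noise
    return "other"


def summarize(log_text, dnat_ports):
    """Count how many log lines fall into each category."""
    counts = Counter()
    for line in log_text.splitlines():
        counts[classify(parse_shorewall_line(line), dnat_ports)] += 1
    return dict(counts)
```

Run `summarize(SAMPLE_LOG, {"25"})` against the constructed sample to get one stale_rst, one dnat_miss and two other lines; a real deployment would feed `/var/log/messages` and the ports from the DNAT rules instead.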

_______________________________________________
Shorewall-users mailing list
Shorewall-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shorewall-users