On 12/9/20 6:10 AM, kAja Ziegler wrote:
> Hello Shorewall users,
>
> - interface:
> net eth0
> arp_filter,dhcp,logmartians,nosmurfs,routefilter=2,tcpflags
>
> - rules:
> ?SECTION NEW
> HTTP(ACCEPT) net fw
> HTTPS(ACCEPT) net fw
> IMAP(ACCEPT) net fw
> IMAPS(ACCEPT) net fw
> POP3(ACCEPT) net fw
> POP3S(ACCEPT) net fw
> SMTP(ACCEPT) net fw
> SMTPS(ACCEPT) net fw
> Submission(ACCEPT) net fw
>
> - but logs contain outgoing REJECT messages like these:
>
> - with flags ACK
> kernel: SW4:fw-net:REJECT:IN= OUT=eth0 SRC=10.1.2.3 DST=31.x.y.z LEN=1500 TOS=0x00 PREC=0x00 TTL=64 ID=57180 DF PROTO=TCP SPT=110 DPT=22390 WINDOW=211 RES=0x00 ACK URGP=0
> kernel: SW4:fw-net:REJECT:IN= OUT=eth0 SRC=10.1.2.3 DST=89.x.y.z LEN=1384 TOS=0x00 PREC=0x00 TTL=64 ID=35530 DF PROTO=TCP SPT=443 DPT=13007 WINDOW=386 RES=0x00 ACK URGP=0
>
> - with flags ACK FIN
> kernel: SW4:fw-net:REJECT:IN= OUT=eth0 SRC=10.1.2.3 DST=89.x.y.z LEN=40 TOS=0x00 PREC=0x00 TTL=64 ID=14955 DF PROTO=TCP SPT=443 DPT=20194 WINDOW=211 RES=0x00 ACK FIN URGP=0
>
> - with flags ACK PSH
> kernel: SW4:fw-net:REJECT:IN= OUT=eth0 SRC=10.1.2.3 DST=89.x.y.z LEN=71 TOS=0x00 PREC=0x00 TTL=64 ID=63142 DF PROTO=TCP SPT=443 DPT=32827 WINDOW=279 RES=0x00 ACK PSH URGP=0
> kernel: SW4:fw-net:REJECT:IN= OUT=eth0 SRC=10.1.2.3 DST=78.x.y.z LEN=412 TOS=0x00 PREC=0x00 TTL=64 ID=28545 DF PROTO=TCP SPT=993 DPT=40937 WINDOW=219 RES=0x00 ACK PSH URGP=0
>
> - with flags ACK PSH FIN
> kernel: SW4:fw-net:REJECT:IN= OUT=eth0 SRC=10.194.115.57 DST=89.x.y.z LEN=64 TOS=0x00 PREC=0x00 TTL=64 ID=36772 DF PROTO=TCP SPT=443 DPT=43229 WINDOW=368 RES=0x00 ACK PSH FIN URGP=0
> kernel: SW4:fw-net:REJECT:IN= OUT=eth0 SRC=10.194.115.57 DST=89.x.y.z LEN=169 TOS=0x00 PREC=0x00 TTL=64 ID=53920 DF PROTO=TCP SPT=993 DPT=13648 WINDOW=227 RES=0x00 ACK PSH FIN URGP=0
> kernel: SW4:fw-net:REJECT:IN= OUT=eth0 SRC=10.194.115.57 DST=37.x.y.z LEN=83 TOS=0x00 PREC=0x00 TTL=64 ID=44761 DF PROTO=TCP SPT=995 DPT=10384 WINDOW=219 RES=0x00 ACK PSH FIN URGP=0
>
> - with flags RST
> kernel: SW4:fw-net:REJECT:IN= OUT=eth0 SRC=10.1.2.3 DST=37.x.y.z LEN=40 TOS=0x00 PREC=0x00 TTL=64 ID=59890 DF PROTO=TCP SPT=443 DPT=54679 WINDOW=0 RES=0x00 RST URGP=0
> kernel: SW4:fw-net:REJECT:IN= OUT=eth0 SRC=10.1.2.3 DST=37.x.y.z LEN=40 TOS=0x00 PREC=0x00 TTL=64 ID=3610 DF PROTO=TCP SPT=993 DPT=37641 WINDOW=0 RES=0x00 RST URGP=0
>
>
> What could be the problem? In my opinion, these are not invalid packets.
> Some problem with connection tracking?
>
> But I have to admit, I'm using an old version of Shorewall 5.1.10.2.
>
> Thanks in advance for the help and with best regards
I work around this as follows:

BLACKLIST_DEFAULT="NotSyn(DROP):$LOG_LEVEL,FIN(ACCEPT),RST(ACCEPT)"
DROP_DEFAULT="Broadcast(DROP),Multicast(DROP),FIN(ACCEPT),RST(ACCEPT)"
REJECT_DEFAULT="Broadcast(DROP),Multicast(DROP),FIN(ACCEPT),RST(ACCEPT)"

I haven't seen any issues with ACK PSH packets, but you could handle those by adding an ACKPSH action and adding its invocation ("ACKPSH(ACCEPT)") to the above settings.

/etc/shorewall/actions:

ACKPSH inline

/etc/shorewall/action.ACKPSH:

DEFAULTS ACCEPT,-

@1 - - ;;+ -p 6 --tcp-flags ACK,PSH ACK,PSH

-Tom

--
Tom Eastep          \   Q: What do you get when you cross a mobster
Shoreline,           \     with an international standard?
Washington, USA       \  A: Someone who makes you an offer you
http://shorewall.org   \   can't understand
                        \________________________________________
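Added example, not part of the thread and not Shorewall code: a small Python triage helper that parses the netfilter log format quoted above, pulls out the bare TCP flag words, and separates ordinary policy hits on new connections (SYN) from non-SYN packets that reached the fw-net chain without a matching conntrack entry, the class of traffic the NotSyn/FIN/RST handling above is aimed at. The sample lines are constructed in the post's format (DST addresses masked as there); SERVICE_PORTS is my assumption, taken from the standard port numbers behind the macros in the poster's rules.

```python
import re
from collections import Counter

# Ports the poster's rules accept on fw, using the standard Shorewall macro
# definitions (HTTP 80, HTTPS 443, IMAP 143, IMAPS 993, POP3 110, POP3S 995,
# SMTP 25, SMTPS 465, Submission 587). Assumption, not taken from the thread.
SERVICE_PORTS = {25, 80, 110, 143, 443, 465, 587, 993, 995}
TCP_FLAGS = {"CWR", "ECE", "URG", "ACK", "PSH", "RST", "SYN", "FIN"}
_KV = re.compile(r"\b([A-Z]+)=(\S*)")
_CHAIN = re.compile(r"(?:SW\d+:)?(\S+?):(ACCEPT|DROP|REJECT):")

# Constructed sample modelled on the post's lines; the last one is a plain SYN.
SAMPLE_LOG = """\
kernel: SW4:fw-net:REJECT:IN= OUT=eth0 SRC=10.1.2.3 DST=31.x.y.z LEN=1500 TOS=0x00 PREC=0x00 TTL=64 ID=57180 DF PROTO=TCP SPT=110 DPT=22390 WINDOW=211 RES=0x00 ACK URGP=0
kernel: SW4:fw-net:REJECT:IN= OUT=eth0 SRC=10.1.2.3 DST=89.x.y.z LEN=40 TOS=0x00 PREC=0x00 TTL=64 ID=14955 DF PROTO=TCP SPT=443 DPT=20194 WINDOW=211 RES=0x00 ACK FIN URGP=0
kernel: SW4:fw-net:REJECT:IN= OUT=eth0 SRC=10.1.2.3 DST=37.x.y.z LEN=40 TOS=0x00 PREC=0x00 TTL=64 ID=59890 DF PROTO=TCP SPT=443 DPT=54679 WINDOW=0 RES=0x00 RST URGP=0
kernel: SW4:fw-net:REJECT:IN= OUT=eth0 SRC=10.1.2.3 DST=37.x.y.z LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=4242 DF PROTO=TCP SPT=51000 DPT=80 WINDOW=64240 RES=0x00 SYN URGP=0
"""

def parse_line(line):
    """Extract chain, disposition, addresses, ports and TCP flags from one log line."""
    m = _CHAIN.search(line)
    fields = dict(_KV.findall(line))
    if not m or fields.get("PROTO") != "TCP":
        return None
    # Flag names appear as bare tokens between RES=... and URGP=...
    flags = {tok for tok in line.split() if tok in TCP_FLAGS}
    return {"chain": m.group(1), "disp": m.group(2), "src": fields["SRC"],
            "dst": fields["DST"], "spt": int(fields["SPT"]), "dpt": int(fields["DPT"]),
            "flags": flags}

def classify(rec):
    """Say what kind of packet hit the policy chain, judged from its TCP flags."""
    f = rec["flags"]
    if rec["disp"] != "REJECT":
        return "not-a-reject"
    if "SYN" in f and "ACK" not in f:
        return "new-connection:policy"  # ordinary policy hit, not a tracking issue
    # A non-SYN packet only reaches fw-net when the RELATED,ESTABLISHED fast
    # path did not match it, i.e. conntrack had no entry for this flow.
    kind = "rst" if "RST" in f else "fin" if "FIN" in f else "ack-psh"
    origin = "local-service-reply" if rec["spt"] in SERVICE_PORTS else "unknown-flow"
    return f"untracked-{kind}:{origin}"

def summarize(log_text):
    """Count classifications over a whole log extract."""
    recs = filter(None, (parse_line(l) for l in log_text.splitlines()))
    return Counter(classify(r) for r in recs)
```

Running summarize() over a real extract shows at a glance whether the REJECTs are late replies from the accepted services (source port 110/443/993/995 as in the post) or genuine outbound connection attempts blocked by policy.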
_______________________________________________
Shorewall-users mailing list
Shorewall-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shorewall-users