Hi, I believe this topic was dealt with some time ago here: https://sourceforge.net/p/shorewall/mailman/shorewall-users/thread/CABLYT9j-KvM0JEwxoZ3xppoL5yxZqQe6qyEj0_wJJ8eecyE3nA%40mail.gmail.com/#msg37123538
Here is my rules file:

# cat /etc/shorewall/rules
?SECTION ALL
?IF $FW_TYPE
INCLUDE /opt/fw/${FW_TYPE}_extra/rules.SECTION_ALL.FHM
?ENDIF
?SECTION ESTABLISHED
?IF $FW_TYPE
INCLUDE /opt/fw/${FW_TYPE}_extra/rules.SECTION_ESTABLISHED.FHM
?ENDIF
?SECTION RELATED
?IF $FW_TYPE
INCLUDE /opt/fw/${FW_TYPE}_extra/rules.SECTION_RELATED.FHM
?ENDIF
?SECTION INVALID
# accept FIN and RST to avoid DROP messages when conntrack entries are deleted (need to be in NEW and INVALID)
FIN(ACCEPT) { SOURCE=all, DEST=all }
RST(ACCEPT) { SOURCE=all, DEST=all }
?SECTION UNTRACKED
?SECTION NEW
# accept FIN and RST to avoid DROP messages when conntrack entries are deleted (need to be in NEW and INVALID)
FIN(ACCEPT) { SOURCE=all, DEST=all }
RST(ACCEPT) { SOURCE=all, DEST=all }
?IF $FW_TYPE
INCLUDE /opt/fw/${FW_TYPE}_extra/rules.SECTION_NEW.FHM
?ENDIF

However, I'm still getting messages like this one:

kernel: Shorewall:wan-lan1:DROP:IN=wan OUT=lan.1 MAC=ac:1f:6b:9b:85:06:30:85:a9:8e:b6:ab:08:00 SRC=52.114.128.43 DST=10.215.246.222 LEN=40 TOS=0x00 PREC=0x00 TTL=63 ID=13414 DF PROTO=TCP SPT=443 DPT=50137 WINDOW=187 RES=0x00 ACK URGP=0

Please note that lan.1 to wan HTTPS traffic on port 443 is allowed.

I'm worried that these dropped ACKs may be causing some specific software failures. How can I make sure they are not dropped? Or are they normal side-effects if the ACK came in way too late?

Vieri

_______________________________________________
Shorewall-users mailing list
Shorewall-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shorewall-users
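To tell late replies like the one in the question apart from other drops when reading a Shorewall log, here is an added Python example; it is not part of Vieri's post and not Shorewall's own code. It parses Shorewall kernel log lines into their key=value fields and TCP flag tokens, reports whether a packet sets FIN or RST at all (the condition any FIN- or RST-keyed rule needs; the quoted packet carries only ACK), and tags a packet from a server port to an ephemeral port with ACK but no SYN as the tail of a connection conntrack has already forgotten. The first sample line is the one quoted above; the other two are constructed, and the port threshold and the labels are this example's own heuristics.

```python
import re
from collections import Counter
from dataclasses import dataclass
from typing import Dict, FrozenSet, Optional

# TCP flags as the netfilter LOG target prints them: bare tokens, not key=value.
TCP_FLAGS = frozenset({"CWR", "ECE", "URG", "ACK", "PSH", "RST", "SYN", "FIN"})

# "Shorewall:<chain>:<disposition>:" followed by the netfilter field dump.
PREFIX_RE = re.compile(r"Shorewall:(?P<chain>[^:\s]+):(?P<disp>[A-Za-z_]+):(?P<rest>.*)")

# Constructed sample: line 1 is the one quoted in the post; lines 2 and 3 are
# made-up variants (RFC 5737 addresses) that exercise the other branches.
SAMPLE_LOG = """\
kernel: Shorewall:wan-lan1:DROP:IN=wan OUT=lan.1 MAC=ac:1f:6b:9b:85:06:30:85:a9:8e:b6:ab:08:00 SRC=52.114.128.43 DST=10.215.246.222 LEN=40 TOS=0x00 PREC=0x00 TTL=63 ID=13414 DF PROTO=TCP SPT=443 DPT=50137 WINDOW=187 RES=0x00 ACK URGP=0
kernel: Shorewall:wan-lan1:DROP:IN=wan OUT=lan.1 MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=198.51.100.7 DST=10.215.246.222 LEN=40 TOS=0x00 PREC=0x00 TTL=60 ID=7 DF PROTO=TCP SPT=443 DPT=50138 WINDOW=0 RES=0x00 ACK FIN URGP=0
kernel: Shorewall:net-fw:DROP:IN=wan OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.9 DST=10.215.246.222 LEN=60 TOS=0x00 PREC=0x00 TTL=50 ID=9 DF PROTO=TCP SPT=40000 DPT=22 WINDOW=65535 RES=0x00 SYN URGP=0
"""


@dataclass
class Entry:
    chain: str                  # zone pair the packet traversed, e.g. "wan-lan1"
    disposition: str            # e.g. "DROP"
    fields: Dict[str, str]      # key=value tokens (IN, OUT, SRC, DST, SPT, DPT, ...)
    flags: FrozenSet[str]       # TCP flag tokens present in the line


def parse_line(line: str) -> Optional[Entry]:
    """Parse one Shorewall kernel log line; return None for anything else."""
    m = PREFIX_RE.search(line)
    if m is None:
        return None
    fields: Dict[str, str] = {}
    flags = set()
    for tok in m.group("rest").split():
        if "=" in tok:
            key, value = tok.split("=", 1)
            fields[key] = value
        elif tok in TCP_FLAGS:
            flags.add(tok)
        else:
            fields[tok] = ""    # bare IP-level markers such as DF (don't fragment)
    return Entry(m.group("chain"), m.group("disp"), fields, frozenset(flags))


def carries_fin_or_rst(e: Entry) -> bool:
    """True only if FIN or RST is set; a bare ACK never satisfies a FIN- or RST-keyed rule."""
    return bool(e.flags & {"FIN", "RST"})


def classify(e: Entry) -> str:
    """Label a dropped packet from the logged fields alone (heuristic labels of this example)."""
    if e.fields.get("PROTO") != "TCP":
        return "non-tcp"
    sport = int(e.fields.get("SPT", "0"))
    dport = int(e.fields.get("DPT", "0"))
    if e.flags == {"SYN"}:
        return "unsolicited-syn"          # a fresh inbound connection attempt
    if "ACK" in e.flags and "SYN" not in e.flags and sport < 1024 and dport >= 1024:
        # Reply direction of a client->server flow (server port to ephemeral port) with
        # no SYN: conntrack no longer tracks the flow, so the packet falls into INVALID.
        return "late-reply-from-server"
    if "RST" in e.flags:
        return "reset"
    return "other"


def summarize(log_text: str) -> Counter:
    """Count DROP entries per label across a whole log excerpt."""
    entries = [e for e in map(parse_line, log_text.splitlines()) if e is not None]
    return Counter(classify(e) for e in entries if e.disposition == "DROP")


if __name__ == "__main__":
    for e in filter(None, map(parse_line, SAMPLE_LOG.splitlines())):
        print(e.chain, e.disposition, sorted(e.flags), classify(e),
              "FIN/RST rule could match:", carries_fin_or_rst(e))
    print(dict(summarize(SAMPLE_LOG)))
```

Run against a real log excerpt, the counter separates conntrack tail drops (which only clutter the log) from unsolicited inbound SYNs and from anything else worth a closer look, and carries_fin_or_rst shows directly which dropped packets a FIN- or RST-based ACCEPT could ever have matched.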