Hi, the one message you included is a normal response message from your web server to the client. The client (some random user on the Internet) has made a request with destination port 443 and a random source port, 37615. Apache replied with source port 443 and destination port 37615, that is completely normal.
With such limited information we can't see why there is a REJECT, plus you say the web server is working fine, so there is something else going on. Some comments:

(1) It's recommended to use HTTP(ACCEPT) and HTTPS(ACCEPT) rather than Web(ACCEPT), which just combines the two.

(2) You only need rules for the incoming traffic. I think they should be:

HTTPS(ACCEPT) net $FW
HTTP(ACCEPT) net $FW

($FW refers to the firewall zone.)

(3) Return traffic from the web server to the client is automatically permitted because of "connection tracking" - it's an established TCP connection. You may have some other rule that is blocking that (but then, the web server would not be working from the client's viewpoint).

(4) To see what's actually happening you can do an iptrace. First make sure that logging is enabled in iptables (might be different depending on your distro):

sudo modprobe nf_log_ipv4
sudo sysctl net.netfilter.nf_log.2=nf_log_ipv4

Then, to see exactly how the return traffic from your web server is being processed by iptables:

shorewall iptrace -p tcp --sport 443 -d your-client's-ip-address

And to stop it:

shorewall noiptrace -p tcp --sport 443 -d your-client's-ip-address

You will need to know a bit about how iptables works; if you don't, there are various handy flowcharts you can find by googling.

On Thu, Oct 26, 2023 at 5:19 AM Christophe PEREZ <ch...@novazur.fr> wrote:
> Hi,
>
> On one machine, I have a web server running (apache) and responding on
> ports 80 and 443. On this machine, I have a firewall (shorewall) which
> blocks EVERYTHING except what I authorize, and I therefore have the rules
> (I have many others, but which are off topic here, so I keep it simple):
>
> ?SECTION NEW
> Web(ACCEPT) net fw
> Web(ACCEPT) fw net
>
> Everything works perfectly. EXCEPT that in the firewall logs, I realize
> that I have lots of outgoing requests rejected with SOURCE ports 80 and
> 443. And I don't understand why these requests are sent, nor why rejecting
> them is not at all blocking the operation of the web server.
>
> Oct 26 03:57:04 myserver kernel: [1567341.969608] fw-net REJECT IN=
> OUT=eth0 SRC=myipserver DST=oneclientip LEN=40 TOS=0x00 PREC=0x00 TTL=64
> ID=0 DF PROTO=TCP SPT=443 DPT=37615 WINDOW=0 RES=0x00 RST URGP=0
>
> Note that I have exactly the same question with the mail server and ports
> 25,110,143,465,993,995.
>
> I'm trying to understand, not necessarily to correct something if it's not
> useful.
>
>
> _______________________________________________
> Shorewall-users mailing list
> Shorewall-users@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/shorewall-users
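As an added example (not code from the thread or from Shorewall), a small Python parser for the kernel log line format quoted in the question: it splits each line into the Shorewall prefix (zone chain and disposition), its KEY=VALUE fields and the bare flag tokens, then labels packets that this host generated itself (empty IN=) and that carry the TCP RST flag, so a log can be tallied by source port before running iptrace. The sample lines are constructed; the host names and the second and third lines are made up.

```python
import re
from collections import Counter

# Bare TCP/IP flag tokens that netfilter prints without an '='.
FLAG_TOKENS = {"DF", "MF", "CE", "SYN", "ACK", "PSH", "FIN", "RST", "URG"}
KV_RE = re.compile(r"(\w+)=(\S*)")
PREFIX_RE = re.compile(r"kernel:\s*(?:\[[^\]]*\]\s*)?(.*?)\s*IN=")

# Constructed sample lines: the first mirrors the one quoted in the question,
# the others are made up (a mail-server RST and an inbound SYN drop).
SAMPLE_LINES = [
    "Oct 26 03:57:04 myserver kernel: [1567341.969608] fw-net REJECT IN= OUT=eth0 "
    "SRC=myipserver DST=oneclientip LEN=40 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF "
    "PROTO=TCP SPT=443 DPT=37615 WINDOW=0 RES=0x00 RST URGP=0",
    "Oct 26 04:01:10 myserver kernel: [1567587.120000] fw-net REJECT IN= OUT=eth0 "
    "SRC=myipserver DST=oneclientip LEN=40 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF "
    "PROTO=TCP SPT=25 DPT=51022 WINDOW=0 RES=0x00 RST URGP=0",
    "Oct 26 04:02:33 myserver kernel: [1567670.300000] net-fw DROP IN=eth0 OUT= "
    "SRC=oneclientip DST=myipserver LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=12345 DF "
    "PROTO=TCP SPT=40000 DPT=22 WINDOW=64240 RES=0x00 SYN URGP=0",
]

def parse_nflog(line):
    """Split a netfilter log line into its Shorewall prefix, KEY=VALUE fields and flags."""
    m = PREFIX_RE.search(line)
    prefix = m.group(1).strip() if m else ""      # e.g. 'fw-net REJECT'
    body = line[line.index("IN="):] if "IN=" in line else ""
    fields = dict(KV_RE.findall(body))            # 'IN' maps to '' when empty
    flags = {tok for tok in body.split() if tok in FLAG_TOKENS}
    return {"prefix": prefix, "fields": fields, "flags": flags}

def classify(parsed):
    """Coarse triage label; an empty IN= means the packet left this host itself."""
    f, flags = parsed["fields"], parsed["flags"]
    if f.get("PROTO") != "TCP":
        return "other"
    if f.get("IN", "") == "" and "RST" in flags:
        return "local-rst"       # a TCP reset sent by this host itself
    if "SYN" in flags and "ACK" not in flags:
        return "new-syn"         # a connection attempt, not return traffic
    return "other"

def summarize(lines):
    """Count logged packets by (prefix, proto, source port, label) for triage."""
    counts = Counter()
    for line in lines:
        p = parse_nflog(line)
        counts[(p["prefix"], p["fields"].get("PROTO"), p["fields"].get("SPT"), classify(p))] += 1
    return counts

if __name__ == "__main__":
    for key, n in sorted(summarize(SAMPLE_LINES).items()):
        print(n, *key)
```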