On 11/30/2016 03:41 AM, Vieri Di Paola wrote:
> 
> 
> ----- Original Message ----- From: Tom Eastep
> <teas...@shorewall.net>
>> Configure ipset-based dynamic blacklisting:
>>
>> DYNAMIC_BLACKLIST=ipset-only,timeout=3600::info
>>
>> then put this at the bottom of your rules:
>>
>> ADD(SW_DBL4,src)    net    $FW
> 
> 
> I seem to have a few issues with the ipset-based solution.
> 
> The first is really not that important:
> 
> # grep IPSET /etc/shorewall/shorewall.conf
> IPSET=
> IPSET_WARNINGS=Yes
> SAVE_IPSETS=No
> 
> After a shorewall restart I can list the ipset and it has hundreds
> of entries:
> 
> # ipset list SW_DBL4
> 
> Shouldn't it have been cleared out?

No.

> I actually prefer to set SAVE_IPSETS=Yes and then manually flush
> the ipset whenever I want to. I'm just wondering if this config
> variable applies to SW_* ipsets.

Yes, it does.

> 
> The second issue is described below.
> 
> The policy file contains:
>
> net3    $FW    DROP    info
> net3    loc    DROP    info
> net2    $FW    DROP    info
> net2    loc    DROP    info
> net1    $FW    DROP    info
> net3    loc    DROP    info
> 
> shorewall.conf has: 
> DYNAMIC_BLACKLIST=ipset-only,timeout=3600::info
> 
> rules file contains among many other entries:
>
> [...]
> DNAT      net1    loc:10.215.144.91    tcp    25    -    -    3/sec:10
> DNAT      net2    loc:10.215.144.91    tcp    25    -    -    3/sec:10
> ACCEPT    net3    $FW                  tcp    25    -    -    3/sec:10
> [...]
> ACCEPT    net2    $FW                  tcp    <some_other_port>
> [...]
> ADD(SW_DBL4:src)    net1    $FW
> ADD(SW_DBL4:src)    net2    $FW
> ADD(SW_DBL4:src)    net3    $FW
> 
> In the shorewall log I can see DROP messages concerning port 25
> such as:
> 
> Shorewall:dbl_log:DROP:IN=enp0s12 OUT= SRC=IP1 DST=192.168.100.2 LEN=40 TOS=0x00 PREC=0x00 TTL=121 ID=28878 DF PROTO=TCP SPT=7309 DPT=25 WINDOW=0 RES=0x00 RST URGP=0 MARK=0x2
> 
> # ipset list SW_DBL4 | grep IP1
> IP1 timeout 3541 packets 1 bytes 48
> 
> Since 192.168.100.2 is net2's NIC address on $FW, I'm guessing IP1
> was blacklisted because there's no explicit rule for traffic from
> net2 to $FW on port 25 so it reaches ADD(SW_DBL4:src) net2 $FW. 
> However, I'm not really sure about this. If the host at IP1 tried
> to connect for the first time to the net2 external interface, it
> should have succeeded and established an SMTP link to an internal
> server (DNAT). As I see it, it never should have reached the ADD
> action at the bottom of my rules file.

If IP1 tried to connect to ANY port that wasn't allowed by the
ruleset, then it gets blacklisted and subsequent attempts to connect
to port 25 will be rejected, even if those attempts are allowed by the
ruleset.

> 
> My third issue is that I see these entries in the log:
> 
> Nov 30 09:12:27 Shorewall:loc-net3:ACCEPT:IN=enp0s9 OUT=enp0s13 SRC=10.215.144.31 DST=8.8.8.8 LEN=60 TOS=0x00 PREC=0x00 TTL=126 ID=29724 PROTO=UDP SPT=54141 DPT=53 LEN=40
> Nov 30 09:12:28 Shorewall:dbl_log:DROP:IN=enp0s13 OUT= SRC=8.8.8.8 DST=192.168.101.2 LEN=76 TOS=0x00 PREC=0x00 TTL=56 ID=53866 PROTO=UDP SPT=53 DPT=20938 LEN=56 MARK=0x3
> 
> where enp0s13 is net3's interface and 192.168.101.2 its IP
> address. So now Google DNS (8.8.8.8) is in the SW_DBL4 ipset.
> 
> I don't care if Google can connect or not but then I also see
> messages like these:
> 
> Nov 30 09:31:10 Shorewall:dbl_log:DROP:IN=enp0s13 OUT= SRC=xxx.xxx.xxx.xx1 DST=192.168.101.2 LEN=60 TOS=0x00 PREC=0x00 TTL=60 ID=0 DF PROTO=TCP SPT=80 DPT=14686 WINDOW=28960 RES=0x00 ACK SYN URGP=0 MARK=0x3
> Nov 30 09:49:33 Shorewall:dbl_log:DROP:IN=enp0s13 OUT= SRC=xxx.xxx.xxx.xx2 DST=192.168.101.2 LEN=75 TOS=0x00 PREC=0x00 TTL=50 ID=27302 DF PROTO=TCP SPT=443 DPT=53313 WINDOW=514 RES=0x00 ACK PSH FIN URGP=0 MARK=0x3
> Nov 30 09:49:33 Shorewall:dbl_log:DROP:IN=enp0s13 OUT= SRC=xxx.xxx.xxx.xx3 DST=192.168.101.2 LEN=40 TOS=0x00 PREC=0x00 TTL=89 ID=61483 DF PROTO=TCP SPT=443 DPT=28519 WINDOW=0 RES=0x00 RST URGP=0 MARK=0x3
> 
> They're usually ACK FIN, ACK SYN, ACK PSH or RST so I guess each
> time a client in my loc zone surfs the web, the web servers' IP
> addresses are bound to get blacklisted.
> 
> Another example when a client in the loc zone accesses a web server
> (note that there are several internet providers with load
> balancing):
> 
> Nov 30 09:58:03 Shorewall:loc-net1:ACCEPT:IN=enp0s9 OUT=enp0s11 SRC=10.215.248.190 DST=xxx.xxx.xxx.xx4 LEN=48 TOS=0x00 PREC=0x00 TTL=126 ID=2734 DF PROTO=TCP SPT=64178 DPT=80 WINDOW=8192 RES=0x00 SYN URGP=0
> Nov 30 09:58:04 Shorewall:loc-net1:ACCEPT:IN=enp0s9 OUT=enp0s11 SRC=10.215.248.190 DST=xxx.xxx.xxx.xx4 LEN=48 TOS=0x00 PREC=0x00 TTL=126 ID=3027 DF PROTO=TCP SPT=64180 DPT=80 WINDOW=8192 RES=0x00 SYN URGP=0
> Nov 30 09:58:05 Shorewall:loc-net2:ACCEPT:IN=enp0s9 OUT=enp0s12 SRC=10.215.248.190 DST=xxx.xxx.xxx.xx4 LEN=48 TOS=0x00 PREC=0x00 TTL=126 ID=3087 DF PROTO=TCP SPT=64183 DPT=80 WINDOW=8192 RES=0x00 SYN URGP=0
> 
> Nov 30 09:58:05 Shorewall:dbl_log:DROP:IN=enp0s12 OUT= SRC=xxx.xxx.xxx.xx4 DST=192.168.100.2 LEN=40 TOS=0x00 PREC=0x00 TTL=50 ID=0 DF PROTO=TCP SPT=80 DPT=64183 WINDOW=0 RES=0x00 RST URGP=0 MARK=0x2
>
> (192.168.100.2 is on net2)
> 
> So I'm wondering if I can avoid false positives in the dynamic
> blacklist.
> 

First, remove the ADD rules from /etc/shorewall/rules.

You can then copy action.Drop to /etc/shorewall/ and then add this to
the copy as the last line:

        ADD(SW_DBL4:src)

-Tom
--
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________
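The dbl_log drops quoted above are dominated by reply and teardown packets (SYN ACK from port 80, RST and ACK PSH FIN from port 443, a late DNS answer from 8.8.8.8), which is the false-positive pattern that comes from putting the ADD rule at the bottom of the rules file rather than inside the Drop action. Before flushing SW_DBL4 it helps to know which entries were earned by genuine unsolicited connection attempts and which are stray replies. The following triage script is an added example, not part of this thread and not Shorewall's own tooling. It assumes log lines in the Shorewall:CHAIN:DISPOSITION:key=value format shown in the thread; the sample lines and their addresses (RFC 5737 documentation ranges) are constructed, and the probe/stray-reply heuristic is this example's own assumption rather than Shorewall logic.

```python
import re
from collections import defaultdict

# Constructed sample lines in the Shorewall dbl_log format seen in the thread.
# Addresses are RFC 5737 documentation ranges plus 8.8.8.8 as in the thread,
# not a real deployment's hosts.
SAMPLE_LOG = """\
Nov 30 09:12:28 Shorewall:dbl_log:DROP:IN=enp0s13 OUT= SRC=8.8.8.8 DST=192.168.101.2 LEN=76 TOS=0x00 PREC=0x00 TTL=56 ID=53866 PROTO=UDP SPT=53 DPT=20938 LEN=56 MARK=0x3
Nov 30 09:31:10 Shorewall:dbl_log:DROP:IN=enp0s13 OUT= SRC=203.0.113.10 DST=192.168.101.2 LEN=60 TOS=0x00 PREC=0x00 TTL=60 ID=0 DF PROTO=TCP SPT=80 DPT=14686 WINDOW=28960 RES=0x00 ACK SYN URGP=0 MARK=0x3
Nov 30 09:49:33 Shorewall:dbl_log:DROP:IN=enp0s13 OUT= SRC=203.0.113.11 DST=192.168.101.2 LEN=40 TOS=0x00 PREC=0x00 TTL=89 ID=61483 DF PROTO=TCP SPT=443 DPT=28519 WINDOW=0 RES=0x00 RST URGP=0 MARK=0x3
Nov 30 10:02:41 Shorewall:dbl_log:DROP:IN=enp0s12 OUT= SRC=198.51.100.9 DST=192.168.100.2 LEN=44 TOS=0x00 PREC=0x00 TTL=48 ID=12345 PROTO=TCP SPT=51234 DPT=23 WINDOW=1024 RES=0x00 SYN URGP=0 MARK=0x2
Nov 30 10:02:42 Shorewall:dbl_log:DROP:IN=enp0s12 OUT= SRC=198.51.100.9 DST=192.168.100.2 LEN=44 TOS=0x00 PREC=0x00 TTL=48 ID=12346 PROTO=TCP SPT=51235 DPT=3389 WINDOW=1024 RES=0x00 SYN URGP=0 MARK=0x2
Nov 30 10:05:00 Shorewall:dbl_log:DROP:IN=enp0s12 OUT= SRC=198.51.100.12 DST=192.168.100.2 LEN=44 TOS=0x00 PREC=0x00 TTL=52 ID=777 PROTO=TCP SPT=40001 DPT=22 WINDOW=1024 RES=0x00 SYN URGP=0 MARK=0x2
Nov 30 10:05:03 Shorewall:dbl_log:DROP:IN=enp0s12 OUT= SRC=198.51.100.12 DST=192.168.100.2 LEN=40 TOS=0x00 PREC=0x00 TTL=52 ID=778 DF PROTO=TCP SPT=443 DPT=40002 WINDOW=0 RES=0x00 RST URGP=0 MARK=0x2
"""

TCP_FLAGS = {"SYN", "ACK", "RST", "FIN", "PSH", "URG"}
LOG_RE = re.compile(r"Shorewall:(?P<chain>[^:]+):(?P<disp>[A-Z]+):(?P<rest>.*)$")


def parse_line(line):
    """Parse one Shorewall/netfilter log line into a dict of fields.

    key=value tokens become dict entries (the first LEN= wins, so the IP
    length is kept and the inner UDP LEN= is ignored); bare tokens such as
    DF, SYN, ACK, RST go into a 'flags' set. Returns None for other lines.
    """
    m = LOG_RE.search(line)
    if not m:
        return None
    rec = {"chain": m.group("chain"), "disposition": m.group("disp"), "flags": set()}
    for tok in m.group("rest").split():
        if "=" in tok:
            key, val = tok.split("=", 1)
            rec.setdefault(key, val)
        else:
            rec["flags"].add(tok)
    return rec


def classify(rec):
    """Label a dropped packet (heuristic, an assumption of this example):
    TCP SYN without ACK      -> 'probe'        (new inbound attempt)
    TCP with ACK/RST/FIN     -> 'stray_reply'  (reply or teardown packet)
    UDP from source port 53  -> 'stray_reply'  (late DNS answer)
    anything else            -> 'unknown'
    """
    proto = rec.get("PROTO")
    flags = rec["flags"] & TCP_FLAGS
    if proto == "TCP":
        if "SYN" in flags and "ACK" not in flags:
            return "probe"
        if flags & {"ACK", "RST", "FIN"}:
            return "stray_reply"
    elif proto == "UDP" and rec.get("SPT") == "53":
        return "stray_reply"
    return "unknown"


def triage(log_text):
    """Group dbl_log DROP entries by source address: counts per verdict plus
    the destination ports seen. Other chains and dispositions are skipped."""
    per_src = defaultdict(lambda: {"probe": 0, "stray_reply": 0, "unknown": 0, "dports": set()})
    for line in log_text.splitlines():
        rec = parse_line(line)
        if not rec or rec["chain"] != "dbl_log" or rec["disposition"] != "DROP":
            continue
        entry = per_src[rec["SRC"]]
        entry[classify(rec)] += 1
        entry["dports"].add(rec.get("DPT"))
    return per_src


def likely_false_positives(log_text):
    """Sources whose dropped packets were all stray replies: candidates for
    removal from the set, and evidence that the ADD rule sits too early."""
    return sorted(src for src, e in triage(log_text).items()
                  if e["stray_reply"] and not e["probe"])


def removal_commands(log_text, setname="SW_DBL4"):
    """Build the ipset commands for an admin to review; nothing is executed."""
    return [f"ipset del {setname} {src}" for src in likely_false_positives(log_text)]


if __name__ == "__main__":
    for src, e in sorted(triage(SAMPLE_LOG).items()):
        print(f"{src:16} probes={e['probe']} stray={e['stray_reply']} dports={sorted(e['dports'])}")
    print("\n".join(removal_commands(SAMPLE_LOG)))
```

One caveat when reading the output: dbl_log records packets dropped because the source was already in SW_DBL4; the ADD rule itself logs nothing, so the packet that earned the entry is not in these lines. A source with only stray replies in dbl_log is a strong false-positive candidate, but a source that also sent SYNs to unadvertised ports (198.51.100.12 in the sample) is kept regardless of its later RST, which matches Tom's point that one disallowed attempt blocks everything that follows.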

------------------------------------------------------------------------------
_______________________________________________
Shorewall-users mailing list
Shorewall-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shorewall-users