On 07/11/2017 02:23 AM, Vieri Di Paola via Shorewall-users wrote:
> ________________________________
> From: Tom Eastep <[email protected]>
>>
>> This happens when Netfilter believes that flow is closed and deletes the
>> conntrack entry, while one of the end-points still thinks that the flow
>> is alive and sends an RST. In my own ruleset, I handle this with:
>>
>> RST(ACCEPT) { SOURCE=all, DEST=all }
>>
>> I have also seen similar problems with SYN,PSH,ACK packets, and added a
>> FIN action in 5.1.5. I use it similarly:
>>
>> FIN(ACCEPT) { SOURCE=ALL, DEST=all }
>
>
> I added these lines to the rules file:
>
> RST(ACCEPT) { SOURCE=all, DEST=all }
> FIN(ACCEPT) { SOURCE=all, DEST=all }
>
> and restarted shorewall.
>
> I'm still getting these in the logs:
>
> Jul 11 11:07:57 inf-gw1 kernel: Shorewall:dropNotSyn:DROP:IN=enp9s5 OUT=
> MAC=00:0d:88:cd:7f:c5:00:13:f7:23:ef:b4:08:00 SRC=216.58.214.163
> DST=192.168.100.2 LEN=1140 TOS=0x00 PREC=0x00 TTL=55 ID=32907 PROTO=TCP
> SPT=443 DPT=43579 WINDOW=351 RES=0x00 ACK PSH URGP=0 MARK=0x2
> Jul 11 11:07:57 inf-gw1 kernel: Shorewall:dropNotSyn:DROP:IN=enp9s6 OUT=
> MAC=00:0d:88:cd:7f:c6:50:67:f0:af:f4:57:08:00 SRC=158.85.58.43
> DST=192.168.101.2 LEN=52 TOS=0x00 PREC=0x00 TTL=49 ID=30820 DF PROTO=TCP
> SPT=80 DPT=16779 WINDOW=514 RES=0x00 ACK RST URGP=0 MARK=0x3
> Jul 11 11:07:57 inf-gw1 kernel: Shorewall:dropNotSyn:DROP:IN=enp9s5 OUT=
> MAC=00:0d:88:cd:7f:c5:00:13:f7:23:ef:b4:08:00 SRC=216.58.214.163
> DST=192.168.100.2 LEN=856 TOS=0x00 PREC=0x00 TTL=55 ID=31520 PROTO=TCP
> SPT=443 DPT=35305 WINDOW=351 RES=0x00 ACK PSH URGP=0 MARK=0x2
>
> # shorewall version
> 5.1.5
>
>
>
> # grep -v ^# /usr/share/shorewall/action.RST | grep -v ^$
> DEFAULTS DROP,-
> @1 - - ;;+ -p 6 --tcp-flags RST RST
>
> # grep -v ^# /usr/share/shorewall/action.FIN | grep -v ^$
> DEFAULTS ACCEPT,-
> @1 - - ;;+ -p 6 --tcp-flags ACK,FIN,PSH ACK,FIN,PSH
>
> Functionally speaking, no user has yet reported issues accessing http or
> https sites.
>
> I could ignore these messages although I wasn't getting them in previous
> systems.
>
In shorewall.conf, remove the ":$LOG" after 'dropNotSyn' in the BLACKLIST_DEFAULT setting.

-Tom

--
Tom Eastep            \ Q: What do you get when you cross a mobster with
Shoreline,             \    an international standard?
Washington, USA         \ A: Someone who makes you an offer you can't
http://shorewall.org     \    understand
\_______________________________________________
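The thread shows two Shorewall actions (RST: `--tcp-flags RST RST`; FIN: `--tcp-flags ACK,FIN,PSH ACK,FIN,PSH`) and a set of dropNotSyn log entries. The small parser below, an added example that is not part of this thread or of Shorewall itself, reads netfilter log lines in the format quoted above, extracts the bare TCP flag words, and reports which of the two quoted actions would have matched each dropped packet under the standard iptables `--tcp-flags MASK COMP` rule (match when `flags & MASK == COMP`). The sample log is the thread's three entries re-joined onto one line each; the action table and the helper names are assumptions of this example.

```python
import re
from collections import Counter

# Constructed sample: the three dropNotSyn entries quoted in the thread,
# each kernel log record re-joined onto a single line.
SAMPLE_LOG = """\
Jul 11 11:07:57 inf-gw1 kernel: Shorewall:dropNotSyn:DROP:IN=enp9s5 OUT= MAC=00:0d:88:cd:7f:c5:00:13:f7:23:ef:b4:08:00 SRC=216.58.214.163 DST=192.168.100.2 LEN=1140 TOS=0x00 PREC=0x00 TTL=55 ID=32907 PROTO=TCP SPT=443 DPT=43579 WINDOW=351 RES=0x00 ACK PSH URGP=0 MARK=0x2
Jul 11 11:07:57 inf-gw1 kernel: Shorewall:dropNotSyn:DROP:IN=enp9s6 OUT= MAC=00:0d:88:cd:7f:c6:50:67:f0:af:f4:57:08:00 SRC=158.85.58.43 DST=192.168.101.2 LEN=52 TOS=0x00 PREC=0x00 TTL=49 ID=30820 DF PROTO=TCP SPT=80 DPT=16779 WINDOW=514 RES=0x00 ACK RST URGP=0 MARK=0x3
Jul 11 11:07:57 inf-gw1 kernel: Shorewall:dropNotSyn:DROP:IN=enp9s5 OUT= MAC=00:0d:88:cd:7f:c5:00:13:f7:23:ef:b4:08:00 SRC=216.58.214.163 DST=192.168.100.2 LEN=856 TOS=0x00 PREC=0x00 TTL=55 ID=31520 PROTO=TCP SPT=443 DPT=35305 WINDOW=351 RES=0x00 ACK PSH URGP=0 MARK=0x2
"""

# Bare words netfilter's LOG target emits for set TCP flags.
TCP_FLAG_WORDS = {"SYN", "ACK", "FIN", "RST", "PSH", "URG", "ECE", "CWR"}

# The two actions quoted in the thread as (MASK, COMP) sets, in the order the
# poster listed them in the rules file (assumed ordering for this example).
ACTIONS = {
    "RST": ({"RST"}, {"RST"}),
    "FIN": ({"ACK", "FIN", "PSH"}, {"ACK", "FIN", "PSH"}),
}

LINE_RE = re.compile(r"Shorewall:(?P<chain>[^:]+):(?P<disp>[^:]+):(?P<rest>.*)")


def parse_line(line):
    """Return a dict for a Shorewall TCP log line, or None if it is not one."""
    m = LINE_RE.search(line)
    if not m:
        return None
    fields, flags, after_proto = {}, set(), False
    for tok in m.group("rest").split():
        if "=" in tok:
            key, _, value = tok.partition("=")
            fields[key] = value
            if key == "PROTO":
                after_proto = True  # flag words only follow PROTO=TCP
        elif after_proto and tok in TCP_FLAG_WORDS:
            flags.add(tok)
    if fields.get("PROTO") != "TCP":
        return None
    return {
        "chain": m.group("chain"),
        "disposition": m.group("disp"),
        "src": fields.get("SRC"),
        "dst": fields.get("DST"),
        "spt": int(fields.get("SPT", 0)),
        "dpt": int(fields.get("DPT", 0)),
        "flags": frozenset(flags),
    }


def tcp_flags_match(flags, mask, comp):
    """iptables --tcp-flags semantics: (flags & MASK) == COMP."""
    return (set(flags) & mask) == comp


def matching_action(flags):
    """Name of the first quoted action that would match, or None."""
    for name, (mask, comp) in ACTIONS.items():
        if tcp_flags_match(flags, mask, comp):
            return name
    return None


def summarize(log_text):
    """Count dropNotSyn entries by (action or 'unmatched', SRC, SPT, flags)."""
    counts = Counter()
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry is None or entry["chain"] != "dropNotSyn":
            continue
        key = (
            matching_action(entry["flags"]) or "unmatched",
            entry["src"],
            entry["spt"],
            " ".join(sorted(entry["flags"])),
        )
        counts[key] += 1
    return counts


if __name__ == "__main__":
    for (action, src, spt, flags), n in sorted(summarize(SAMPLE_LOG).items()):
        print(f"{n:3d}  {action:9s}  {src}:{spt}  [{flags}]")
```

Running it over the sample shows that the ACK RST entry is covered by the RST action, while the two ACK PSH entries (no FIN set) satisfy neither `--tcp-flags` expression and so remain subject to whatever the dropNotSyn disposition in BLACKLIST_DEFAULT does, logging included. The same summary run over a real `/var/log/kern.log` is a quick way to check whether a flag-based accept rule actually covers the traffic being logged before deciding, as suggested above, to simply stop logging it.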
