On 02/06/2018 06:25 AM, John Thomas wrote:
> Logs in 5.1, but not when on 5.0
>
> Feb 5 16:38:53 home kernel: net-fw DROP IN=eth0 OUT= MAC=(redacted) SRC=208.85.46.26 DST=208.85.46.26 LEN=1280 TOS=0x00 PREC=0x00 TTL=55 ID=13502 DF PROTO=TCP SPT=80 DPT=41374 WINDOW=201 RES=0x00 ACK URGP=0
> Feb 5 16:39:28 home kernel: net-fw DROP IN=eth0 OUT= MAC=(redacted) SRC=208.85.46.26 DST=(redacted) LEN=1280 TOS=0x00 PREC=0x00 TTL=55 ID=13503 DF PROTO=TCP SPT=80 DPT=41374 WINDOW=201 RES=0x00 ACK URGP=0
> Feb 5 16:40:37 home kernel: net-fw DROP IN=eth0 OUT= MAC=(redacted) SRC=208.85.46.26 DST=(redacted) LEN=1280 TOS=0x00 PREC=0x00 TTL=55 ID=13504 DF PROTO=TCP SPT=80 DPT=41374 WINDOW=201 RES=0x00 ACK URGP=0
> Feb 5 16:42:38 home kernel: net-fw DROP IN=eth0 OUT= MAC=(redacted) SRC=208.85.46.26 DST=(redacted) LEN=1280 TOS=0x00 PREC=0x00 TTL=55 ID=13505 DF PROTO=TCP SPT=80 DPT=41374 WINDOW=201 RES=0x00 ACK URGP=0
>
> I'm getting these ACK DROP messages in the logs from Google on IPv6, Pandora (daughter), one DNS provider that I cannot remember. Could I trouble you to help me understand what is going on?
The deprecated Drop action invokes 'NotSyn(DROP,@1)'; with that DROP policy action under Shorewall 5.0, these packets were silently dropped. Using the 5.1 default DROP policy actions (Broadcast(DROP),Multicast(DROP)), these packets are not silently dropped, which is why you are seeing them.

> Another odd log I did not get on 5.0. This is without the ACK in it and is UDP from port 443.
> Feb 6 00:01:30 home kernel: net-fw DROP IN=eth0 OUT= MAC=(redacted) SRC=172.217.5.74 DST=(redacted) LEN=77 TOS=0x00 PREC=0x00 TTL=59 ID=0 DF PROTO=UDP SPT=443 DPT=44373 LEN=57
> Feb 6 00:01:31 home kernel: net-fw DROP IN=eth0 OUT= MAC=(redacted) SRC=172.217.5.74 DST=(redacted) LEN=77 TOS=0x00 PREC=0x00 TTL=59 ID=0 DF PROTO=UDP SPT=443 DPT=44373 LEN=57

These are QUIC response packets that don't match any current UDP flow. These would have been logged by the 5.0 ruleset as well.

In the dump you sent, I see a UDP packet logged with source port 53. Those packets *were* silently dropped in 5.0 but appear in 5.1 when using the default DROP policy actions.

-Tom
--
Tom Eastep            \ Q: What do you get when you cross a mobster with
Shoreline,             \    an international standard?
Washington, USA         \ A: Someone who makes you an offer you can't
http://shorewall.org     \    understand
                          \_______________________________________________
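The classification Tom gives above, worked through as an added example that is not part of the original thread and not Shorewall code: a small Python parser for netfilter's kernel log format that tags each dropped packet the way his reply does (TCP without SYN, UDP reply from port 443, UDP reply from port 53) and flags which classes were silent under 5.0 and only became visible in the 5.1 logs. The sample log lines are constructed to mirror John's (RFC 5737 documentation addresses and a made-up MAC in place of the redacted values); the rule that TCP-without-SYN and UDP-source-port-53 drops were silent under 5.0 while QUIC replies from UDP/443 were logged under both versions is taken from the reply, and the "net-fw DROP" prefix is assumed to be a two-field chain/disposition LOGFORMAT on John's box.

```python
"""Parse and classify netfilter DROP log lines like those in this thread.

Added example; not Shorewall code. The sample lines below are constructed
to mirror the ones John posted (RFC 5737 addresses, made-up MAC address).
"""
from collections import Counter
from dataclasses import dataclass, field
from typing import Dict, Set

TCP_FLAGS = {"SYN", "ACK", "FIN", "RST", "PSH", "URG"}


@dataclass
class NfLogEntry:
    prefix: str                                   # ruleset's log prefix, e.g. "net-fw DROP" (assumed chain + disposition)
    fields: Dict[str, str]                        # KEY=value tokens emitted by netfilter
    flags: Set[str] = field(default_factory=set)  # bare tokens: DF and the TCP flag names


def parse_nflog(line: str) -> NfLogEntry:
    tokens = line.split()
    # netfilter's own output starts at IN=; whatever sits between "kernel:"
    # and IN= is the prefix the ruleset attached to the LOG/NFLOG target.
    start = next(i for i, t in enumerate(tokens) if t.startswith("IN="))
    kstart = tokens.index("kernel:") + 1 if "kernel:" in tokens else 0
    fields: Dict[str, str] = {}
    flags: Set[str] = set()
    for tok in tokens[start:]:
        if "=" in tok:
            key, _, value = tok.partition("=")  # "OUT=" yields an empty value
            # UDP lines carry LEN= twice (IP total length, then UDP length);
            # keep the first and file the second as LEN2 instead of clobbering it.
            fields[key if key not in fields else key + "2"] = value
        else:
            flags.add(tok)
    return NfLogEntry(" ".join(tokens[kstart:start]), fields, flags)


def classify(entry: NfLogEntry) -> str:
    proto = entry.fields.get("PROTO")
    sport = int(entry.fields.get("SPT", "0"))
    if proto == "TCP":
        # A TCP packet that falls through to the DROP policy without SYN set
        # has no conntrack entry to ride on: a late ACK/FIN/RST after the
        # flow timed out, which NotSyn(DROP) used to swallow silently.
        return "tcp-syn" if "SYN" in entry.flags else "tcp-notsyn"
    if proto == "UDP":
        if sport == 53:
            return "udp-dns-reply"   # late DNS answer, flow already expired
        if sport == 443:
            return "udp-quic-reply"  # QUIC response with no matching UDP flow
        return "udp-other"
    return "other"


# Per the reply: non-SYN TCP and UDP source-port-53 packets were dropped
# silently under 5.0; QUIC replies from UDP/443 were logged under 5.0 too.
SILENT_UNDER_5_0 = {"tcp-notsyn", "udp-dns-reply"}


def newly_visible_in_5_1(kind: str) -> bool:
    return kind in SILENT_UNDER_5_0


def summarize(log_text: str) -> Dict[str, int]:
    """Count dropped packets per class, skipping lines that aren't netfilter logs."""
    counts: Counter = Counter()
    for line in log_text.splitlines():
        if " IN=" in line:
            counts[classify(parse_nflog(line))] += 1
    return dict(counts)


# Constructed sample, modelled on the lines in the thread (not real traffic).
SAMPLE_LOG = """\
Feb  5 16:38:53 home kernel: net-fw DROP IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=198.51.100.26 DST=203.0.113.7 LEN=1280 TOS=0x00 PREC=0x00 TTL=55 ID=13502 DF PROTO=TCP SPT=80 DPT=41374 WINDOW=201 RES=0x00 ACK URGP=0
Feb  6 00:01:30 home kernel: net-fw DROP IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=198.51.100.74 DST=203.0.113.7 LEN=77 TOS=0x00 PREC=0x00 TTL=59 ID=0 DF PROTO=UDP SPT=443 DPT=44373 LEN=57
Feb  6 00:02:11 home kernel: net-fw DROP IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=198.51.100.53 DST=203.0.113.7 LEN=101 TOS=0x00 PREC=0x00 TTL=57 ID=0 DF PROTO=UDP SPT=53 DPT=50212 LEN=81
Feb  6 00:03:02 home kernel: net-fw DROP IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=198.51.100.9 DST=203.0.113.7 LEN=60 TOS=0x00 PREC=0x00 TTL=48 ID=4242 DF PROTO=TCP SPT=51234 DPT=22 WINDOW=29200 RES=0x00 SYN URGP=0
"""

if __name__ == "__main__":
    for line in SAMPLE_LOG.splitlines():
        e = parse_nflog(line)
        kind = classify(e)
        note = "new in 5.1 logs" if newly_visible_in_5_1(kind) else "logged in 5.0 too"
        print(f"{e.prefix:12} {e.fields['PROTO']:3} {e.fields['SRC']}:{e.fields['SPT']} -> "
              f":{e.fields['DPT']} {' '.join(sorted(e.flags)):8} {kind:15} {note}")
```

Run it against `journalctl -k` or `/var/log/kern.log` output to see which of the new 5.1 log noise is just the old silent drops made visible (the first three classes) and which lines, such as the SYN to port 22 in the sample, are genuine inbound connection attempts that deserve attention.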
_______________________________________________
Shorewall-users mailing list
Shorewall-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shorewall-users