On 02/06/2018 10:34 AM, John Thomas wrote:
> > Feb 5 16:42:38 home kernel: net-fw DROP IN=eth0 OUT=
> > MAC=(redacted) SRC=208.85.46.26 DST=(redacted) LEN=1280 TOS=0x00
> > PREC=0x00 TTL=55 ID=13505 DF PROTO=TCP SPT=80 DPT=41374
> > WINDOW=201 RES=0x00 ACK URGP=0
> >
> > I'm getting these ACK DROP messages in the logs from Google on IPv6,
> > Pandora (daughter), one DNS provider that I cannot remember. Could
> > I trouble you to help me understand what is going on?
>
> The deprecated Drop action invokes 'NotSyn(DROP,@1)'; with that DROP
> policy action under Shorewall 5.0, these packets were silently dropped.
> Using the 5.1 default DROP policy actions
> (Broadcast(DROP),Multicast(DROP)), these packets are not silently
> dropped, which is why you are seeing them.
>
> Thank you Tom!
>
> Could I trouble you to let me know how to configure 5.1 so I can get
> those packets silently dropped like in 5.1?
>
> I have these default 5.1 settings.
> BLACKLIST_DEFAULT="Broadcast(DROP),Multicast(DROP),dropNotSyn:$LOG_LEVEL,dropInvalid:$LOG_LEVEL,DropDNSrep:$LOG_LEVEL"
> DROP_DEFAULT="Broadcast(DROP),Multicast(DROP)"
>

Add ",NotSyn(DROP)" to DROP_DEFAULT

-Tom
--
Tom Eastep        \   Q: What do you get when you cross a mobster with
Shoreline,         \     an international standard?
Washington, USA     \ A: Someone who makes you an offer you can't
http://shorewall.org \   understand
                      \_______________________________________________
_______________________________________________
Shorewall-users mailing list
Shorewall-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shorewall-users
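
An added example, not part of the original thread and not Shorewall code: a small Python triage of kernel log lines like the one quoted above, picking out the logged TCP drops that are not a bare SYN, which is the traffic the thread is about. It assumes NotSyn matches what iptables calls `! --syn`; the function names and the second and third sample lines are constructed for illustration.

```python
# TCP flag names as the netfilter LOG target prints them (bare tokens, no "=").
TCP_FLAGS = {"CWR", "ECE", "URG", "ACK", "PSH", "RST", "SYN", "FIN"}

def parse_log(line):
    """Split a netfilter LOG line into KEY=value fields and bare TCP flags."""
    tokens = line.split("kernel: ", 1)[-1].split()
    fields = dict(t.split("=", 1) for t in tokens if "=" in t)
    flags = {t for t in tokens if t in TCP_FLAGS}
    return fields, flags

def is_syn(flags):
    """Mirror iptables '--syn': SYN set while ACK, RST and FIN are clear."""
    return "SYN" in flags and not flags & {"ACK", "RST", "FIN"}

def not_syn_drops(lines, prefix="net-fw DROP"):
    """Return (src, sport, flags) for logged TCP drops that are not a bare SYN."""
    hits = []
    for line in lines:
        if prefix not in line:
            continue  # not a drop logged by the net-fw policy
        fields, flags = parse_log(line)
        if fields.get("PROTO") == "TCP" and not is_syn(flags):
            hits.append((fields.get("SRC"), int(fields.get("SPT", 0)), sorted(flags)))
    return hits

HEAD = "home kernel: net-fw DROP IN=eth0 OUT= MAC=(redacted) "
SAMPLE = [
    # The line from the post, with its mail line wrapping undone.
    "Feb 5 16:42:38 " + HEAD + "SRC=208.85.46.26 DST=(redacted) LEN=1280 "
    "TOS=0x00 PREC=0x00 TTL=55 ID=13505 DF PROTO=TCP SPT=80 DPT=41374 "
    "WINDOW=201 RES=0x00 ACK URGP=0",
    # Constructed: a new connection attempt (bare SYN), not matched by '! --syn'.
    "Feb 5 16:43:01 " + HEAD + "SRC=192.0.2.10 DST=(redacted) LEN=60 "
    "TOS=0x00 PREC=0x00 TTL=52 ID=4411 DF PROTO=TCP SPT=51122 DPT=23 "
    "WINDOW=29200 RES=0x00 SYN URGP=0",
    # Constructed: a UDP drop, outside the scope of a TCP flag check.
    "Feb 5 16:43:09 " + HEAD + "SRC=198.51.100.7 DST=(redacted) LEN=120 "
    "TOS=0x00 PREC=0x00 TTL=49 ID=901 PROTO=UDP SPT=53 DPT=40000 LEN=100",
]

if __name__ == "__main__":
    for src, sport, flags in not_syn_drops(SAMPLE):
        print(f"non-SYN TCP drop from {src}:{sport} flags={'+'.join(flags)}")
```

Run it over the firewall's log before and after changing DROP_DEFAULT to compare how many non-SYN drops are being logged.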