On 4/19/19 2:01 AM, Vieri Di Paola wrote:
> On Thu, Apr 18, 2019 at 5:32 PM Tom Eastep <teas...@shorewall.net> wrote:
>>
>>> kernel: Shorewall:polbl:add2polbl:IN=ppp3 OUT= MAC= SRC=31.13.83.2
>>> DST=MY_PUBLIC_IP_3 LEN=40 TOS=0x00 PREC=0x00 TTL=88 ID=48428 DF
>>> PROTO=TCP SPT=443 DPT=44270 WINDOW=0 RES=0x00 RST URGP=0 MARK=0x3
>>> kernel: Shorewall:polbl:add2polbl:IN=ppp3 OUT= MAC= SRC=40.67.251.132
>>> DST=MY_PUBLIC_IP_3 LEN=382 TOS=0x00 PREC=0x00 TTL=111 ID=22075 DF
>>> PROTO=TCP SPT=443 DPT=49603 WINDOW=7431 RES=0x00 ACK PSH URGP=0
>>> MARK=0x3
>>> kernel: Shorewall:polbl:add2polbl:IN=ppp3 OUT= MAC= SRC=149.154.167.92
>>> DST=MY_PUBLIC_IP_3 LEN=40 TOS=0x00 PREC=0x00 TTL=51 ID=29469 DF
>>> PROTO=TCP SPT=443 DPT=51869 WINDOW=0 RES=0x00 RST URGP=0 MARK=0x3
>>>
>>> This is supposed to be "accepted" HTTPS traffic.
>>>
>>
>> I deal with those as follows:
>>
>> ?SECTION INVALID
>>
>> RST(ACCEPT) { SOURCE=all, DEST=all }
>> FIN(ACCEPT) { SOURCE=all, DEST=all }
>> DROP { SOURCE=net, DEST=all }
>
> Will these packets enter the INVALID state? Will they enter it "fast
> enough" so there's no significant lag?

TCP packets that don't have just the SYN flag set and that aren't
associated with an existing connection are classified as invalid.

> Any foreseeable side-effects? If not, could it be included by default
> in the shorewall config examples?

While there are none that I am aware of, the rules are not in wide
enough use to be considered for inclusion in the sample configs.

> Why add DROP in the last line? Isn't it implicit with whatever is in "policy"?

Yes, but my INVALID_DISPOSITION is CONTINUE (the default) and my
net->all policy is BLACKLIST, so if I don't drop the packets then they
will cause the remote system to be blacklisted. In other words, I'm
silently dropping these packets for the same reason that you are
accepting them.

> Also, in my specific example, could I use the following instead, or
> would it be nonsense?
>
> ?SECTION INVALID
>
> RST(ACCEPT) { SOURCE=net1, DEST=loc }
> RST(ACCEPT) { SOURCE=net2, DEST=loc }
> RST(ACCEPT) { SOURCE=net3, DEST=loc }
> FIN(ACCEPT) { SOURCE=net1, DEST=loc }
> FIN(ACCEPT) { SOURCE=net2, DEST=loc }
> FIN(ACCEPT) { SOURCE=net3, DEST=loc }
> DROP { SOURCE=net1, DEST=all }
> DROP { SOURCE=net2, DEST=all }
> DROP { SOURCE=net3, DEST=all }
>

That would work.

-Tom
--
Tom Eastep             \ Q: What do you get when you cross a mobster with
Shoreline,              \    an international standard?
Washington, USA          \ A: Someone who makes you an offer you can't
http://shorewall.org      \    understand
                           \_______________________________________________
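An added example, not code from the thread or from Shorewall itself: a small parser that reads the three kernel log lines quoted above and walks them through the ?SECTION INVALID rules Tom posted, first match wins. It assumes the RST and FIN macros match any TCP packet carrying that flag, and that interface ppp3 belongs to zone net (both are assumptions for the illustration). It shows that the two RST packets would be accepted while the ACK PSH packet would fall through to the DROP rule.

```python
# Copies of the three log lines quoted in the thread (constructed sample input;
# DST keeps the poster's MY_PUBLIC_IP_3 placeholder).
SAMPLE_LOG = """\
kernel: Shorewall:polbl:add2polbl:IN=ppp3 OUT= MAC= SRC=31.13.83.2 DST=MY_PUBLIC_IP_3 LEN=40 TOS=0x00 PREC=0x00 TTL=88 ID=48428 DF PROTO=TCP SPT=443 DPT=44270 WINDOW=0 RES=0x00 RST URGP=0 MARK=0x3
kernel: Shorewall:polbl:add2polbl:IN=ppp3 OUT= MAC= SRC=40.67.251.132 DST=MY_PUBLIC_IP_3 LEN=382 TOS=0x00 PREC=0x00 TTL=111 ID=22075 DF PROTO=TCP SPT=443 DPT=49603 WINDOW=7431 RES=0x00 ACK PSH URGP=0 MARK=0x3
kernel: Shorewall:polbl:add2polbl:IN=ppp3 OUT= MAC= SRC=149.154.167.92 DST=MY_PUBLIC_IP_3 LEN=40 TOS=0x00 PREC=0x00 TTL=51 ID=29469 DF PROTO=TCP SPT=443 DPT=51869 WINDOW=0 RES=0x00 RST URGP=0 MARK=0x3
"""

TCP_FLAGS = {"SYN", "ACK", "FIN", "RST", "PSH", "URG"}
# Assumed interface-to-zone map for the illustration (not from the thread).
ZONE_OF_IFACE = {"ppp3": "net"}


def parse_shorewall_line(line):
    """Split a Shorewall/netfilter log line into key=value fields plus the bare TCP flag tokens."""
    if "Shorewall:" not in line or ":IN=" not in line:
        return None
    prefix, _, rest = line.partition(":IN=")
    fields = {"chain": prefix.split("Shorewall:", 1)[1]}  # e.g. "polbl:add2polbl"
    flags = set()
    for tok in ("IN=" + rest).split():
        if "=" in tok:                      # IN=ppp3, SRC=..., OUT= (empty value is fine)
            key, value = tok.split("=", 1)
            fields[key] = value
        elif tok in TCP_FLAGS:              # bare tokens such as RST, ACK, PSH
            flags.add(tok)
    fields["flags"] = flags
    return fields


def invalid_section_verdict(pkt):
    """First-match evaluation of: RST(ACCEPT) all->all, FIN(ACCEPT) all->all, DROP net->all."""
    is_tcp = pkt.get("PROTO") == "TCP"
    if is_tcp and "RST" in pkt["flags"]:
        return "ACCEPT (RST)"
    if is_tcp and "FIN" in pkt["flags"]:
        return "ACCEPT (FIN)"
    if ZONE_OF_IFACE.get(pkt.get("IN")) == "net":
        return "DROP"
    return "CONTINUE"  # no rule matched; INVALID_DISPOSITION=CONTINUE hands it to the policy


def classify_log(text):
    """Return (SRC, sorted flags, verdict) for every parseable line of a log excerpt."""
    packets = (parse_shorewall_line(l) for l in text.splitlines())
    return [(p["SRC"], sorted(p["flags"]), invalid_section_verdict(p)) for p in packets if p]


if __name__ == "__main__":
    for src, flags, verdict in classify_log(SAMPLE_LOG):
        print(f"{src:16} {' '.join(flags):8} -> {verdict}")
```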
_______________________________________________
Shorewall-users mailing list
Shorewall-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shorewall-users