On 4/19/19 2:01 AM, Vieri Di Paola wrote:
> On Thu, Apr 18, 2019 at 5:32 PM Tom Eastep <[email protected]> wrote:
>>
>>> kernel: Shorewall:polbl:add2polbl:IN=ppp3 OUT= MAC= SRC=31.13.83.2
>>> DST=MY_PUBLIC_IP_3 LEN=40 TOS=0x00 PREC=0x00 TTL=88 ID=48428 DF
>>> PROTO=TCP SPT=443 DPT=44270 WINDOW=0 RES=0x00 RST URGP=0 MARK=0x3
>>> kernel: Shorewall:polbl:add2polbl:IN=ppp3 OUT= MAC= SRC=40.67.251.132
>>> DST=MY_PUBLIC_IP_3 LEN=382 TOS=0x00 PREC=0x00 TTL=111 ID=22075 DF
>>> PROTO=TCP SPT=443 DPT=49603 WINDOW=7431 RES=0x00 ACK PSH URGP=0
>>> MARK=0x3
>>> kernel: Shorewall:polbl:add2polbl:IN=ppp3 OUT= MAC= SRC=149.154.167.92
>>> DST=MY_PUBLIC_IP_3 LEN=40 TOS=0x00 PREC=0x00 TTL=51 ID=29469 DF
>>> PROTO=TCP SPT=443 DPT=51869 WINDOW=0 RES=0x00 RST URGP=0 MARK=0x3
>>>
>>> This is supposed to be "accepted" HTTPS traffic.
>>>
>>
>> I deal with those as follows:
>>
>> ?SECTION INVALID
>>
>> RST(ACCEPT) { SOURCE=all, DEST=all }
>> FIN(ACCEPT) { SOURCE=all, DEST=all }
>> DROP { SOURCE=net, DEST=all }
>
> Will these packets enter the INVALID state? Will they enter it "fast
> enough" so there's no significant lag?
TCP packets that don't have just the SYN flag set and that aren't
associated with an existing connection are classified as invalid.
> Any foreseeable side-effects? If not, could it be included by default
> in the shorewall config examples?
While there are none that I am aware of, the rules are not in wide
enough use to be considered for inclusion in the sample configs.
>
> Why add DROP in the last line? Isn't it implicit with whatever is in "policy"?
Yes, but my INVALID_DISPOSITION is CONTINUE (the default) and my
net->all policy is BLACKLIST, so if I don't drop the packets then they
will cause the remote system to be blacklisted. In other words, I'm
silently dropping these packets for the same reason that you are
accepting them.
>
> Also, in my specific example, could I use the following instead, or
> would it be nonsense?
>
> ?SECTION INVALID
>
> RST(ACCEPT) { SOURCE=net1, DEST=loc }
> RST(ACCEPT) { SOURCE=net2, DEST=loc }
> RST(ACCEPT) { SOURCE=net3, DEST=loc }
> FIN(ACCEPT) { SOURCE=net1, DEST=loc }
> FIN(ACCEPT) { SOURCE=net2, DEST=loc }
> FIN(ACCEPT) { SOURCE=net3, DEST=loc }
> DROP { SOURCE=net1, DEST=all }
> DROP { SOURCE=net2, DEST=all }
> DROP { SOURCE=net3, DEST=all }
>
That would work.
-Tom
--
Tom Eastep \ Q: What do you get when you cross a mobster with
Shoreline, \ an international standard?
Washington, USA \ A: Someone who makes you an offer you can't
http://shorewall.org \ understand
\_______________________________________________
_______________________________________________ Shorewall-users mailing list [email protected] https://lists.sourceforge.net/lists/listinfo/shorewall-users
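The following is an added example, not code from the thread or from the Shorewall project. It parses the kind of `Shorewall:polbl:add2polbl:` kernel log lines quoted above (the three sample lines are taken from the thread), pulls out the TCP flags, and walks a packet through a simplified model of Tom's `?SECTION INVALID` rules so you can see which of the logged packets the `RST(ACCEPT)`/`FIN(ACCEPT)` lines would accept and which would fall through to the trailing `DROP`. The interface-to-zone mapping (`ppp3` in zone `net`), the treatment of an empty `OUT=` as the firewall zone, the assumption that `all` matches the firewall zone, and the rule-walk itself are assumptions of this example, not a reimplementation of Shorewall's compiler; the fall-through result only models the `INVALID_DISPOSITION=CONTINUE` plus `BLACKLIST` policy case Tom describes.

```python
"""Triage Shorewall LOG lines and simulate a ?SECTION INVALID ruleset (added example)."""
import re

# Bare tokens iptables LOG prints for TCP flags; DF/MF/CE are IP-level and ignored.
TCP_FLAGS = {"SYN", "ACK", "FIN", "RST", "PSH", "URG", "CWR", "ECE"}

# Shorewall log prefix is "Shorewall:<chain>:<disposition>:" glued to "IN=...".
LOG_RE = re.compile(r"Shorewall:(?P<chain>[^:\s]+):(?P<disp>[^:\s]+):(?P<rest>.*)$")

# ASSUMPTION: which zone each interface belongs to (the thread does not say).
IFACE_ZONE = {"ppp3": "net"}

# Log lines quoted in the thread (DST is the original poster's placeholder).
SAMPLE_LOG = [
    "kernel: Shorewall:polbl:add2polbl:IN=ppp3 OUT= MAC= SRC=31.13.83.2 "
    "DST=MY_PUBLIC_IP_3 LEN=40 TOS=0x00 PREC=0x00 TTL=88 ID=48428 DF "
    "PROTO=TCP SPT=443 DPT=44270 WINDOW=0 RES=0x00 RST URGP=0 MARK=0x3",
    "kernel: Shorewall:polbl:add2polbl:IN=ppp3 OUT= MAC= SRC=40.67.251.132 "
    "DST=MY_PUBLIC_IP_3 LEN=382 TOS=0x00 PREC=0x00 TTL=111 ID=22075 DF "
    "PROTO=TCP SPT=443 DPT=49603 WINDOW=7431 RES=0x00 ACK PSH URGP=0 MARK=0x3",
    "kernel: Shorewall:polbl:add2polbl:IN=ppp3 OUT= MAC= SRC=149.154.167.92 "
    "DST=MY_PUBLIC_IP_3 LEN=40 TOS=0x00 PREC=0x00 TTL=51 ID=29469 DF "
    "PROTO=TCP SPT=443 DPT=51869 WINDOW=0 RES=0x00 RST URGP=0 MARK=0x3",
]


def parse_log_line(line):
    """Return a dict of KEY=VALUE fields plus a 'flags' set of TCP flag tokens."""
    m = LOG_RE.search(line)
    if not m:
        return None
    pkt = {"chain": m.group("chain"), "logdisp": m.group("disp"), "flags": set()}
    for tok in m.group("rest").split():
        if "=" in tok:                      # KEY=VALUE (VALUE may be empty, e.g. OUT=)
            key, val = tok.split("=", 1)
            pkt[key] = val
        elif tok in TCP_FLAGS:              # bare flag token such as RST or ACK
            pkt["flags"].add(tok)
    return pkt


def not_a_bare_syn(pkt):
    """Tom's rule of thumb: a TCP packet that is not a bare SYN and matches no
    tracked connection is INVALID. The log line carries no conntrack state, so
    this only evaluates the flag half of that condition."""
    return pkt.get("PROTO") == "TCP" and pkt["flags"] != {"SYN"}


# One rule = (required TCP flag or None, SOURCE zone, DEST zone, action),
# mirroring the three lines Tom posted under ?SECTION INVALID.
TOM_INVALID_RULES = [
    ("RST", "all", "all", "ACCEPT"),
    ("FIN", "all", "all", "ACCEPT"),
    (None, "net", "all", "DROP"),
]


def zone_matches(rule_zone, zone):
    # ASSUMPTION: "all" also matches the firewall zone.
    return rule_zone == "all" or rule_zone == zone


def invalid_section(pkt, rules, invalid_disposition="CONTINUE", policy="BLACKLIST"):
    """First matching rule wins; with no match, INVALID_DISPOSITION decides.
    CONTINUE hands the packet on to the zone policy (BLACKLIST in the thread)."""
    src_zone = IFACE_ZONE.get(pkt.get("IN"), "?")
    # ASSUMPTION: empty OUT= means the packet is addressed to the firewall itself.
    dst_zone = "fw" if pkt.get("OUT", "") == "" else IFACE_ZONE.get(pkt["OUT"], "?")
    for flag, src, dst, action in rules:
        if flag is not None and flag not in pkt["flags"]:
            continue
        if zone_matches(src, src_zone) and zone_matches(dst, dst_zone):
            return action
    if invalid_disposition == "CONTINUE":
        return "CONTINUE->" + policy
    return invalid_disposition


def triage(lines, rules=TOM_INVALID_RULES):
    """Return (SRC, SPT, sorted flags, simulated disposition) per parsable line."""
    out = []
    for line in lines:
        pkt = parse_log_line(line)
        if pkt is None:
            continue
        out.append((pkt["SRC"], pkt["SPT"], sorted(pkt["flags"]), invalid_section(pkt, rules)))
    return out


if __name__ == "__main__":
    for src, spt, flags, disp in triage(SAMPLE_LOG):
        print(f"{src:>16} sport={spt} flags={','.join(flags):<8} -> {disp}")
    print("without the ?SECTION INVALID rules:",
          invalid_section(parse_log_line(SAMPLE_LOG[1]), []))
```

Running it shows the two RST packets accepted and the ACK PSH packet (the second log line) dropped by the trailing rule; with the three rules removed, the same packet falls through to `CONTINUE->BLACKLIST`, which is the blacklisting Tom's explicit `DROP` is there to avoid.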
