On 10/7/20 4:14 AM, Vieri Di Paola wrote:
> Hi,
> 
> If my rules allow HTTP and HTTPS access (ports 80, 443) with an ACCEPT
> rule such as the following
> 
> ACCEPT    lan1:10.215.144.0/23    wan    tcp,udp    80,443
> 
> I'd like to know why I am seeing the following in the shorewall log
> when a user accesses a web page:
> 
> kernel: Shorewall:wan-lan1:DROP:IN=wan OUT=lan.1
> MAC=ac:1f:6b:9b:85:06:30:85:a9:8e:b6:ab:08:00 SRC=<EXTERNAL_IP_ADDR>
> DST=10.215.144.48 LEN=103 TOS=0x00 PREC=0x00 TTL=63 ID=63665 DF
> PROTO=TCP SPT=443 DPT=58011 WINDOW=140 RES=0x00 ACK PSH FIN URGP=0
> 
> Why is this packet dropped?

This occurs when the conntrack entry for a connection has been deleted,
but the server still thinks that the connection is being shut down. It
is not a valid packet to start a new connection, so your rule in the NEW
section of the rules file doesn't apply.

>  I'm expecting it to be an HTTPS reply which should be allowed by the
> above rule.
> What can I do to debug this?

I work around this with the following rule in both the INVALID and NEW
sections of my rules file.

FIN(ACCEPT)     { SOURCE=all, DEST=all }

I also have this in the same two locations:

RST(ACCEPT)     { SOURCE=all, DEST=all }

-Tom
-- 
Tom Eastep        \ Q: What do you get when you cross a mobster
Shoreline,         \    with an international standard?
Washington, USA     \ A: Someone who makes you an offer you
http://shorewall.org \    can't understand
                      \________________________________________


_______________________________________________
Shorewall-users mailing list
Shorewall-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shorewall-users
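Before adding the FIN(ACCEPT)/RST(ACCEPT) workaround it helps to confirm that the dropped packets really are late teardown segments rather than something else reaching the wan-lan1 chain. The script below is an added example, not code from Tom Eastep or from the Shorewall project: it parses Shorewall kernel log lines of the form shown in the thread and tags a TCP drop as a late teardown segment when FIN or RST is set without SYN and the source port is one the policy allows as a server port. The sample lines are constructed; the external address from the thread is replaced with the RFC 5737 documentation address 203.0.113.10, and the second and third lines (a SYN and an RST) are invented for contrast. It assumes the default Shorewall behaviour in which ESTABLISHED traffic is accepted before the zone-to-zone rule chains run, so a packet logged from wan-lan1 had no usable conntrack entry.

```python
import re
from dataclasses import dataclass

# Constructed samples (assumption: 203.0.113.10 stands in for <EXTERNAL_IP_ADDR>).
LATE_FIN_LINE = (
    "kernel: Shorewall:wan-lan1:DROP:IN=wan OUT=lan.1 "
    "MAC=ac:1f:6b:9b:85:06:30:85:a9:8e:b6:ab:08:00 SRC=203.0.113.10 "
    "DST=10.215.144.48 LEN=103 TOS=0x00 PREC=0x00 TTL=63 ID=63665 DF "
    "PROTO=TCP SPT=443 DPT=58011 WINDOW=140 RES=0x00 ACK PSH FIN URGP=0"
)
SYN_LINE = (
    "kernel: Shorewall:wan-lan1:DROP:IN=wan OUT=lan.1 SRC=203.0.113.10 "
    "DST=10.215.144.48 LEN=60 PROTO=TCP SPT=40000 DPT=22 WINDOW=64240 RES=0x00 SYN URGP=0"
)
LATE_RST_LINE = (
    "kernel: Shorewall:wan-lan1:DROP:IN=wan OUT=lan.1 SRC=203.0.113.10 "
    "DST=10.215.144.48 LEN=40 PROTO=TCP SPT=80 DPT=58012 WINDOW=0 RES=0x00 ACK RST URGP=0"
)

# Bare tokens netfilter's LOG target emits for TCP flags; IP-level tokens
# such as DF are ignored by the parser.
TCP_FLAGS = {"SYN", "ACK", "FIN", "RST", "PSH", "URG", "ECE", "CWR"}


@dataclass
class LogEntry:
    chain: str        # e.g. "wan-lan1"
    disposition: str  # e.g. "DROP"
    fields: dict      # key=value tokens such as SRC, DST, PROTO, SPT, DPT
    flags: set        # TCP flag tokens present on the packet


def parse_shorewall_line(line):
    """Parse one 'Shorewall:<chain>:<disposition>:...' kernel log line."""
    m = re.search(r"Shorewall:([^:]+):([A-Z]+):(.*)$", line)
    if not m:
        raise ValueError("not a Shorewall log line")
    chain, disposition, rest = m.groups()
    fields, flags = {}, set()
    for tok in rest.split():
        if "=" in tok:
            key, value = tok.split("=", 1)
            fields[key] = value
        elif tok in TCP_FLAGS:
            flags.add(tok)
    return LogEntry(chain, disposition, fields, flags)


def classify(entry, allowed_server_ports=(80, 443)):
    """Tag a logged TCP drop.

    'late-teardown'  : FIN or RST without SYN, from an allowed server port;
                       a reply-direction segment whose conntrack entry is
                       already gone, which is what FIN(ACCEPT)/RST(ACCEPT)
                       in the INVALID and NEW sections is meant to handle.
    'new-connection' : a bare SYN, i.e. the NEW section rules decide it.
    'other'          : anything else; investigate before changing policy.
    """
    if entry.fields.get("PROTO") != "TCP":
        return "other"
    if "SYN" in entry.flags and "ACK" not in entry.flags:
        return "new-connection"
    if entry.flags & {"FIN", "RST"}:
        sport = int(entry.fields.get("SPT", "0"))
        if sport in allowed_server_ports:
            return "late-teardown"
    return "other"


def triage(lines, allowed_server_ports=(80, 443)):
    """Return (chain, source_port, tag) for each parsable Shorewall line."""
    results = []
    for line in lines:
        try:
            entry = parse_shorewall_line(line)
        except ValueError:
            continue
        results.append((entry.chain, entry.fields.get("SPT"),
                        classify(entry, allowed_server_ports)))
    return results


if __name__ == "__main__":
    for chain, sport, tag in triage([LATE_FIN_LINE, SYN_LINE, LATE_RST_LINE]):
        print(f"{chain} SPT={sport}: {tag}")
```

In practice you would feed it `journalctl -k` or `/var/log/messages` output filtered on "Shorewall:". A steady stream of late-teardown tags from ports 80 and 443 matches the diagnosis in the reply above; anything tagged other deserves a look before loosening the INVALID section.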
