On Wed, 4 May 2022 11:22:39 +0200
Vieri Di Paola <[email protected]> wrote:
> Hi,
>
> I use these rules in the INVALID and NEW sections of the rules file:
>
> FIN(ACCEPT) { SOURCE=all, DEST=all }
> RST(ACCEPT) { SOURCE=all, DEST=all }
How about explaining which problem you try to solve?
> according to a previous mailing list post:
>
> https://sourceforge.net/p/shorewall/mailman/shorewall-users/thread/CABLYT9j-KvM0JEwxoZ3xppoL5yxZqQe6qyEj0_wJJ8eecyE3nA%40mail.gmail.com/#msg37123538
>
> However, I'm still seeing ACK drops as noted in this other post:
>
> https://sourceforge.net/p/shorewall/mailman/message/37178313/
>
> e.g.:
> May 4 08:04:22 fw1 kernel: FWGW:wan-lan1:DROP:IN=wan OUT=lan.1
> MAC=ac:1f:6b:9b:85:06:30:85:a9:8e:b9:a0:08:00 SRC=23.200.66.154
> DST=10.215.248.214 LEN=40 TOS=0x00 PREC=0x00 TTL=63 ID=38801 DF
> PROTO=TCP SPT=443 DPT=64710 WINDOW=123 RES=0x00 ACK URGP=0
This is not FIN or RST. And you don't want to allow this type of
packet; those are so-called late replies, e.g. replies for connections
which are long gone.
> The shorewall rules man page does not explain how to use the curly
> brackets. What is the format of the content within these characters?
> I'm wondering if "SOURCE=all, DEST=all" is syntactically correct.
It is correct. https://shorewall.org/configuration_file_basics.htm#Pairs
> If so, why am I seeing these dropped ACK replies when I have no rules
> blocking them (e.g. lan1-wan HTTPS traffic from 10.215.248.214 to
> 23.200.66.154 is allowed, so I'm expecting the ACK not to be dropped)?
That is clearly an invalid packet. Older Shorewall versions dropped those
without any notification; the current default of DROP_DEFAULT doesn't log
those without logging. If you don't want to see those packets, add
dropInvalid to DROP_DEFAULT. It is that easy.
--
Tuomo Soini <[email protected]>
Foobar Linux services
+358 40 5240030
Foobar Oy <https://foobar.fi/>
_______________________________________________
Shorewall-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/shorewall-users
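An added example (my own code, not from the thread, Shorewall, or either poster) for checking the point made above: before adding FIN/RST rules or dropInvalid, confirm what the logged packets actually are. It parses netfilter log lines in the format quoted in the thread, pulls out the bare TCP flag tokens (CWR ECE URG ACK PSH RST SYN FIN, which the kernel prints between RES= and URGP=), and sorts each DROP into "fin", "rst", "ack-only" (a bare ACK with no matching conntrack entry, the late reply described in the reply) or other. The first sample line is the one from the thread; the remaining lines are constructed with documentation addresses. The parser only sees the log, not conntrack state, so an "ack-only" result marks a candidate late reply, not proof of one.

```python
import re
from collections import Counter

# Flag tokens netfilter prints between RES= and URGP= (bare words, any subset).
TCP_FLAGS = {"CWR", "ECE", "URG", "ACK", "PSH", "RST", "SYN", "FIN"}

# Everything after "kernel: " up to "IN=" is the iptables log prefix
# (Shorewall builds it from LOGFORMAT; here it is "FWGW:chain:disposition:").
LINE_RE = re.compile(r"kernel: (?P<prefix>.*?)IN=(?P<rest>.*)$")

# Constructed sample log. Line 1 is the line quoted in the thread; the others
# are made up (203.0.113.0/24 is a documentation range) to show each class.
MAC = "ac:1f:6b:9b:85:06:30:85:a9:8e:b9:a0:08:00"
SAMPLE_LOG = "\n".join([
    f"May 4 08:04:22 fw1 kernel: FWGW:wan-lan1:DROP:IN=wan OUT=lan.1 MAC={MAC} SRC=23.200.66.154 DST=10.215.248.214 LEN=40 TOS=0x00 PREC=0x00 TTL=63 ID=38801 DF PROTO=TCP SPT=443 DPT=64710 WINDOW=123 RES=0x00 ACK URGP=0",
    f"May 4 08:05:01 fw1 kernel: FWGW:wan-lan1:DROP:IN=wan OUT=lan.1 MAC={MAC} SRC=203.0.113.5 DST=10.215.248.214 LEN=40 TOS=0x00 PREC=0x00 TTL=63 ID=1 DF PROTO=TCP SPT=443 DPT=50000 WINDOW=0 RES=0x00 ACK FIN URGP=0",
    f"May 4 08:05:02 fw1 kernel: FWGW:wan-lan1:DROP:IN=wan OUT=lan.1 MAC={MAC} SRC=203.0.113.6 DST=10.215.248.214 LEN=40 TOS=0x00 PREC=0x00 TTL=63 ID=2 DF PROTO=TCP SPT=443 DPT=50001 WINDOW=0 RES=0x00 ACK RST URGP=0",
    f"May 4 08:05:03 fw1 kernel: FWGW:wan-lan1:DROP:IN=wan OUT=lan.1 MAC={MAC} SRC=203.0.113.7 DST=10.215.248.214 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=3 DF PROTO=UDP SPT=53 DPT=40000 LEN=40",
])


def parse_netfilter_line(line):
    """Return a dict of key=value fields plus a FLAGS frozenset, or None."""
    m = LINE_RE.search(line)
    if not m:
        return None
    fields = {"PREFIX": m.group("prefix").rstrip(":")}
    flags = set()
    for tok in ("IN=" + m.group("rest")).split():
        if "=" in tok:
            key, val = tok.split("=", 1)
            # UDP lines carry a second LEN= (payload); keep the IP header one.
            fields.setdefault(key, val)
        elif tok in TCP_FLAGS:
            flags.add(tok)
        else:
            fields[tok] = True  # bare markers such as DF / MF
    fields["FLAGS"] = frozenset(flags)
    return fields


def classify_drop(fields):
    """Say which kind of packet was dropped, by TCP flags alone."""
    if fields.get("PROTO") != "TCP":
        return "non-tcp"
    flags = fields["FLAGS"]
    if "RST" in flags:
        return "rst"        # the case RST(ACCEPT) in the INVALID section covers
    if "FIN" in flags:
        return "fin"        # the case FIN(ACCEPT) covers
    if "SYN" in flags:
        return "syn"
    if flags == {"ACK"}:
        return "ack-only"   # bare ACK with no conntrack entry: a late reply
    return "other"


def summarize(log_text):
    """Count DROP lines by class and list the ack-only socket pairs."""
    counts = Counter()
    late = []
    for line in log_text.splitlines():
        fields = parse_netfilter_line(line)
        if fields is None or not fields["PREFIX"].endswith("DROP"):
            continue
        cls = classify_drop(fields)
        counts[cls] += 1
        if cls == "ack-only":
            late.append((fields["SRC"], fields["SPT"], fields["DST"], fields["DPT"]))
    return counts, late


if __name__ == "__main__":
    counts, late = summarize(SAMPLE_LOG)
    for cls, n in sorted(counts.items()):
        print(f"{cls:9s} {n}")
    for src, spt, dst, dpt in late:
        print(f"candidate late reply {src}:{spt} -> {dst}:{dpt}")
```

Feed it the real log with `summarize(open("/var/log/kern.log").read())` after adjusting the prefix check to your LOGFORMAT. If the "fin" and "rst" buckets are empty and "ack-only" is not, the FIN/RST rules are not what is missing; the drops are the INVALID-state late replies the reply describes, and dropInvalid in DROP_DEFAULT is the switch that silences them.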