On Wed, 4 May 2022 11:22:39 +0200
Vieri Di Paola <vieridipa...@gmail.com> wrote:

> Hi,
> 
> I use these rules in the INVALID and NEW sections of the rules file:
> 
> FIN(ACCEPT)     { SOURCE=all, DEST=all }
> RST(ACCEPT)     { SOURCE=all, DEST=all }

How about explaining which problem you try to solve?

> according to a previous mailing list post:
> 
> https://sourceforge.net/p/shorewall/mailman/shorewall-users/thread/CABLYT9j-KvM0JEwxoZ3xppoL5yxZqQe6qyEj0_wJJ8eecyE3nA%40mail.gmail.com/#msg37123538
> 
> However, I'm still seeing ACK drops as noted in this other post:
> 
> https://sourceforge.net/p/shorewall/mailman/message/37178313/
> 
> eg.:
> May  4 08:04:22 fw1 kernel: FWGW:wan-lan1:DROP:IN=wan OUT=lan.1
> MAC=ac:1f:6b:9b:85:06:30:85:a9:8e:b9:a0:08:00 SRC=23.200.66.154
> DST=10.215.248.214 LEN=40 TOS=0x00 PREC=0x00 TTL=63 ID=38801 DF
> PROTO=TCP SPT=443 DPT=64710 WINDOW=123 RES=0x00 ACK URGP=0

This is not FIN or RST. And you don't want to allow this type of
packet; those are so-called late replies, e.g. replies for connections
which have been long gone.

> The shorewall rules man page does not explain how to use the curly
> brackets. What is the format of the content within these characters?
> I'm wondering if "SOURCE=all, DEST=all" is syntactically correct.

It is correct. https://shorewall.org/configuration_file_basics.htm#Pairs

> If so, why am I seeing these dropped ACK replies when I have no rules
> blocking them (eg. lan1-wan HTTPS traffic from 10.215.248.214 to
> 23.200.66.154 is allowed, so I'm expecting the ACK not to be dropped)?

That is clearly an invalid packet. Older Shorewall versions dropped those
without any notifications; the current default of DROP_DEFAULT doesn't log
those without logging. If you don't want to see those packets, add
dropInvalid to DROP_DEFAULT. It is that easy.

-- 
Tuomo Soini <t...@foobar.fi>
Foobar Linux services
+358 40 5240030
Foobar Oy <https://foobar.fi/>
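The bare-ACK drop Tuomo points to can be told apart from FIN and RST packets directly from the kernel log. The following Python is an added example, not code from this thread or from Shorewall: the sample lines are constructed (the first reproduces the quoted drop joined onto one line), and the category names and the "FWGW" prefix handling are this example's own assumptions.

```python
import re
from collections import Counter

# Constructed sample: line 1 is the drop quoted in the thread (re-joined onto one
# line); the FIN, RST and UDP lines are made up here to show the other cases.
SAMPLE_LOG = """\
May  4 08:04:22 fw1 kernel: FWGW:wan-lan1:DROP:IN=wan OUT=lan.1 MAC=ac:1f:6b:9b:85:06:30:85:a9:8e:b9:a0:08:00 SRC=23.200.66.154 DST=10.215.248.214 LEN=40 TOS=0x00 PREC=0x00 TTL=63 ID=38801 DF PROTO=TCP SPT=443 DPT=64710 WINDOW=123 RES=0x00 ACK URGP=0
May  4 08:04:30 fw1 kernel: FWGW:wan-lan1:DROP:IN=wan OUT=lan.1 MAC=ac:1f:6b:9b:85:06:30:85:a9:8e:b9:a0:08:00 SRC=23.200.66.154 DST=10.215.248.214 LEN=40 TOS=0x00 PREC=0x00 TTL=63 ID=38802 DF PROTO=TCP SPT=443 DPT=64710 WINDOW=123 RES=0x00 ACK FIN URGP=0
May  4 08:04:31 fw1 kernel: FWGW:wan-lan1:DROP:IN=wan OUT=lan.1 MAC=ac:1f:6b:9b:85:06:30:85:a9:8e:b9:a0:08:00 SRC=23.200.66.154 DST=10.215.248.214 LEN=40 TOS=0x00 PREC=0x00 TTL=63 ID=38803 DF PROTO=TCP SPT=443 DPT=64710 WINDOW=0 RES=0x00 RST URGP=0
May  4 08:04:35 fw1 kernel: FWGW:wan-lan1:DROP:IN=wan OUT=lan.1 MAC=ac:1f:6b:9b:85:06:30:85:a9:8e:b9:a0:08:00 SRC=23.200.66.154 DST=10.215.248.214 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=38804 DF PROTO=UDP SPT=53 DPT=40000 LEN=40
"""

# Shorewall log prefix "<prefix>:<chain>:<disposition>:" sits directly before IN=
PREFIX_RE = re.compile(r"kernel: (?P<prefix>[^\s:]+):(?P<chain>[^\s:]+):(?P<disp>[A-Z]+):(?=IN=)")
TCP_FLAGS = {"SYN", "ACK", "FIN", "RST", "PSH", "URG", "ECE", "CWR"}

def parse_line(line):
    """Return KEY=VALUE fields, chain/disposition and bare TCP flags, or None."""
    m = PREFIX_RE.search(line)
    if not m:
        return None
    rec = {"chain": m.group("chain"), "disposition": m.group("disp"), "flags": set()}
    for tok in line[m.end():].split():
        if "=" in tok:
            k, v = tok.split("=", 1)
            rec.setdefault(k, v)          # UDP lines repeat LEN; keep the IP one
        elif tok in TCP_FLAGS:            # bare tokens such as DF are IP flags
            rec["flags"].add(tok)
    return rec

def classify(rec):
    """Bucket a dropped packet by which rule from the thread would match it."""
    if rec.get("PROTO") != "TCP":
        return "non-tcp"
    flags = rec["flags"]
    if "RST" in flags:
        return "rst"        # matched by RST(ACCEPT)
    if "FIN" in flags:
        return "fin"        # matched by FIN(ACCEPT)
    if "ACK" in flags and "SYN" not in flags:
        return "late-ack"   # ACK with no conntrack entry: the "late reply"
    return "other"

def summarize(log_text):
    counts = Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec["disposition"] == "DROP":
            counts[classify(rec)] += 1
    return dict(counts)
```

Run `summarize()` over a real `/var/log/kern.log` extract to see how many of the logged drops are bare ACKs that no FIN/RST rule will ever match.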


_______________________________________________
Shorewall-users mailing list
Shorewall-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shorewall-users
