On Wed, 4 May 2022 11:22:39 +0200 Vieri Di Paola <vieridipa...@gmail.com> wrote:
> Hi,
>
> I use these rules in the INVALID and NEW sections of the rules file:
>
> FIN(ACCEPT) { SOURCE=all, DEST=all }
> RST(ACCEPT) { SOURCE=all, DEST=all }

How about explaining which problem you try to solve?

> according to a previous mailing list post:
>
> https://sourceforge.net/p/shorewall/mailman/shorewall-users/thread/CABLYT9j-KvM0JEwxoZ3xppoL5yxZqQe6qyEj0_wJJ8eecyE3nA%40mail.gmail.com/#msg37123538
>
> However, I'm still seeing ACK drops as noted in this other post:
>
> https://sourceforge.net/p/shorewall/mailman/message/37178313/
>
> e.g.:
> May 4 08:04:22 fw1 kernel: FWGW:wan-lan1:DROP:IN=wan OUT=lan.1
> MAC=ac:1f:6b:9b:85:06:30:85:a9:8e:b9:a0:08:00 SRC=23.200.66.154
> DST=10.215.248.214 LEN=40 TOS=0x00 PREC=0x00 TTL=63 ID=38801 DF
> PROTO=TCP SPT=443 DPT=64710 WINDOW=123 RES=0x00 ACK URGP=0

This is not FIN or RST. And you don't want to allow this type of packet; those are so-called late replies, e.g. replies for connections which have been long gone.

> The shorewall rules man page does not explain how to use the curly
> brackets. What is the format of the content within these characters?
> I'm wondering if "SOURCE=all, DEST=all" is syntactically correct.

It is correct.

https://shorewall.org/configuration_file_basics.htm#Pairs

> If so, why am I seeing these dropped ACK replies when I have no rules
> blocking them (e.g. lan1-wan HTTPS traffic from 10.215.248.214 to
> 23.200.66.154 is allowed, so I'm expecting the ACK not to be dropped)?

That is clearly an invalid packet. Older Shorewall versions dropped those without any notification; the current default of DROP_DEFAULT doesn't log those without logging. If you don't want to see those packets, add dropInvalid to DROP_DEFAULT. It is that easy.

-- 
Tuomo Soini <t...@foobar.fi>
Foobar Linux services
+358 40 5240030
Foobar Oy <https://foobar.fi/>
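The point Tuomo makes is that the logged packet carries only the ACK flag, so FIN(ACCEPT) and RST(ACCEPT) rules in the INVALID section can never match it. Before adding dropInvalid to DROP_DEFAULT to silence the log, it helps to see what the INVALID drops in your log actually are. The triage script below is an added example written for this thread; it is not Shorewall's own code or the code of either poster. It parses netfilter log lines of the shape shown above, classifies each dropped TCP packet by its flags, and tallies them per chain. The first sample line is the one quoted in the thread; the remaining lines (hosts, ports, flags) are constructed for illustration and are not from the page. Nothing here depends on Shorewall internals: it only reads the kernel's LOG output, whatever LOGFORMAT prefix you use.

```python
import re
import sys
from collections import Counter

# netfilter prints TCP flags as bare words between RES= and URGP=; these are
# the ones it knows. Anything else without "=" (e.g. DF) is not a flag.
TCP_FLAGS = {"CWR", "ECE", "URG", "ACK", "PSH", "RST", "SYN", "FIN"}

# Constructed sample: line 1 is the drop quoted in the thread, the rest are
# invented variants (documentation addresses, shortened MAC field) so that the
# classifier has FIN, RST, SYN and non-TCP cases to work on.
SAMPLE_LOG = """\
May 4 08:04:22 fw1 kernel: FWGW:wan-lan1:DROP:IN=wan OUT=lan.1 MAC=ac:1f:6b:9b:85:06:30:85:a9:8e:b9:a0:08:00 SRC=23.200.66.154 DST=10.215.248.214 LEN=40 TOS=0x00 PREC=0x00 TTL=63 ID=38801 DF PROTO=TCP SPT=443 DPT=64710 WINDOW=123 RES=0x00 ACK URGP=0
May 4 08:05:01 fw1 kernel: FWGW:wan-lan1:DROP:IN=wan OUT=lan.1 MAC=... SRC=198.51.100.7 DST=10.215.248.214 LEN=40 TOS=0x00 PREC=0x00 TTL=57 ID=1 DF PROTO=TCP SPT=443 DPT=50001 WINDOW=0 RES=0x00 ACK FIN URGP=0
May 4 08:05:03 fw1 kernel: FWGW:wan-lan1:DROP:IN=wan OUT=lan.1 MAC=... SRC=198.51.100.7 DST=10.215.248.214 LEN=40 TOS=0x00 PREC=0x00 TTL=57 ID=2 DF PROTO=TCP SPT=443 DPT=50001 WINDOW=0 RES=0x00 ACK RST URGP=0
May 4 08:05:09 fw1 kernel: FWGW:net-fw:DROP:IN=wan OUT= MAC=... SRC=203.0.113.9 DST=192.0.2.1 LEN=40 TOS=0x00 PREC=0x00 TTL=49 ID=3 DF PROTO=TCP SPT=40000 DPT=22 WINDOW=1024 RES=0x00 SYN URGP=0
May 4 08:05:11 fw1 kernel: FWGW:net-fw:DROP:IN=wan OUT= MAC=... SRC=203.0.113.9 DST=192.0.2.1 LEN=60 TOS=0x00 PREC=0x00 TTL=49 ID=4 PROTO=UDP SPT=40000 DPT=53 LEN=40
"""

# "kernel: <prefix>:IN=..." -- the prefix is whatever Shorewall's LOGFORMAT
# produced, here "FWGW:<chain>:<disposition>" (assumed from the thread's line).
PREFIX_RE = re.compile(r"kernel:\s+(?P<prefix>\S+?):IN=")
KV_RE = re.compile(r"(\w+)=(\S*)")


def parse_line(line):
    """Return a dict with chain, disposition, key=value fields and TCP flags,
    or None if the line is not a netfilter LOG line."""
    m = PREFIX_RE.search(line)
    if not m:
        return None
    parts = m.group("prefix").split(":")
    fields = dict(KV_RE.findall(line))  # later keys (e.g. a second LEN=) win
    flags = {tok for tok in line.split() if tok in TCP_FLAGS}
    return {
        "chain": parts[-2] if len(parts) >= 2 else "",
        "disposition": parts[-1],
        "proto": fields.get("PROTO", ""),
        "src": fields.get("SRC", ""),
        "dst": fields.get("DST", ""),
        "flags": flags,
    }


def classify(rec):
    """Name the kind of packet so you can see which of your INVALID-section
    rules (FIN(...), RST(...)) could possibly have matched it."""
    if rec["proto"] != "TCP":
        return "non-tcp"
    f = rec["flags"]
    if "RST" in f:
        return "rst"
    if "FIN" in f:
        return "fin"
    if "SYN" in f:
        return "syn-ack" if "ACK" in f else "syn"
    if "ACK" in f:
        # Bare ACK (optionally with PSH): a stray segment for a connection
        # conntrack no longer tracks, i.e. the "late reply" from the thread.
        return "late-ack"
    return "other"


def summarize(text):
    """Count dropped packets per (chain, class) over a block of log text."""
    counts = Counter()
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["disposition"] != "DROP":
            continue
        counts[(rec["chain"], classify(rec))] += 1
    return counts


if __name__ == "__main__":
    data = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_LOG
    for (chain, kind), n in sorted(summarize(data).items()):
        print(f"{chain:12} {kind:10} {n}")
```

Run it as `grep DROP /var/log/kern.log | python3 triage.py` on a real box, or with no input to see the constructed sample. A large late-ack bucket with no fin/rst entries tells you the FIN()/RST() rules are irrelevant to what is being logged, which is the situation in the thread.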