On 06/21/2018 01:43 PM, Brian J. Murrell wrote:
> On Thu, 2018-06-21 at 12:14 -0400, Brian J. Murrell wrote:
>> Hi,
>>
>> Since upgrading from 5.1.12 to 5.2.0 on the machine that I build
>> firewall rulesets for my shorewall-lite-running-router, I have seen a
>> massive increase in RST and FIN packets being logged
> 
> Having had a moment to look at the differences in the policy built by
> the two versions, I believe the significant difference is the replacing
> of the Drop and Reject chains, both of which had:
> 
> -A Drop -m conntrack --ctstate INVALID -j DROP
> 
> in them, with the inline rules:
> 
> -A INPUT -p 1 --icmp-type 3/4 -j ACCEPT -m comment --comment "Needed ICMP types"
> -A INPUT -p 1 --icmp-type 11 -j ACCEPT -m comment --comment "Needed ICMP types"
> -A INPUT -m addrtype --dst-type BROADCAST -j DROP
> -A INPUT -m addrtype --dst-type ANYCAST -j DROP
> -A INPUT -m addrtype --dst-type MULTICAST -j DROP
> 
> The latter does not have the "-m conntrack --ctstate INVALID" handling
> which DROPped or REJECTed those packets without logging them.
> 
> I guess this is part of the blurb in the MIGRATION ISSUES:
> 
>    It should also be noted that, in prior releases, Drop and Reject
>    silently dropped more traffic than their replacements. As a
>    consequence, you will see more traffic being logged with Shorewall
>    5.2 than you did on earlier releases. The translations performed
>    by 'update' can be extended after the update to drop additional
>    traffic as desired.

That is correct.

> 
> So the solution for the missing
> 
> -A Drop -m conntrack --ctstate INVALID -j DROP
> 
> seems to be to add dropInvalid to the DROP_DEFAULT and REJECT_DEFAULT
> policies as such:
> 
> DROP_DEFAULT="AllowICMPs,Broadcast(DROP),Multicast(DROP),dropInvalid"
> REJECT_DEFAULT="AllowICMPs,Broadcast(DROP),Multicast(DROP),dropInvalid"

Or do as I do (and as the sample configs do) and include this rule early
in your rules file:

#       Don't allow connection pickup from the net
#
Invalid(DROP)   net             all             tcp

> 
> But I also am noticing other "noise suppression" policy such as:
> 
> -A Drop -p 17 -m multiport --dports 135,445 -j DROP -m comment --comment "SMB"
> -A Drop -p 17 --dport 137:139 -j DROP -m comment --comment "SMB"
> -A Drop -p 17 --dport 1024:65535 --sport 137 -j DROP -m comment --comment "SMB"
> -A Drop -p 6 -m multiport --dports 135,139,445 -j DROP -m comment --comment "SMB"
> -A Drop -p 17 --dport 1900 -j DROP -m comment --comment "UPnP"
> -A Drop -p 6 ! --syn -j DROP
> -A Drop -p 17 --sport 53 -j DROP -m comment --comment "Late DNS Replies"
> 
> But without actions for them.  Are these no longer going to be
> expressible as a policy action but instead need to be put into rules?

The problem with Drop and Reject is that they would completely mask some
DOS attacks. So our philosophy now is that the default should not
silently drop packets that might be part of such attacks.

You can certainly create your own action that does exactly what you want
a policy action to do.

-Tom

-- 
Tom Eastep        \   Q: What do you get when you cross a mobster with
Shoreline,         \     an international standard?
Washington, USA     \ A: Someone who makes you an offer you can't
http://shorewall.org \   understand
                      \_______________________________________________
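One way to act on Tom's suggestion of writing your own action, as an added example that is not from this thread or from the Shorewall project: a hypothetical action file named MyDrop that restores the silent discards of the pre-5.2 Drop chain quoted above, using the builtin dropInvalid and dropNotSyn actions plus explicit DROP rules for the same ports. It re-introduces the masking of possible DoS traffic that Tom describes, so it trades log noise for visibility.

```shorewall
# /etc/shorewall/action.MyDrop  (hypothetical name, constructed for this example)
# Register it with a line "MyDrop" in /etc/shorewall/actions, then use it as a
# policy action, e.g. DROP_DEFAULT="MyDrop" in shorewall.conf or
#   net   $FW   DROP   info   -   MyDrop   in the policy file.
#ACTION          SOURCE  DEST    PROTO   DPORT         SPORT
# Critical ICMP (fragmentation-needed 3/4, time-exceeded 11) still gets through
AllowICMPs       -       -       icmp
# Broadcast and multicast noise: drop without logging (same as 5.2 default)
Broadcast(DROP)
Multicast(DROP)
# The rule the 5.2 translation lost: silently discard conntrack INVALID packets
dropInvalid
# Microsoft SMB/NetBIOS chatter (ports from the old Drop chain)
DROP             -       -       udp     135,445
DROP             -       -       udp     137:139
DROP             -       -       udp     1024:65535    137
DROP             -       -       tcp     135,139,445
# UPnP discovery
DROP             -       -       udp     1900
# TCP packets without SYN that belong to no tracked connection
dropNotSyn       -       -       tcp
# Late DNS replies (source port 53)
DROP             -       -       udp     -             53
```

Anything not matched by these rules falls through to the policy's own LOG/DROP, so the things Tom wants to stay visible are still logged.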