Hi, I'm running shorewall-2.0.8-1mdk with iptables-1.2.9-7.1.101mdk on kernel-2.4.22-30mdk, Mandrake 10.1 (kernel-2.6.8.1.10mdk-1-1mdk is installed, but I haven't rebooted yet). I get a significant number of newnotsyn packet denials from existing, valid connections. Most of these seem to be on port 80 and port 25, and directionality doesn't seem to matter (I run public web and mail services on the firewall). Web and mail seem to work fine despite the drops, so it's not enough to actually stop TCP... I'm not sure if this is because of retransmits or if the packets were never actually dropped, just logged as such. The behavior is intermittent enough that it's difficult to catch with tethereal.

[jack@felix jack]$ sudo grep -rin newnotsyn /etc/shorewall/ | grep -v \#
/etc/shorewall/interfaces:128:inside eth1 detect newnotsyn
/etc/shorewall/interfaces:129:inside eth2 detect newnotsyn
/etc/shorewall/interfaces:130:inside eth3 detect newnotsyn
/etc/shorewall/shorewall.conf:147:LOGNEWNOTSYN=debug
/etc/shorewall/shorewall.conf:435:NEWNOTSYN=No

These three interfaces are the "inside" zone, eth0 is the Internet. I haven't found anything relevant by searching the shorewall.net documentation, but I could certainly take a STFW pointer.

thanks,
--
Jack at Monkeynoodle dot Org: It's a Scientific Venture...
Riding the Emergency Third Rail Power Trip since 1996!
On Wed, 2004-12-29 at 15:28 -0800, Jack Coates wrote:
> I get a significant number of newnotsyn packet denials from existing,
> valid connections. Most of these seem to be on port 80 and port 25, and
> directionality doesn't seem to matter (I run public web and mail
> services on the firewall).

If you don't like the messages then don't use NEWNOTSYN=No. In a perfect network, NEWNOTSYN=No is a reasonable idea; alas, the Internet is far from perfect. I offer NEWNOTSYN=No because people read books about firewalling and think that they have to have it; once they see it in action, they usually change their mind.

-Tom
--
Tom Eastep      \ Nothing is foolproof to a sufficiently talented fool
Shoreline,       \ http://shorewall.net
Washington USA    \ teastep@shorewall.net
PGP Public Key     \ https://lists.shorewall.net/teastep.pgp.key
On Wed, 2004-12-29 at 15:34 -0800, Tom Eastep wrote:
> On Wed, 2004-12-29 at 15:28 -0800, Jack Coates wrote:
> > I get a significant number of newnotsyn packet denials from existing,
> > valid connections. Most of these seem to be on port 80 and port 25, and
> > directionality doesn't seem to matter (I run public web and mail
> > services on the firewall).
>
> If you don't like the messages then don't use NEWNOTSYN=No. In a perfect
> network, NEWNOTSYN=No is a reasonable idea; alas, the Internet is far
> from perfect. I offer NEWNOTSYN=No because people read books about
> firewalling and think that they have to have it; once they see it in
> action, they usually change their mind.

Note that the default value of NEWNOTSYN was changed to "Yes" in 2.0.9.

-Tom
Tom Eastep wrote:
> On Wed, 2004-12-29 at 15:28 -0800, Jack Coates wrote:
>> I get a significant number of newnotsyn packet denials from existing,
>> valid connections. Most of these seem to be on port 80 and port 25, and
>> directionality doesn't seem to matter (I run public web and mail
>> services on the firewall).
>
> If you don't like the messages then don't use NEWNOTSYN=No. In a perfect
> network, NEWNOTSYN=No is a reasonable idea; alas, the Internet is far
> from perfect. I offer NEWNOTSYN=No because people read books about
> firewalling and think that they have to have it; once they see it in
> action, they usually change their mind.
>
> -Tom

sensible enough. Back when I was much deeper into firewalls it could be done reasonably well on Check Point, but even then they'd break it with every patch as often as not.

thanks,
-- Jack
On Wed, 2004-12-29 at 15:39 -0800, Jack Coates wrote:
> > If you don't like the messages then don't use NEWNOTSYN=No. In a perfect
> > network, NEWNOTSYN=No is a reasonable idea; alas, the Internet is far
> > from perfect. I offer NEWNOTSYN=No because people read books about
> > firewalling and think that they have to have it; once they see it in
> > action, they usually change their mind.
> >
> > -Tom
>
> sensible enough. Back when I was much deeper into firewalls it could be
> done reasonably well on Check Point, but even then they'd break it with
> every patch as often as not.

I played with this for quite a while -- I could get pretty reasonable behavior but at a cost of taking most of the teeth out of NEWNOTSYN=Yes. I concluded that most of the benefits of NEWNOTSYN=Yes could be achieved with much less impact using the 'tcpflags' interface option.

-Tom
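As an added example (not from the thread, and not Shorewall's own code), a Python script that triages the kernel log lines LOGNEWNOTSYN=debug produces: it separates packets with flag combinations no real TCP stack sends (the kind the 'tcpflags' option catches on its own) from ordinary mid-stream packets of connections that conntrack has lost state for, which are the denials Jack is seeing. The log prefix "Shorewall:newnotsyn:DROP:", the sample lines and the addresses are constructed, and the flag checks are assumed to be in the spirit of tcpflags rather than Shorewall's exact rule set.

```python
import re
from collections import Counter

# Constructed sample lines in iptables LOG format (chain prefix, host and addresses made up).
SAMPLE_LOG = """\
Dec 29 15:20:01 felix kernel: Shorewall:newnotsyn:DROP:IN=eth0 OUT= SRC=203.0.113.7 DST=198.51.100.2 TTL=54 ID=0 DF PROTO=TCP SPT=35122 DPT=80 WINDOW=0 RES=0x00 ACK URGP=0
Dec 29 15:20:03 felix kernel: Shorewall:newnotsyn:DROP:IN=eth0 OUT= SRC=203.0.113.9 DST=198.51.100.2 TTL=49 ID=0 DF PROTO=TCP SPT=4431 DPT=25 WINDOW=0 RES=0x00 ACK FIN URGP=0
Dec 29 15:20:05 felix kernel: Shorewall:newnotsyn:DROP:IN=eth1 OUT=eth0 SRC=192.168.1.20 DST=203.0.113.50 TTL=63 ID=0 DF PROTO=TCP SPT=1045 DPT=80 WINDOW=0 RES=0x00 RST URGP=0
Dec 29 15:20:09 felix kernel: Shorewall:newnotsyn:DROP:IN=eth0 OUT= SRC=203.0.113.77 DST=198.51.100.2 TTL=40 ID=0 DF PROTO=TCP SPT=61000 DPT=80 WINDOW=0 RES=0x00 SYN FIN URGP=0
Dec 29 15:20:12 felix kernel: Shorewall:newnotsyn:DROP:IN=eth0 OUT= SRC=203.0.113.78 DST=198.51.100.2 TTL=40 ID=0 DF PROTO=TCP SPT=61001 DPT=25 WINDOW=0 RES=0x00 URGP=0
"""

TCP_FLAGS = {"SYN", "ACK", "FIN", "RST", "PSH", "URG", "CWR", "ECE"}
KV = re.compile(r"\b([A-Z]+)=(\S*)")

def parse(line):
    # KEY=VALUE fields, plus the set flags, which LOG prints as bare words between RES= and URGP=
    fields = dict(KV.findall(line))
    flags = {tok for tok in line.split() if tok in TCP_FLAGS}
    return fields, flags

def classify(flags):
    # Combinations no conforming TCP stack sends, in the spirit of the 'tcpflags' interface
    # option (assumed checks, not Shorewall's exact rule set): tcpflags would drop these anyway.
    bogus = (not flags                                    # null packet
             or {"SYN", "FIN"} <= flags                   # SYN+FIN
             or {"SYN", "RST"} <= flags                   # SYN+RST
             or {"FIN", "URG", "PSH"} <= flags            # Xmas
             or ("FIN" in flags and "ACK" not in flags))  # FIN without ACK
    if bogus:
        return "bogus-flags"
    # Ordinary mid-stream packet whose connection conntrack has no state for: the NEWNOTSYN=No cost.
    return "stale-tcp" if "SYN" not in flags else "other"

def triage(log_text):
    # Count newnotsyn denials per class, and the stale ones per (direction, service port).
    by_class, stale_by_service = Counter(), Counter()
    for line in log_text.splitlines():
        if ":newnotsyn:" not in line:
            continue
        fields, flags = parse(line)
        if fields.get("PROTO") != "TCP":
            continue
        kind = classify(flags)
        by_class[kind] += 1
        if kind == "stale-tcp":
            direction = "inbound" if fields.get("OUT", "") == "" else "forwarded"
            service = min(int(fields["SPT"]), int(fields["DPT"]))  # well-known side of the flow
            stale_by_service[(direction, service)] += 1
    return by_class, stale_by_service
```

Run against the sample, three of the five denials are plain ACK/RST traffic that only NEWNOTSYN=No would have dropped, while the other two would have been caught by flag sanity checks alone.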
Tom Eastep wrote:
> On Wed, 2004-12-29 at 15:39 -0800, Jack Coates wrote:
>>> If you don't like the messages then don't use NEWNOTSYN=No. In a perfect
>>> network, NEWNOTSYN=No is a reasonable idea; alas, the Internet is far
>>> from perfect. I offer NEWNOTSYN=No because people read books about
>>> firewalling and think that they have to have it; once they see it in
>>> action, they usually change their mind.
>>>
>>> -Tom
>>
>> sensible enough. Back when I was much deeper into firewalls it could be
>> done reasonably well on Check Point, but even then they'd break it with
>> every patch as often as not.
>
> I played with this for quite a while -- I could get pretty reasonable
> behavior but at a cost of taking most of the teeth out of NEWNOTSYN=Yes.
> I concluded that most of the benefits of NEWNOTSYN=Yes could be achieved
> with much less impact using the 'tcpflags' interface option.

I don't think so. The truth is that you have to play a lot with it to get it to work as desired. We've got a somewhat complicated network: the firewall has 5 ethernet interfaces, about a hundred openvpn clients, internal routers in the LAN and more external zones. But once you are able to use NEWNOTSYN=No, you probably have a much better understanding of your own network, maybe after a bit of redesign using different subnets and default routes around your router. In a simple case NEWNOTSYN=No is usually not a problem; in a more complex case you probably don't understand all the packet paths in advance (it turns out that something is not working), but after everything is working it's a good tool. Maybe there are some rare extreme network setups where it's not usable, but IMHO in most cases it's a good thing. But that's just my 2c :-)

--
Levente "Si vis pacem para bellum!"