Hello, all:

I have a rule allowing TCP traffic on port 22 for SSH, which works well and I have no problems accessing the server via SSH. However, some packets are getting dropped; here are a few of them:

Jun 30 20:48:37 apollo kernel: Shorewall:badpkt:DROP:IN=eth0 OUT= MAC=08:00:20:7b:e7:51:00:60:40:fd:29:5e:08:00 SRC=168.234.145.79 DST=200.30.141.30 LEN=76 TOS=0x10 PREC=0x00 TTL=120 ID=23577 DF PROTO=TCP SPT=1862 DPT=22 WINDOW=16728 RES=0x00 ACK PSH URGP=0
Jun 30 20:48:38 apollo kernel: Shorewall:badpkt:DROP:IN=eth0 OUT= MAC=08:00:20:7b:e7:51:00:60:40:fd:29:5e:08:00 SRC=168.234.145.79 DST=200.30.141.30 LEN=76 TOS=0x10 PREC=0x00 TTL=120 ID=23578 DF PROTO=TCP SPT=1862 DPT=22 WINDOW=16728 RES=0x00 ACK PSH URGP=0
Jun 30 20:48:38 apollo kernel: Shorewall:badpkt:DROP:IN=eth0 OUT= MAC=08:00:20:7b:e7:51:00:60:40:fd:29:5e:08:00 SRC=168.234.145.79 DST=200.30.141.30 LEN=76 TOS=0x10 PREC=0x00 TTL=120 ID=23579 DF PROTO=TCP SPT=1862 DPT=22 WINDOW=16728 RES=0x00 ACK PSH URGP=0
Jun 30 20:48:38 apollo kernel: Shorewall:badpkt:DROP:IN=eth0 OUT= MAC=08:00:20:7b:e7:51:00:60:40:fd:29:5e:08:00 SRC=168.234.145.79 DST=200.30.141.30 LEN=76 TOS=0x10 PREC=0x00 TTL=120 ID=23580 DF PROTO=TCP SPT=1862 DPT=22 WINDOW=16728 RES=0x00 ACK PSH URGP=0
Jun 30 20:48:39 apollo kernel: Shorewall:badpkt:DROP:IN=eth0 OUT= MAC=08:00:20:7b:e7:51:00:60:40:fd:29:5e:08:00 SRC=168.234.145.79 DST=200.30.141.30 LEN=76 TOS=0x10 PREC=0x00 TTL=120 ID=23581 DF PROTO=TCP SPT=1862 DPT=22 WINDOW=16728 RES=0x00 ACK PSH URGP=0

Am I correct in assuming that "badpkt" means that the packet was dropped because of some problem in the packet itself? Is it OK not to worry about these?

--
Rodolfo J. Paiz
rpaiz@simpaticus.com
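The log lines above carry enough to triage the question without guessing: the Shorewall prefix names the chain (badpkt) and disposition (DROP), and the bare tokens at the end are the TCP flags. Every dropped packet is ACK+PSH with no SYN, from one source port, with consecutive IP IDs, which is the signature of data segments of an already open SSH session rather than of new connection attempts. An ACCEPT rule for port 22 never sees such packets if a packet-sanity check earlier in the ruleset drops them first. The following parser and summariser is an added example written for this thread (not Shorewall code and not from the poster); the sample log is a constructed copy of three of the lines quoted above plus one constructed non-firewall line to show that it is skipped.

```python
"""Triage helper for Shorewall/netfilter DROP log lines (added example, not Shorewall's code)."""
import re
from collections import Counter, defaultdict

# Constructed sample: three of the lines quoted in the original post, plus one
# constructed kernel message that is not a firewall log line at all.
SAMPLE_LOG = """\
Jun 30 20:48:37 apollo kernel: Shorewall:badpkt:DROP:IN=eth0 OUT= MAC=08:00:20:7b:e7:51:00:60:40:fd:29:5e:08:00 SRC=168.234.145.79 DST=200.30.141.30 LEN=76 TOS=0x10 PREC=0x00 TTL=120 ID=23577 DF PROTO=TCP SPT=1862 DPT=22 WINDOW=16728 RES=0x00 ACK PSH URGP=0
Jun 30 20:48:38 apollo kernel: Shorewall:badpkt:DROP:IN=eth0 OUT= MAC=08:00:20:7b:e7:51:00:60:40:fd:29:5e:08:00 SRC=168.234.145.79 DST=200.30.141.30 LEN=76 TOS=0x10 PREC=0x00 TTL=120 ID=23578 DF PROTO=TCP SPT=1862 DPT=22 WINDOW=16728 RES=0x00 ACK PSH URGP=0
Jun 30 20:48:38 apollo kernel: Shorewall:badpkt:DROP:IN=eth0 OUT= MAC=08:00:20:7b:e7:51:00:60:40:fd:29:5e:08:00 SRC=168.234.145.79 DST=200.30.141.30 LEN=76 TOS=0x10 PREC=0x00 TTL=120 ID=23579 DF PROTO=TCP SPT=1862 DPT=22 WINDOW=16728 RES=0x00 ACK PSH URGP=0
Jun 30 20:48:40 apollo kernel: eth0: link up
"""

TCP_FLAGS = {"SYN", "ACK", "PSH", "FIN", "RST", "URG"}
# Shorewall's log prefix is "Shorewall:<chain>:<disposition>:" followed by
# netfilter's key=value fields and bare flag tokens (DF, ACK, PSH, ...).
PREFIX_RE = re.compile(r"kernel: Shorewall:(?P<chain>[^:]+):(?P<disp>[^:]+):(?P<rest>.*)$")


def parse_line(line):
    """Return a dict of fields for one Shorewall log line, or None if the line is not one."""
    m = PREFIX_RE.search(line)
    if not m:
        return None
    rec = {"chain": m.group("chain"), "disposition": m.group("disp"),
           "flags": set(), "df": False}
    for tok in m.group("rest").split():
        if "=" in tok:                 # key=value field; OUT= legitimately has an empty value
            key, value = tok.split("=", 1)
            rec[key] = value
        elif tok in TCP_FLAGS:         # bare TCP flag tokens
            rec["flags"].add(tok)
        elif tok == "DF":              # IP don't-fragment bit
            rec["df"] = True
    return rec


def classify_flags(flags):
    """Label a TCP flag set the way an analyst would read it."""
    if "SYN" in flags and "ACK" not in flags:
        return "new connection attempt"
    if "SYN" in flags and "ACK" in flags:
        return "handshake reply"
    if "ACK" in flags:
        return "mid-stream segment of an already open connection"
    if not flags:
        return "no flags set (null packet)"
    return "unusual flag combination"


def summarize(log_text):
    """Group TCP drops by (chain, disposition, source, destination, destination port)."""
    groups = defaultdict(lambda: {"count": 0, "flag_sets": Counter(), "ip_ids": []})
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec.get("PROTO") != "TCP":
            continue
        key = (rec["chain"], rec["disposition"], rec["SRC"], rec["DST"], rec["DPT"])
        g = groups[key]
        g["count"] += 1
        g["flag_sets"][" ".join(sorted(rec["flags"]))] += 1
        g["ip_ids"].append(int(rec["ID"]))
    return dict(groups)


def ids_consecutive(ip_ids):
    """True when the IP IDs form an unbroken run: one host sending one steady stream."""
    return bool(ip_ids) and ip_ids == list(range(ip_ids[0], ip_ids[0] + len(ip_ids)))


def report(log_text):
    """One human-readable triage line per group and flag combination."""
    lines = []
    for (chain, disp, src, dst, dpt), g in summarize(log_text).items():
        for flags, n in g["flag_sets"].items():
            lines.append(f"{chain}/{disp}: {n} x {src} -> {dst}:{dpt} [{flags}] "
                         f"{classify_flags(set(flags.split()))}; "
                         f"IP IDs consecutive={ids_consecutive(g['ip_ids'])}")
    return lines


if __name__ == "__main__":
    for entry in report(SAMPLE_LOG):
        print(entry)
```

Run against the sample, the report shows a single group: badpkt/DROP, three segments from 168.234.145.79 to port 22, flags ACK PSH, consecutive IP IDs. Drops in a chain that precedes the ACCEPT rules, on a port the rules allow, with no SYN in sight, point at a packet-sanity check firing on live session traffic rather than at anything hostile; a reviewer would look at which interface options (such as dropunclean or tcpflags) feed that chain before deciding whether the drops are harmless.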
On Tue, 2003-07-01 at 09:43, Rodolfo J. Paiz wrote:
>
> Am I correct in assuming that "badpkt" means that the packet was dropped
> because of some problem in the packet itself? Is it OK not to worry about
> these?

It means that you have set the ''dropunclean'' option on an interface on a production firewall. I strongly advise against doing that!

-Tom
--
Tom Eastep      \ Shorewall - iptables made easy
Shoreline,      \ http://www.shorewall.net
Washington USA  \ teastep@shorewall.net
On Tue, 2003-07-01 at 10:02, Rodolfo J. Paiz wrote:
>
> This is not a firewall but a standalone server. However, it _is_ a
> production machine. Why is "dropunclean" a bad thing? (Not arguing against,
> just learning.)

In my opinion, the implementation of the ''unclean'' match in netfilter is broken.

-Tom
--
Tom Eastep      \ Shorewall - iptables made easy
Shoreline,      \ http://www.shorewall.net
Washington USA  \ teastep@shorewall.net
On Tue, 2003-07-01 at 10:09, Rodolfo J. Paiz wrote:
>
> As a followup to my other message, is "tcpflags" also discouraged? I am
> also using that on the external interface, under the assumption that this
> may help stop some types of attacks.

Yes -- I recommend using that option.

-Tom
--
Tom Eastep      \ Shorewall - iptables made easy
Shoreline,      \ http://www.shorewall.net
Washington USA  \ teastep@shorewall.net