Hello,

I am using Shorewall version 2.0.1 with kernel 2.4.20. Nightly, LogWatch emails a portion of the logs for my review. I notice that there are tons of dropped packets from port 445, some days as many as 7,000. See sample below:

From 24.226.192.22 - 2 packets
To 24.227.147.124 - 2 packets
Service: microsoft-ds (tcp/445) (Shorewall:net2all:DROP:,eth0,none) - 2 packets

My question is, what can I do to have these silently dropped and not log any drops from 445? I have reviewed anything that I could find on the website and the mailing list archive, but couldn't find anything about it. Maybe my search terms were bad; if so, apologies in advance. Can anyone point me in the right direction?

Thank you,
Bryan
Bryan Scott wrote:
| Hello,
|
| I am using Shorewall version 2.0.1 with kernel 2.4.20. Nightly,
| LogWatch emails a portion of the logs for my review. I notice that
| there are tons of dropped packets from port 445, some days as many as
| 7,000. See sample below:
|
| From 24.226.192.22 - 2 packets
| To 24.227.147.124 - 2 packets
| Service: microsoft-ds (tcp/445) (Shorewall:net2all:DROP:,eth0,none) - 2 packets
|
| My question is, what can I do to have these silently dropped and not
| log any drops from 445? I have reviewed anything that I could find on
| the website and the mailing list archive, but couldn't find anything
| about it. Maybe my search terms were bad; if so, apologies in advance.
| Can anyone point me in the right direction?

There is something very basic that is wrong with your configuration -- logging of traffic to TCP port 445 is suppressed by the default Shorewall 'Reject' and 'Drop' common actions.

-Tom

--
Tom Eastep      \ Nothing is foolproof to a sufficiently talented fool
Shoreline,       \ http://shorewall.net
Washington USA    \ teastep@shorewall.net
PGP Public Key     \ https://lists.shorewall.net/teastep.pgp.key
Tom Eastep wrote:
| Bryan Scott wrote:
| | Hello,
| |
| | I am using Shorewall version 2.0.1 with kernel 2.4.20. Nightly,
| | LogWatch emails a portion of the logs for my review. I notice that
| | there are tons of dropped packets from port 445, some days as many as
| | 7,000. See sample below:
| |
| | From 24.226.192.22 - 2 packets
| | To 24.227.147.124 - 2 packets
| | Service: microsoft-ds (tcp/445) (Shorewall:net2all:DROP:,eth0,none) - 2 packets
| |
| | My question is, what can I do to have these silently dropped and not
| | log any drops from 445? I have reviewed anything that I could find on
| | the website and the mailing list archive, but couldn't find anything
| | about it. Maybe my search terms were bad; if so, apologies in advance.
| | Can anyone point me in the right direction?
|
| There is something very basic that is wrong with your configuration --
| logging of traffic to TCP port 445 is suppressed by the default
| Shorewall 'Reject' and 'Drop' common actions.

What output does "shorewall show net2all" produce?

-Tom
Bryan Scott wrote:
| On Tue, 14 Sep 2004 07:25:01 -0700, Tom Eastep <teastep@shorewall.net> wrote:
| |
| | There is something very basic that is wrong with your configuration --
| | logging of traffic to TCP port 445 is suppressed by the default
| | Shorewall 'Reject' and 'Drop' common actions.
| |
| | What output does "shorewall show net2all" produce?
|
|> Shorewall-2.0.1 Chain net2all at bigdog.reydr.com - Tue Sep 14 09:42:23 CDT 2004
|>
|> Counters reset Tue Sep 14 09:40:18 CDT 2004
|>
|> Chain net2all (2 references)
|>  pkts bytes target  prot opt in  out  source     destination
|>     0     0 ACCEPT  all  --  *   *    0.0.0.0/0  0.0.0.0/0  state RELATED,ESTABLISHED
|>     0     0 Drop    all  --  *   *    0.0.0.0/0  0.0.0.0/0
|>     0     0 LOG     all  --  *   *    0.0.0.0/0  0.0.0.0/0  LOG flags 0 level 6 prefix `Shorewall:net2all:DROP:'
|>     0     0 DROP    all  --  *   *    0.0.0.0/0  0.0.0.0/0
|
|> Just a bit ago, I started researching basic functions that may have
|> affected the output. So I went and modified some of the action files
|> RejectSMB, DropSMB, and AllowSMB.

Please keep your replies on the list.

So are you saying that you had previously copied those action files to /etc/shorewall then modified them?

At any rate, it is expected that Drop will invoke DropSMB which silently drops TCP 445 before it reaches the LOG rule shown in the output above. So if you are seeing TCP 445 being logged by that rule, then something is amiss in Drop/DropSMB.

-Tom
On Tue, 14 Sep 2004 07:59:44 -0700, Tom Eastep <teastep@shorewall.net> wrote:
> Bryan Scott wrote:
> | On Tue, 14 Sep 2004 07:25:01 -0700, Tom Eastep <teastep@shorewall.net> wrote:
> | |
> | | There is something very basic that is wrong with your configuration --
> | | logging of traffic to TCP port 445 is suppressed by the default
> | | Shorewall 'Reject' and 'Drop' common actions.
> | |
> | | What output does "shorewall show net2all" produce?
> |
> |> Shorewall-2.0.1 Chain net2all at bigdog.reydr.com - Tue Sep 14 09:42:23 CDT 2004
> |>
> |> Counters reset Tue Sep 14 09:40:18 CDT 2004
> |>
> |> Chain net2all (2 references)
> |>  pkts bytes target  prot opt in  out  source     destination
> |>     0     0 ACCEPT  all  --  *   *    0.0.0.0/0  0.0.0.0/0  state RELATED,ESTABLISHED
> |>     0     0 Drop    all  --  *   *    0.0.0.0/0  0.0.0.0/0
> |>     0     0 LOG     all  --  *   *    0.0.0.0/0  0.0.0.0/0  LOG flags 0 level 6 prefix `Shorewall:net2all:DROP:'
> |>     0     0 DROP    all  --  *   *    0.0.0.0/0  0.0.0.0/0
> |
> |> Just a bit ago, I started researching basic functions that may have
> |> affected the output. So I went and modified some of the action files
> |> RejectSMB, DropSMB, and AllowSMB.
>
> Please keep your replies on the list.
>
> So are you saying that you had previously copied those action files to
> /etc/shorewall then modified them?

No, I modified them directly in /usr/share/shorewall. If I remember correctly, I modified them sometime in June or July when I was working on SAMBA. When you mentioned it was probably something basic, I went back and reviewed them and changed them, realizing that in my hasty changes to get SAMBA to work I may have modded them.

This is the latest:

DROP - - udp 135 etc....

Previously they were (I modified them, I think in June or July):

DROP net - udp 135 etc...

> At any rate, it is expected that Drop will invoke DropSMB which silently
> drops TCP 445 before it reaches the LOG rule shown in the output above.
> So if you are seeing TCP 445 being logged by that rule, then something
> is amiss in Drop/DropSMB.

Hopefully the latest change, 'back to original'?, will put me back to where I started from.

Thank you so much for Shorewall, and your commitment to supporting it.

-Bryan

> -Tom
Bryan Scott wrote:
| On Tue, 14 Sep 2004 07:59:44 -0700, Tom Eastep <teastep@shorewall.net> wrote:
|
| | So are you saying that you had previously copied those action files to
| | /etc/shorewall then modified them?
|
|> No, I modified them directly in /usr/share/shorewall.

Beware that if you modify *any* file in /usr/share/shorewall, your changes will be lost at the next upgrade. It is always advisable to copy a file that you want to change to /etc/shorewall and modify the copy.

-Tom
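A way to confirm, from the raw kernel log rather than the LogWatch digest, whether TCP 445 is still reaching the net2all LOG rule after the action files are restored. This is an added example, not code from the thread or from Shorewall; the log lines are constructed in the format the iptables LOG target writes, and the default SMB port set is an assumption covering only the two ports named in the thread.

```python
import re
from collections import Counter

# Constructed sample kernel-log lines: the Shorewall log prefix sits directly
# before the IN= field, exactly as the net2all LOG rule above would write it.
SAMPLE_LOG = """\
Sep 14 09:45:01 bigdog kernel: Shorewall:net2all:DROP:IN=eth0 OUT= SRC=24.226.192.22 DST=24.227.147.124 LEN=48 TOS=0x00 PREC=0x00 TTL=113 ID=1 DF PROTO=TCP SPT=3456 DPT=445 WINDOW=16384 RES=0x00 SYN URGP=0
Sep 14 09:45:02 bigdog kernel: Shorewall:net2all:DROP:IN=eth0 OUT= SRC=24.226.192.22 DST=24.227.147.124 LEN=48 TOS=0x00 PREC=0x00 TTL=113 ID=2 DF PROTO=TCP SPT=3457 DPT=445 WINDOW=16384 RES=0x00 SYN URGP=0
Sep 14 09:45:03 bigdog kernel: Shorewall:net2all:DROP:IN=eth0 OUT= SRC=10.0.0.5 DST=24.227.147.124 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=3 DF PROTO=TCP SPT=40000 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0
Sep 14 09:45:04 bigdog kernel: Shorewall:net2all:DROP:IN=eth0 OUT= SRC=10.0.0.6 DST=24.227.147.124 LEN=78 TOS=0x00 PREC=0x00 TTL=120 ID=4 PROTO=UDP SPT=1026 DPT=137 LEN=58
Sep 14 09:45:05 bigdog kernel: some unrelated kernel message
"""

# Prefix is "Shorewall:<chain>:<disposition>:"; DPT is absent for e.g. ICMP.
LOG_RE = re.compile(
    r"kernel: (?P<prefix>Shorewall:[^:]+:[^:]+:)IN=(?P<in>\S*) .*?"
    r"SRC=(?P<src>\S+) DST=(?P<dst>\S+) .*?PROTO=(?P<proto>\S+)"
    r"(?: .*?DPT=(?P<dpt>\d+))?"
)


def parse_line(line):
    """Return a dict for a Shorewall-logged packet, or None for other lines."""
    m = LOG_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["dpt"] = int(rec["dpt"]) if rec["dpt"] else None
    return rec


def summarise(log_text):
    """Count logged packets per (prefix, proto, dpt), like the LogWatch digest."""
    counts = Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec:
            counts[(rec["prefix"], rec["proto"], rec["dpt"])] += 1
    return counts


def smb_hits(log_text, smb_ports=(("TCP", 445), ("UDP", 135))):
    """Packets to ports DropSMB should have dropped silently before the LOG rule.
    Assumed default: only the two ports the thread names; extend it to match
    what your own action.DropSMB lists. Empty result means the fix worked."""
    wanted = set(smb_ports)
    return [r for r in (parse_line(l) for l in log_text.splitlines())
            if r and (r["proto"], r["dpt"]) in wanted]
```

Feed it the real log with `summarise(open("/var/log/messages").read())`; any entry for TCP 445 means the Drop/DropSMB chain is still not intercepting that traffic.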