On 03/06/2012 08:16 PM, J. Randall Owens wrote:
> I've been rather annoyed by the RFC1918 packets showing up on the public
> (kind of, it's complicated) side of my NAT router. I found some good
> summaries of the problem and its cause:
>
> http://ubuntuforums.org/archive/index.php/t-1689959.html
> http://bugzilla.netfilter.org/show_bug.cgi?id=693
> http://www.smythies.com/~doug/network/iptables_notes/index.html
>
> The best fix seems to be adding one of these lines to the FORWARD table,
> depending on your preferred approach:
> -A FORWARD -i $INTIF -p tcp -m state --state INVALID -j DROP
> -A FORWARD -i $INTIF -p tcp ! --syn -m state --state NEW -j DROP
>
> I know shorewall produces an Invalid table, which is called from the
> Drop & Reject tables, but those are only called after a packet has
> failed to match most of the rules (but just before the final DROP rule,
> at least in the table I'm looking at right now, probably per
> /etc/shorewall/policy file).
>
> Can a rule be inserted in one of the ALL/ESTABLISHED/RELATED/NEW
> sections of /etc/shorewall/rules in such a way that it will only apply
> to INVALID packets? I don't think so, unless there's some convoluted
> logic that can apply it to INVALID but not the other states that fit in
> the NEW section. If not, what is the best way to get a rule with a
> similar effect in my tables? I see no way to put a state match directly
> in a rule entry in /etc/shorewall/rules, either.
>
> For reference, I'm still using 4.4.23.3 both on the machine I use for
> man pages, and on the router. I think the router may have still been
> 4.4.17 last time I did a shorewall restart.
>
Shorewall has two actions that will do what you want: action.Invalid and
action.NotSyn. Both take two parameters:
- action (required) - must be ACCEPT, DROP, or REJECT
- audit (optional) - If supplied, must be 'audit' and causes the
action to be audited.
Invalid packets are passed through the rules in the NEW section, so you
can use these actions there (or in the ALL section).
-Tom
--
Tom Eastep \ When I die, I want to go like my Grandfather who
Shoreline, \ died peacefully in his sleep. Not screaming like
Washington, USA \ all of the passengers in his car
http://shorewall.net \________________________________________________
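A concrete /etc/shorewall/rules fragment for the case in the original question, written as an added example here rather than taken from the thread or from the Shorewall distribution. It assumes the 4.4-era `SECTION NEW` syntax and the zone names `loc` (LAN side) and `net` (public side) from the Shorewall three-interface sample; substitute your own zones. Invalid(...) matches any protocol unless the PROTO column narrows it, so the tcp restriction of the original iptables rules is added explicitly where wanted:

```text
#ACTION              SOURCE    DEST    PROTO
SECTION NEW
# Drop packets that conntrack classifies as INVALID when they leave the
# LAN zone. Placed in the NEW section so they are matched before any
# ACCEPT rule or the loc->net policy can forward them.
Invalid(DROP)        loc       net     tcp
# Drop TCP packets that conntrack sees as NEW but that do not carry SYN,
# the equivalent of '-p tcp ! --syn -m state --state NEW -j DROP'.
NotSyn(DROP)         loc       net     tcp
# Same as above but audited (needs a kernel and iptables with the AUDIT
# target); use instead of the plain form, not in addition to it.
#Invalid(DROP,audit) loc       net     tcp
#NotSyn(DROP,audit)  loc       net     tcp
```

Run `shorewall check` before `shorewall restart` to have the configuration compiled without loading it. Afterwards the generated rules can be inspected with `shorewall show loc2net`, assuming the standard `<source>2<dest>` chain naming for the loc->net pair; the new entries should sit near the top of that chain, ahead of the rules that accept outbound traffic.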