Hi, I''ve been using Shorewall with satisfaction for some two years now. A few days ago I decided to try to tighten the configuration as much I could. This meant changing the OUTPUT policy to REJECT, and RELATED_DISPOSITION to DROP, while the INPUT policy has been set to REJECT. And, well, I ran into the following problem: Whenever a TCP connection attempt is to be rejected, a related TCP RST packet is sent. With RELATED_DISPOSITION set to DROP, this reply is dropped, leading to long timeouts. Is there currently any way to include a rule in the related section of the shorewall-rules file that allows outgoing TCP RST packets without using Perl? I''m really not a Perl programmer whatsoever... Two example syslog messages: [2012-05-06 18:10:05] hq [kernel/-] [kern.debug]: SW:fw2net:LOG:REL2POL IN= OUT=eth0 SRC=79.170.93.130 DST=79.1.157.73 LEN=40 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=TCP SPT=23 DPT=2794 WINDOW=0 RES=0x00 ACK RST URGP=0 [2012-05-06 18:10:05] hq [kernel/-] [kern.debug]: SW:+fw2net:ACCEPT:IN= OUT=eth0 SRC=79.170.93.130 DST=79.1.157.73 LEN=40 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=TCP SPT=23 DPT=2794 WINDOW=0 RES=0x00 ACK RST URGP=0 The first message is a log rule at the end of the related section of the rules file, and the second (I think) is about the same connection attempt and the result of RELATED_LOG_LEVEL=debug in shorewall.conf. As you can see, I''ve changed RELATED_DISPOSITION to ACCEPT right now, since that is the easiest solution for now. Thank you for your time, Sascha Sanches ------------------------------------------------------------------------------ Live Security Virtual Conference Exclusive live event will cover all the ways today''s security and threat landscape has changed and how IT managers can respond. Discussions will include endpoint security, mobile security and the latest in malware threats. http://www.accelacomm.com/jaw/sfrnl04242012/114/50122263/
On 5/6/12 9:35 AM, Sascha Sanches wrote:> Hi, > > I''ve been using Shorewall with satisfaction for some two years now. A few > days ago I decided to try to tighten the configuration as much I could. This > meant changing the OUTPUT policy to REJECT, and RELATED_DISPOSITION to DROP, > while the INPUT policy has been set to REJECT. And, well, I ran into the > following problem: > > Whenever a TCP connection attempt is to be rejected, a related TCP RST > packet is sent. With RELATED_DISPOSITION set to DROP, this reply is dropped, > leading to long timeouts. > > Is there currently any way to include a rule in the related section of the > shorewall-rules file that allows outgoing TCP RST packets without using > Perl? I''m really not a Perl programmer whatsoever... > > Two example syslog messages: > > [2012-05-06 18:10:05] hq [kernel/-] [kern.debug]: SW:fw2net:LOG:REL2POL IN= > OUT=eth0 SRC=79.170.93.130 DST=79.1.157.73 LEN=40 TOS=0x00 PREC=0x00 TTL=64 > ID=0 DF PROTO=TCP SPT=23 DPT=2794 WINDOW=0 RES=0x00 ACK RST URGP=0 > [2012-05-06 18:10:05] hq [kernel/-] [kern.debug]: SW:+fw2net:ACCEPT:IN= > OUT=eth0 SRC=79.170.93.130 DST=79.1.157.73 LEN=40 TOS=0x00 PREC=0x00 TTL=64 > ID=0 DF PROTO=TCP SPT=23 DPT=2794 WINDOW=0 RES=0x00 ACK RST URGP=0 > > The first message is a log rule at the end of the related section of the > rules file, and the second (I think) is about the same connection attempt > and the result of RELATED_LOG_LEVEL=debug in shorewall.conf. As you can see, > I''ve changed RELATED_DISPOSITION to ACCEPT right now, since that is the > easiest solution for now.Here''s an action that matches RSTs. Be sure that you use the tcpflags option with this. -Tom PS -- be sure to add the action to your /etc/shorewall/actions file. -- Tom Eastep \ When I die, I want to go like my Grandfather who Shoreline, \ died peacefully in his sleep. Not screaming like Washington, USA \ all of the passengers in his car http://shorewall.net \________________________________________________ ------------------------------------------------------------------------------ Live Security Virtual Conference Exclusive live event will cover all the ways today''s security and threat landscape has changed and how IT managers can respond. Discussions will include endpoint security, mobile security and the latest in malware threats. http://www.accelacomm.com/jaw/sfrnl04242012/114/50122263/
> From: Tom Eastep > Sent: Sunday, May 06, 2012 9:11 PM > To: shorewall-users@lists.sourceforge.net > Subject: Re: [Shorewall-users] Output policy DROP > withRELATED_DISPOSITION=DROP > > On 5/6/12 9:35 AM, Sascha Sanches wrote: > > Hi, > > > > I''ve been using Shorewall with satisfaction for some two years now. A > > few > > days ago I decided to try to tighten the configuration as much I could. > > This > > meant changing the OUTPUT policy to REJECT, and RELATED_DISPOSITION to > > DROP, > > while the INPUT policy has been set to REJECT. And, well, I ran into the > > following problem: > > > > Whenever a TCP connection attempt is to be rejected, a related TCP RST > > packet is sent. With RELATED_DISPOSITION set to DROP, this reply is > > dropped, > > leading to long timeouts. > > > > Is there currently any way to include a rule in the related section of > > the > > shorewall-rules file that allows outgoing TCP RST packets without using > > Perl? I''m really not a Perl programmer whatsoever... > > > > Two example syslog messages: > > > > [2012-05-06 18:10:05] hq [kernel/-] [kern.debug]: SW:fw2net:LOG:REL2POL > > IN> > OUT=eth0 SRC=79.170.93.130 DST=79.1.157.73 LEN=40 TOS=0x00 PREC=0x00 > > TTL=64 > > ID=0 DF PROTO=TCP SPT=23 DPT=2794 WINDOW=0 RES=0x00 ACK RST URGP=0 > > [2012-05-06 18:10:05] hq [kernel/-] [kern.debug]: SW:+fw2net:ACCEPT:IN> > OUT=eth0 SRC=79.170.93.130 DST=79.1.157.73 LEN=40 TOS=0x00 PREC=0x00 > > TTL=64 > > ID=0 DF PROTO=TCP SPT=23 DPT=2794 WINDOW=0 RES=0x00 ACK RST URGP=0 > > > > The first message is a log rule at the end of the related section of the > > rules file, and the second (I think) is about the same connection > > attempt > > and the result of RELATED_LOG_LEVEL=debug in shorewall.conf. As you can > > see, > > I''ve changed RELATED_DISPOSITION to ACCEPT right now, since that is the > > easiest solution for now. > > Here''s an action that matches RSTs. Be sure that you use the tcpflags > option with this. > > -Tom > > PS -- be sure to add the action to your /etc/shorewall/actions file. > -- > Tom Eastep \ When I die, I want to go like my Grandfather who > Shoreline, \ died peacefully in his sleep. Not screaming like > Washington, USA \ all of the passengers in his car > http://shorewall.net \________________________________________________Hello Tom, Many thanks, your solution works perfectly!! Sascha. ------------------------------------------------------------------------------ Live Security Virtual Conference Exclusive live event will cover all the ways today''s security and threat landscape has changed and how IT managers can respond. Discussions will include endpoint security, mobile security and the latest in malware threats. http://www.accelacomm.com/jaw/sfrnl04242012/114/50122263/