[Firehol-support] ACK RST on rejected services

Tsaousis, Costa costa at tsaousis.gr
Wed Mar 11 21:55:55 CET 2015


OK. I just pushed the fix to github.

Thanks for reporting it.

To get the latest firehol do this:

git clone https://github.com/ktsaou/firehol.git firehol.git

The above will create directory firehol.git. FireHOL is sbin/firehol.in
You can run it from there.

Costa


On Wed, Mar 11, 2015 at 7:01 PM, Tsaousis, Costa <costa at tsaousis.gr> wrote:
> Hm... interesting...
>
> This is what happens:
>
> 1. Your client sends the TCP SYN packet
> 2. The firewall receives this TCP SYN packet and matches the rule to reject it
> 3. Since rejection is requested, the firewall should respond with a
> TCP-RESET message to prevent timeout.
> 4. The firewall tries to send this TCP-RESET (ACK-RST), but...
> 5. It is not allowed to do so, by the policy...
> 6. Which logs it.
>
> I'll try to look into it and come back with a solution.
>
> Costa
>
>
> On Wed, Mar 11, 2015 at 5:10 PM, Rich <forums at artfulrobot.uk> wrote:
>>
>>
>> Hello super-helpful and knowledgeable beings!
>>
>> So I think the pertinent part of my config looks like this:
>>
>> interface4 eth0 foo src $MY_LAN_SUBNET dst $MY_LAN_IP
>>
>>  policy reject
>>
>>  client all accept
>>
>>  server all reject
>>
>> The last line is there so we don't log the rejections. However, if I
>> then from another machine (10.67.5.4) on the LAN send a packet (e.g.
>> with netcat) to this then I still see in the logs:
>>
>> OUT-foo:IN= OUT=eth0 SRC=$MY_LAN_IP DST=10.67.5.4 LEN=40 TOS=0x00
>> PREC=0x00 TTL=64 ID=0 DF PROTO=TCP SPT=3306 DPT=55237 WINDOW=0 RES=0x00
>> ACK RST URGP=0
>>
>> there is no logging on the IN part, because of the "server all reject"
>> config. I would have expected that to also not log the reciprocal line
>> in the OUT chain? (because it's explicitly rejected)
>>
>> Is there a way to silence these in the logs? If it has rejected the
>> packet, why is there an ACK RST going back anyway?
>>
>> Thanks,
>>
>> Rich
>>
>>
>> _______________________________________________
>> Firehol-support mailing list
>> Firehol-support at lists.firehol.org
>> http://lists.firehol.org/mailman/listinfo/firehol-support
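The log line Rich quotes is the TCP RST that the kernel itself generates on behalf of the REJECT rule (outbound, ACK+RST, zero window, IP ID 0, bare 40-byte header), which the OUT chain's policy then logs. Before the FireHOL fix lands, or when triaging older logs, it helps to be able to tell those self-inflicted lines apart from real outbound traffic. The following is an added example for this thread, not FireHOL project code: a small parser for the netfilter LOG format shown above, a classifier that recognises reject-generated resets by the fingerprint visible in the quoted line, and a summary counter. The sample log lines are constructed to match that format (addresses are placeholders), and the assumption that the line starts directly with the FireHOL prefix (no syslog timestamp) is the example's own.

```python
"""Classify netfilter/FireHOL LOG lines and flag the RST/ACK segments the
kernel emits for a REJECT target (example code, not FireHOL's own)."""
from typing import Dict, List, Set

# Bare tokens netfilter prints without an '=' (IP and TCP flag words).
FLAG_WORDS = {"DF", "MF", "SYN", "ACK", "RST", "FIN", "PSH", "URG", "CWR", "ECE"}

# Constructed sample lines in the format quoted in the thread. Line 1 is the
# kernel-generated reset for a rejected MySQL (3306) probe; line 2 is a real
# outbound SYN from a local process; line 3 is inbound UDP (two LEN= fields).
SAMPLE_LOG = """\
OUT-foo:IN= OUT=eth0 SRC=192.0.2.10 DST=10.67.5.4 LEN=40 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=TCP SPT=3306 DPT=55237 WINDOW=0 RES=0x00 ACK RST URGP=0
OUT-foo:IN= OUT=eth0 SRC=192.0.2.10 DST=10.67.5.4 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=12345 DF PROTO=TCP SPT=44321 DPT=22 WINDOW=29200 RES=0x00 SYN URGP=0
IN-foo:IN=eth0 OUT= SRC=10.67.5.4 DST=192.0.2.10 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=777 DF PROTO=UDP SPT=5353 DPT=5353 LEN=40
"""


def parse_log_line(line: str) -> Dict[str, object]:
    """Split one LOG line into its prefix, key=value fields and flag words.

    Assumes the line begins with the FireHOL prefix ('OUT-foo:'); strip any
    syslog header first if your collector adds one.
    """
    prefix, _, rest = line.partition(":")
    fields: Dict[str, str] = {}
    flags: Set[str] = set()
    for token in rest.split():
        if "=" in token:
            key, _, value = token.partition("=")
            # UDP lines carry LEN= twice (IP length, then UDP length);
            # keep the first so LEN always means the IP total length.
            fields.setdefault(key, value)
        elif token in FLAG_WORDS:
            flags.add(token)
    return {"prefix": prefix.strip(), "fields": fields, "flags": flags}


def is_reject_reset(entry: Dict[str, object]) -> bool:
    """True for the reset the kernel sends in answer to a REJECTed SYN.

    Fingerprint taken from the line quoted in the thread: outbound only,
    TCP with ACK and RST set, zero window, IP ID 0, and LEN=40 (an IP
    header plus a TCP header with no payload). A local process closing a
    connection produces a different picture (non-zero ID, usually a window).
    """
    f: Dict[str, str] = entry["fields"]  # type: ignore[assignment]
    flags: Set[str] = entry["flags"]  # type: ignore[assignment]
    return (
        f.get("OUT", "") != ""
        and f.get("IN", "") == ""
        and f.get("PROTO") == "TCP"
        and {"ACK", "RST"} <= flags
        and f.get("WINDOW") == "0"
        and f.get("ID") == "0"
        and f.get("LEN") == "40"
    )


def classify(log_text: str) -> List[Dict[str, str]]:
    """Label every non-empty line as 'reject-rst' or 'other' for triage."""
    results = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        entry = parse_log_line(line)
        fields: Dict[str, str] = entry["fields"]  # type: ignore[assignment]
        results.append({
            "prefix": entry["prefix"],
            "proto": fields.get("PROTO", "?"),
            "src": f"{fields.get('SRC', '?')}:{fields.get('SPT', '-')}",
            "dst": f"{fields.get('DST', '?')}:{fields.get('DPT', '-')}",
            "kind": "reject-rst" if is_reject_reset(entry) else "other",
        })
    return results


def summarize(log_text: str) -> Dict[str, int]:
    """Count lines per kind so the noise from reject resets is visible at a glance."""
    counts: Dict[str, int] = {}
    for row in classify(log_text):
        counts[row["kind"]] = counts.get(row["kind"], 0) + 1
    return counts


if __name__ == "__main__":
    for row in classify(SAMPLE_LOG):
        print(f"{row['kind']:10s} {row['prefix']:8s} {row['proto']:4s} {row['src']} -> {row['dst']}")
    print(summarize(SAMPLE_LOG))
```

The `kind` field is what you would filter on in a log pipeline: lines tagged `reject-rst` are the firewall answering a probe it already rejected (in Rich's case the rejected port shows up as `SPT=3306`), so they carry no new information beyond the inbound event that triggered them, while `other` lines in the OUT chain are the ones still worth reading.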