[Firehol-support] ACK RST on rejected services

Rich forums at artfulrobot.uk
Wed Mar 11 15:10:24 GMT 2015


 

Hello super-helpful and knowledgeable beings! 

So I think the pertinent part of my config looks like this: 

interface4 eth0 foo src $MY_LAN_SUBNET dst $MY_LAN_IP 

 policy reject 

 client all accept 

 server all reject 

The last line is there so we don't log the rejections. However, if I
then from another machine (10.67.5.4) on the LAN send a packet (e.g.
with netcat) to this then I still see in the logs: 

OUT-foo:IN= OUT=eth0 SRC=$MY_LAN_IP DST=10.67.5.4 LEN=40 TOS=0x00
PREC=0x00 TTL=64 ID=0 DF PROTO=TCP SPT=3306 DPT=55237 WINDOW=0 RES=0x00
ACK RST URGP=0 

there is no logging on the IN part, because of the "server all reject"
config. I would have expected that to also not log the reciprocal line
in the OUT chain? (because it's explicitly rejected) 

Is there a way to silence these in the logs? If it's rejected the
packet, why is there an ACK RST going back anyway? 

Thanks, 

Rich 

 


More information about the Firehol-support mailing list