[Firehol-support] ACK RST on rejected services
Rich
forums at artfulrobot.uk
Wed Mar 11 15:10:24 GMT 2015
Hello super-helpful and knowledgeable beings!
So I think the pertinent part of my config looks like this:
interface4 eth0 foo src $MY_LAN_SUBNET dst $MY_LAN_IP
    policy reject
    client all accept
    server all reject
The last line is there so we don't log the rejections. However, if I
then send a packet (e.g. with netcat) from another machine (10.67.5.4)
on the LAN to this one, I still see in the logs:
OUT-foo:IN= OUT=eth0 SRC=$MY_LAN_IP DST=10.67.5.4 LEN=40 TOS=0x00
PREC=0x00 TTL=64 ID=0 DF PROTO=TCP SPT=3306 DPT=55237 WINDOW=0 RES=0x00
ACK RST URGP=0
There is no logging on the IN part, because of the "server all reject"
config. I would have expected that to also not log the reciprocal line
in the OUT chain (because it's explicitly rejected)?
Is there a way to silence these in the logs? If it has rejected the
packet, why is there an ACK RST going back anyway?
Thanks,
Rich
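As an added example (not part of the original post or of FireHOL itself): a small parser for the netfilter log format shown above, plus a heuristic that flags the kernel-generated reset a REJECT rule sends back and pairs it with the inbound attempt it answers. The sample lines and the 10.67.5.1 address are constructed; a 40-byte ACK RST with WINDOW=0 and ID=0 is what Linux emits for a TCP reject.

```python
import re

# Constructed sample lines modelled on the OUT-foo line in the post
# (10.67.5.1 stands in for $MY_LAN_IP; the inbound SYN line is invented).
SAMPLE_LOGS = [
    "IN-foo:IN=eth0 OUT= SRC=10.67.5.4 DST=10.67.5.1 LEN=60 TOS=0x00 PREC=0x00 "
    "TTL=64 ID=41337 DF PROTO=TCP SPT=55237 DPT=3306 WINDOW=29200 RES=0x00 SYN URGP=0",
    "OUT-foo:IN= OUT=eth0 SRC=10.67.5.1 DST=10.67.5.4 LEN=40 TOS=0x00 PREC=0x00 "
    "TTL=64 ID=0 DF PROTO=TCP SPT=3306 DPT=55237 WINDOW=0 RES=0x00 ACK RST URGP=0",
]

KEY_VALUE = re.compile(r"^([A-Z]+)=(.*)$")


def parse_nflog(line):
    """Split one LOG-target line into {field: value}; bare tokens (DF, SYN, ACK, RST...)
    are collected in the FLAGS set and the rule prefix is stored under PREFIX."""
    prefix, _, rest = line.partition(":")
    rec = {"PREFIX": prefix, "FLAGS": set()}
    for tok in rest.split():
        m = KEY_VALUE.match(tok)
        if m:
            rec[m.group(1)] = m.group(2)   # empty value for "IN=" is kept as ""
        else:
            rec["FLAGS"].add(tok)
    return rec


def is_reject_reset(rec):
    """Heuristic for a reset generated by the kernel's REJECT target rather than by a
    socket: RST+ACK without SYN, zero window, IP ID 0, and exactly 20+20 header bytes."""
    return (rec.get("PROTO") == "TCP"
            and {"ACK", "RST"} <= rec["FLAGS"] and "SYN" not in rec["FLAGS"]
            and rec.get("WINDOW") == "0"
            and rec.get("ID") == "0"
            and rec.get("LEN") == "40")


def is_reply_to(rst, inbound):
    """True when `rst` answers `inbound`: same hosts and ports, swapped."""
    return (rst.get("SRC") == inbound.get("DST") and rst.get("DST") == inbound.get("SRC")
            and rst.get("SPT") == inbound.get("DPT") and rst.get("DPT") == inbound.get("SPT"))


def reject_pairs(lines):
    """Return (inbound, reset) record pairs for every logged reject reset that can be
    matched to an earlier logged inbound packet."""
    recs = [parse_nflog(l) for l in lines]
    pairs = []
    for i, rec in enumerate(recs):
        if is_reject_reset(rec):
            for earlier in recs[:i]:
                if is_reply_to(rec, earlier):
                    pairs.append((earlier, rec))
    return pairs
```

Running `reject_pairs(SAMPLE_LOGS)` ties the OUT-foo reset to the inbound attempt it answers, which is the noise the post wants to suppress.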