[Firehol-support] ACK RST on rejected services

Tsaousis, Costa costa at tsaousis.gr
Wed Mar 11 17:01:48 GMT 2015


Hm... interesting...

This is what happens:

1. Your client sends the TCP SYN packet
2. The firewall receives this TCP SYN packet and matches the rule to reject it
3. Since rejection is requested, the firewall should respond with a
TCP-RESET message to prevent timeout.
4. The firewall tries to send this TCP-RESET (ACK-RST), but...
5. It is not allowed to do so, by the policy...
6. Which logs it.

I'll try to look into it and come back with a solution.

Costa


On Wed, Mar 11, 2015 at 5:10 PM, Rich <forums at artfulrobot.uk> wrote:
>
>
> Hello super-helpful and knowledgeable beings!
>
> So I think the pertinent part of my config looks like this:
>
> interface4 eth0 foo src $MY_LAN_SUBNET dst $MY_LAN_IP
>
>  policy reject
>
>  client all accept
>
>  server all reject
>
> The last line is there so we don't log the rejections. However, if I
> then from another machine (10.67.5.4) on the LAN send a packet (e.g.
> with netcat) to this then I still see in the logs:
>
> OUT-foo:IN= OUT=eth0 SRC=$MY_LAN_IP DST=10.67.5.4 LEN=40 TOS=0x00
> PREC=0x00 TTL=64 ID=0 DF PROTO=TCP SPT=3306 DPT=55237 WINDOW=0 RES=0x00
> ACK RST URGP=0
>
> There is no logging on the IN part, because of the "server all reject"
> config. I would have expected that to also not log the reciprocal line
> in the OUT chain (because it's explicitly rejected)?
>
> Is there a way to silence these in the logs? If it rejected the
> packet, why is there an ACK RST going back anyway?
>
> Thanks,
>
> Rich
>
>
> _______________________________________________
> Firehol-support mailing list
> Firehol-support at lists.firehol.org
> http://lists.firehol.org/mailman/listinfo/firehol-support
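As an added example (not from this thread and not FireHOL code), here is a small Python parser for the netfilter LOG line format Rich quoted, with a heuristic that picks out the kernel-generated ACK RST replies Costa describes in his steps 3-6, so they can be counted or filtered out of the log instead of being silenced blindly. The sample lines, the field names and the heuristic thresholds are assumptions drawn from the one log line in the thread.

```python
import re

# Constructed sample lines in the netfilter LOG format quoted in the thread
# (addresses are made up; $MY_LAN_IP replaced by 10.67.5.1).
SAMPLE_LOG = """\
OUT-foo:IN= OUT=eth0 SRC=10.67.5.1 DST=10.67.5.4 LEN=40 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=TCP SPT=3306 DPT=55237 WINDOW=0 RES=0x00 ACK RST URGP=0
IN-foo:IN=eth0 OUT= SRC=10.67.5.4 DST=10.67.5.1 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=12345 DF PROTO=TCP SPT=55237 DPT=3306 WINDOW=29200 RES=0x00 SYN URGP=0
OUT-foo:IN= OUT=eth0 SRC=10.67.5.1 DST=10.67.5.4 LEN=52 TOS=0x00 PREC=0x00 TTL=64 ID=4431 DF PROTO=TCP SPT=22 DPT=40000 WINDOW=229 RES=0x00 ACK URGP=0
"""

TCP_FLAGS = {"SYN", "ACK", "RST", "FIN", "PSH", "URG"}


def parse_log_line(line):
    """Split one LOG line into (prefix, key=value fields, set of TCP flags)."""
    prefix, _, rest = line.partition(":")
    fields, flags = {}, set()
    for tok in rest.split():
        if "=" in tok:
            key, value = tok.split("=", 1)
            fields[key] = value          # IN= / OUT= yield "" for the unused side
        elif tok in TCP_FLAGS:
            flags.add(tok)
        else:
            fields[tok] = True           # bare markers such as DF
    return prefix, fields, flags


def is_reject_reset(line):
    """Heuristic (an assumption, not a FireHOL rule): an outbound TCP packet
    with flags exactly ACK+RST, zero window and a bare 40-byte header is the
    stack's own reset answering a SYN that a REJECT rule turned away."""
    _, f, flags = parse_log_line(line)
    return (f.get("PROTO") == "TCP"
            and f.get("IN") == "" and bool(f.get("OUT"))
            and flags == {"ACK", "RST"}
            and f.get("WINDOW") == "0"
            and f.get("LEN") == "40")


def reject_resets(log_text):
    """Return only the lines that look like rejection resets."""
    return [l for l in log_text.splitlines() if is_reject_reset(l)]


if __name__ == "__main__":
    for l in reject_resets(SAMPLE_LOG):
        _, f, _ = parse_log_line(l)
        print("reset for rejected port", f["SPT"], "->", f["DST"])
```

Matching lines can then be dropped from a syslog filter or counted per service port to see which rejected services trigger them.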


