[Firehol-support] Blocked Traffic from port 993 and 443

Phil Whineray phil at firehol.org
Wed Jun 29 17:43:34 BST 2016


On Wed, Jun 29, 2016 at 04:15:18PM +0200, Daniel Heckl wrote:
> I have set FIREHOL_DROP_ORPHAN_TCP_ACK_FIN="1". The problem is still there. Another idea?

Can you be clear about what you think the problem is?

The log line you showed before is an RST packet, not an ACK-FIN packet,
so you need to set the appropriate variable.

The packets will be blocked regardless, only the logging is suppressed.

> "lsof -i :993" returns no (CLOSE_WAIT)-Ports, "lsof -i :443" returns 11 (CLOSE_WAIT)-Ports...

This is therefore not affected by changing these variables.

My understanding of CLOSE_WAIT is that a process has been told the
connection is closed by the other end (e.g. a FIN was received) but
it has not yet closed the socket locally.

This means in your case that these are not likely to be related to the
delivery or non-delivery of orphan packets. The connection is being
closed, the netfilter connection tracker knows this but the process
which owns the socket is misbehaving (or at least taking some time).

> Here is a snippet of my firehol.conf
> 
> # Require release 6 of FireHOL configuration directives
> version 6
> 
> # log
> FIREHOL_LOG_PREFIX="firehol: "
> FIREHOL_DROP_ORPHAN_TCP_ACK_FIN="1"
> 
> ...
> 
> # NIC connected with internet and lan
> nic="eth0"
> 
> ...
> 
> interface "${nic}" lan src4 "${lan} ${openvpn} ${l2tp}" src6 fc00::/7
>         server ipv6error accept
>         client ipv6neigh accept
>         server ipv6neigh accept
>         server ssh accept
>         server http accept
>         server https accept
>         server httpalt accept
>         server ICMP accept
>         server ICMPV6 accept
>         client all accept
> 
> interface "${nic}" internet
>         server ipv6error accept
>         client ipv6neigh accept
>         server ipv6neigh accept
>         client ipv6router accept
>         server submission accept
>         client submission accept
>         server smtp accept
>         client smtp accept
>         server smtps accept
>         client smtps accept
>         server imap accept
>         client imap accept
>         server imaps accept
>         client imaps accept
>         client ICMP accept
>         client ICMPV6 accept
>         server httpalt accept
>         client httpalt accept
>         client http accept
>         client https accept
>         client snmp accept
>         client ntp accept
>         client ftp accept
>         client ssh accept
>         client traceroute accept
>         client dns accept
> Thanks
> Daniel
> 
> > On 29.06.2016 at 14:54, Phil Whineray <phil at firehol.org> wrote:
> > 
> > Hi
> > 
> > On Wed, Jun 29, 2016 at 12:02:38PM +0200, Daniel Heckl wrote:
> >> firehol/iptables blocks frequent traffic from our Google IMAP Server and one update server with port 443.
> >> 
> >> e.g.:
> >> firehol: IN-internet:IN=eth0 OUT= MAC=00:21:5e:69:e6:3d:xx:xx:xx:xx:xx:xx:xx:xx SRC=64.233.xxx.xxx DST=10.xx.xx.xx LEN=40 TOS=0x00 PREC=0x00 TTL=48 ID=63784 PROTO=TCP SPT=993 DPT=58917 WINDOW=0 RES=0x00 RST URGP=0 
> >> 
> >> snippet from my firehol.conf:
> >> interface eth1 internet
> >>         ...
> >>         server imaps accept
> >>         client imaps accept
> >>         client https accept
> >>         ...
> >> 
> >> The opened ports for the https connection are in status (CLOSE_WAIT).
> >> 
> >> Why is my traffic blocked?
> > 
> > Take a look at the FIREHOL_DROP_ORPHAN_TCP_... entries here:
> > 
> >  http://firehol.org/firehol-manual/firehol-variables/
> > 
> > Essentially the connection tracker is forgetting the connection before
> > the final packet is sent. You can use the variables to make firehol
> > silent on the subject.
> > 
> > Hope that helps
> > Phil
> 
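As an added example (not code from this thread or from the FireHOL project), the following Python script parses netfilter LOG lines of the kind quoted above and classifies each dropped packet by its TCP flag combination, so you can see at a glance whether a given line is an RST, an ACK FIN or something else before deciding which FIREHOL_DROP_ORPHAN_TCP_* variable applies. The sample lines are constructed for this example (addresses masked or taken from RFC 5737 documentation ranges). Only FIREHOL_DROP_ORPHAN_TCP_ACK_FIN is named in the thread; the other variable names produced by suggest_variable() are assumed to follow the same pattern and should be checked against the firehol-variables manual page linked above.

```python
"""Classify FireHOL/netfilter LOG lines by TCP flag combination.

Added example for the thread above; it is not FireHOL code. It reads the
key=value fields netfilter writes (IN=, SRC=, SPT=, ...) plus the bare flag
tokens (SYN, ACK, FIN, RST, ...) and groups packets by source port and class.
"""
from collections import Counter

# Flag tokens the kernel LOG target prints as bare words after RES=...
TCP_FLAG_TOKENS = {"CWR", "ECE", "URG", "ACK", "PSH", "RST", "SYN", "FIN"}

# Constructed sample log, modelled on the line quoted in the thread.
# First line: the RST from the IMAPS server (SPT=993) as in the original report.
# Second line: a late ACK FIN from an HTTPS server (SPT=443), RFC 5737 address.
# Third line: an unsolicited SYN to port 22, which is not an orphan at all.
SAMPLE_LOG = """\
firehol: IN-internet:IN=eth0 OUT= MAC=00:21:5e:69:e6:3d:xx:xx:xx:xx:xx:xx:xx:xx SRC=64.233.xxx.xxx DST=10.xx.xx.xx LEN=40 TOS=0x00 PREC=0x00 TTL=48 ID=63784 PROTO=TCP SPT=993 DPT=58917 WINDOW=0 RES=0x00 RST URGP=0
firehol: IN-internet:IN=eth0 OUT= MAC=00:21:5e:69:e6:3d:xx:xx:xx:xx:xx:xx:xx:xx SRC=203.0.113.5 DST=10.0.0.2 LEN=40 TOS=0x00 PREC=0x00 TTL=52 ID=1 PROTO=TCP SPT=443 DPT=40001 WINDOW=0 RES=0x00 ACK FIN URGP=0
firehol: IN-internet:IN=eth0 OUT= MAC=00:21:5e:69:e6:3d:xx:xx:xx:xx:xx:xx:xx:xx SRC=198.51.100.9 DST=10.0.0.2 LEN=60 TOS=0x00 PREC=0x00 TTL=50 ID=2 PROTO=TCP SPT=51000 DPT=22 WINDOW=29200 RES=0x00 SYN URGP=0
"""


def parse_log_line(line):
    """Split one netfilter LOG line into a dict of fields plus a 'flags' list.

    Everything before the first 'IN=' is the log prefix (e.g. 'firehol: IN-internet:').
    Returns None if the line does not look like a netfilter LOG line.
    """
    start = line.find("IN=")
    if start < 0:
        return None
    fields = {"prefix": line[:start].strip()}
    flags = []
    for token in line[start:].split():
        if "=" in token:
            key, _, value = token.partition("=")
            fields[key] = value
        elif token in TCP_FLAG_TOKENS:
            flags.append(token)
    fields["flags"] = flags
    return fields


def orphan_kind(flags):
    """Map a dropped packet's TCP flags to the orphan class it belongs to.

    'Orphan' here means a packet that belongs to a connection the tracker has
    already forgotten: a teardown packet (RST, ACK FIN) or a bare ACK.
    Returns None for packets that are not teardown traffic (e.g. a SYN).
    """
    f = set(flags)
    if "RST" in f:
        return "ACK_RST" if "ACK" in f else "RST"
    if "FIN" in f and "ACK" in f:
        return "ACK_FIN"
    if "ACK" in f and not f & {"SYN", "FIN"}:
        return "ACK"
    return None


def suggest_variable(kind):
    """FireHOL variable that silences logging for this orphan class.

    ACK_FIN is the variable named in the thread; the other names are an
    assumption based on the same FIREHOL_DROP_ORPHAN_TCP_<FLAGS> pattern.
    """
    if kind is None:
        return None
    return "FIREHOL_DROP_ORPHAN_TCP_" + kind


def summarize(log_text):
    """Count TCP lines per (source port, orphan class) to see which service produces what."""
    counts = Counter()
    for line in log_text.splitlines():
        rec = parse_log_line(line)
        if not rec or rec.get("PROTO") != "TCP":
            continue
        counts[(int(rec["SPT"]), orphan_kind(rec["flags"]))] += 1
    return dict(counts)


if __name__ == "__main__":
    for line in SAMPLE_LOG.splitlines():
        rec = parse_log_line(line)
        kind = orphan_kind(rec["flags"])
        print(f"SPT={rec['SPT']:>5} flags={' '.join(rec['flags']):<8} "
              f"class={kind} variable={suggest_variable(kind)}")
    print(summarize(SAMPLE_LOG))
```

Run against a real syslog extract (grep for your FIREHOL_LOG_PREFIX first) the summary shows whether the noise from port 993 is RST traffic, ACK FIN traffic or both, which is exactly the distinction the reply above makes; packets with class None are not orphans and are unaffected by these variables either way.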