fukawi2 / husk

Natural-language DSL for iptables/netfilter firewall rules.
http://huskfw.info

Erroneous LATE DROP logs #10

Closed fukawi2 closed 11 years ago

fukawi2 commented 11 years ago

There are often erroneous logs generated by the LATE DROP feature.

These occur for TCP packets which are not valid NEW packets, I presume from script kiddies.

Note the mix of ACK FIN, ACK SYN and ACK RST flags in the packets, which makes them invalid "NEW" connections, so they are not processed by a cross-zone block (e.g., x_NET_ME):

```
Mar 13 12:57:03 www1 kernel: [LATE DROP] IN=eth0 OUT= MAC=f2:3c:91:70:43:9b:c8:4c:75:f5:d6:3f:08:00 SRC=8.28.16.254 DST=50.116.xx.xx LEN=52 TOS=0x00 PREC=0x00 TTL=53 ID=41572 PROTO=TCP SPT=45295 DPT=80 WINDOW=1032 RES=0x00 ACK FIN URGP=0
Mar 13 12:58:07 www1 kernel: [LATE DROP] IN=eth0 OUT= MAC=f2:3c:91:70:43:9b:c8:4c:75:f5:d6:3f:08:00 SRC=8.28.16.254 DST=50.116.xx.xx LEN=40 TOS=0x00 PREC=0x00 TTL=53 ID=65011 PROTO=TCP SPT=45295 DPT=80 WINDOW=1032 RES=0x00 ACK RST URGP=0
Mar 13 13:19:40 www1 kernel: [LATE DROP] IN=eth0 OUT= MAC=f2:3c:91:70:43:9b:c8:4c:75:f5:d6:3f:08:00 SRC=198.1.68.147 DST=50.116.xx.xx LEN=44 TOS=0x00 PREC=0x00 TTL=57 ID=64735 PROTO=TCP SPT=80 DPT=29193 WINDOW=16384 RES=0x00 ACK SYN URGP=0
```
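The reason these lines reach LATE DROP instead of a cross-zone block is that conntrack never classifies them as NEW: with no existing entry, a bare SYN opens a connection, a bare ACK is only picked up when `nf_conntrack_tcp_loose=1` (the kernel default), and a SYN-ACK, FIN or RST with no entry is INVALID, so a `--ctstate NEW` rule never sees them. The script below is an added example, not part of husk or of this issue; it parses netfilter LOG lines in the format shown above, buckets each TCP segment the way the conntrack TCP tracker orders its flag checks, and reports why each LATE DROP line could not have been NEW. The sample log lines are constructed (documentation addresses and placeholder MACs), and the function names are my own.

```python
import re
from collections import Counter
from typing import Dict, Optional, Set

# Constructed sample lines in the shape of netfilter LOG output; addresses and
# MACs are documentation placeholders, not real hosts.
SAMPLE_LOG = """\
Mar 13 12:57:03 www1 kernel: [LATE DROP] IN=eth0 OUT= MAC=02:00:00:00:00:01:02:00:00:00:00:02:08:00 SRC=192.0.2.10 DST=198.51.100.5 LEN=52 TOS=0x00 PREC=0x00 TTL=53 ID=41572 PROTO=TCP SPT=45295 DPT=80 WINDOW=1032 RES=0x00 ACK FIN URGP=0
Mar 13 12:58:07 www1 kernel: [LATE DROP] IN=eth0 OUT= MAC=02:00:00:00:00:01:02:00:00:00:00:02:08:00 SRC=192.0.2.10 DST=198.51.100.5 LEN=40 TOS=0x00 PREC=0x00 TTL=53 ID=65011 PROTO=TCP SPT=45295 DPT=80 WINDOW=1032 RES=0x00 ACK RST URGP=0
Mar 13 13:19:40 www1 kernel: [LATE DROP] IN=eth0 OUT= MAC=02:00:00:00:00:01:02:00:00:00:00:02:08:00 SRC=192.0.2.20 DST=198.51.100.5 LEN=44 TOS=0x00 PREC=0x00 TTL=57 ID=64735 PROTO=TCP SPT=80 DPT=29193 WINDOW=16384 RES=0x00 ACK SYN URGP=0
Mar 13 13:20:01 www1 kernel: [LATE DROP] IN=eth0 OUT= MAC=02:00:00:00:00:01:02:00:00:00:00:02:08:00 SRC=192.0.2.30 DST=198.51.100.5 LEN=60 TOS=0x00 PREC=0x00 TTL=57 ID=1 PROTO=TCP SPT=51000 DPT=22 WINDOW=29200 RES=0x00 SYN URGP=0
Mar 13 13:20:05 www1 kernel: [LATE DROP] IN=eth0 OUT= MAC=02:00:00:00:00:01:02:00:00:00:00:02:08:00 SRC=192.0.2.40 DST=198.51.100.5 LEN=84 TOS=0x00 PREC=0x00 TTL=57 ID=7 PROTO=UDP SPT=53 DPT=41000 LEN=64
"""

# Bare tokens the LOG target emits for set TCP flags (everything else is KEY=VALUE).
TCP_FLAG_TOKENS = {"SYN", "ACK", "FIN", "RST", "PSH", "URG", "ECE", "CWR"}
LOG_RE = re.compile(r"kernel: \[(?P<prefix>[^\]]*)\] (?P<body>.*)$")


def parse_nf_log(line: str) -> Optional[Dict[str, object]]:
    """Split one netfilter LOG line into KEY=VALUE fields plus the set of TCP flag tokens."""
    m = LOG_RE.search(line)
    if not m:
        return None
    fields: Dict[str, object] = {"PREFIX": m.group("prefix")}
    flags: Set[str] = set()
    for tok in m.group("body").split():
        if "=" in tok:
            key, value = tok.split("=", 1)
            fields[key] = value  # for UDP the second LEN= (UDP length) overwrites the IP one
        elif tok in TCP_FLAG_TOKENS:
            flags.add(tok)
    fields["FLAGS"] = flags
    return fields


def conntrack_bucket(flags: Set[str]) -> str:
    """Bucket a segment in the order the conntrack TCP tracker checks flags: RST, SYN/SYN-ACK, FIN, ACK."""
    if "RST" in flags:
        return "RST"
    if "SYN" in flags:
        return "SYNACK" if "ACK" in flags else "SYN"
    if "FIN" in flags:
        return "FIN"
    if "ACK" in flags:
        return "ACK"
    return "NONE"


def verdict(fields: Dict[str, object], tcp_loose: bool = True) -> str:
    """Explain why a logged packet with no conntrack entry did or did not qualify as NEW.

    Only a bare SYN is a genuine NEW.  A bare ACK is picked up as NEW only when
    nf_conntrack_tcp_loose=1 (the default).  SYN-ACK, FIN and RST with no entry
    are INVALID, which is the traffic this issue shows falling through to LATE DROP.
    """
    if fields.get("PROTO") != "TCP":
        return "not-tcp"
    bucket = conntrack_bucket(fields["FLAGS"])  # type: ignore[arg-type]
    if bucket == "SYN":
        return "genuine-new"
    if bucket == "ACK":
        return "loose-pickup" if tcp_loose else "invalid-ack"
    return "invalid-" + bucket.lower()


def summarise(log_text: str, tcp_loose: bool = True) -> Dict[str, Counter]:
    """Count LATE DROP lines by verdict, and INVALID ones by source, to make the noise visible."""
    by_verdict: Counter = Counter()
    by_src_invalid: Counter = Counter()
    for line in log_text.splitlines():
        fields = parse_nf_log(line)
        if fields is None or fields["PREFIX"] != "LATE DROP":
            continue
        v = verdict(fields, tcp_loose)
        by_verdict[v] += 1
        if v.startswith("invalid-"):
            by_src_invalid[str(fields.get("SRC"))] += 1
    return {"by_verdict": by_verdict, "by_src_invalid": by_src_invalid}


if __name__ == "__main__":
    for line in SAMPLE_LOG.splitlines():
        f = parse_nf_log(line)
        print(f["SRC"], sorted(f["FLAGS"]), verdict(f))
    print(summarise(SAMPLE_LOG))
```

Run against the three patterns from the issue, the script reports `invalid-fin`, `invalid-rst` and `invalid-synack`; only the constructed bare-SYN line comes back as `genuine-new`. The conventional iptables cure for this noise, independent of husk, is a silent `-m conntrack --ctstate INVALID -j DROP` rule placed before the logging late-drop rule, so that stray teardown and backscatter segments are discarded without filling the log.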
fukawi2 commented 11 years ago

Appears to be resolved after testing