[Shorewall-users] dropNotSyn
Tom Eastep
2017-07-10 20:12:25 UTC
> Hi,
>
> kernel: Shorewall:dropNotSyn:DROP:IN=enp9s6 OUT=
> MAC=00:0d:88:cd:7f:c6:50:67:f0:af:f4:57:08:00 SRC=173.194.153.82
> DST=192.168.101.2 LEN=40 TOS=0x00 PREC=0x00 TTL=49 ID=29119 PROTO=TCP
> SPT=443 DPT=58079 WINDOW=0 RES=0x00 RST URGP=0 MARK=0x3
>
> What does it mean exactly?
This happens when Netfilter believes that the flow is closed and deletes the
conntrack entry, while one of the end-points still thinks that the flow
is alive and sends an RST. In my own ruleset, I handle this with:

RST(ACCEPT) { SOURCE=all, DEST=all }

I have also seen similar problems with SYN,PSH,ACK packets, and added a
FIN action in 5.1.5. I use it similarly:

FIN(ACCEPT) { SOURCE=ALL, DEST=all }

-Tom
--
Tom Eastep \ Q: What do you get when you cross a mobster with
Shoreline, \ an international standard?
Washington, USA \ A: Someone who makes you an offer you can't
http://shorewall.org \ understand
\_______________________________________________
Tom Eastep
2017-07-11 14:21:51 UTC
Post by Tom Eastep
> > This happens when Netfilter believes that the flow is closed and deletes the
> > conntrack entry, while one of the end-points still thinks that the flow
> > is alive and sends an RST. In my own ruleset, I handle this with:
> >
> > RST(ACCEPT) { SOURCE=all, DEST=all }
> >
> > I have also seen similar problems with SYN,PSH,ACK packets, and added a
> > FIN action in 5.1.5. I use it similarly:
> >
> > FIN(ACCEPT) { SOURCE=ALL, DEST=all }
>
> RST(ACCEPT) { SOURCE=all, DEST=all }
> FIN(ACCEPT) { SOURCE=all, DEST=all }
>
> and restarted shorewall.
>
> Jul 11 11:07:57 inf-gw1 kernel: Shorewall:dropNotSyn:DROP:IN=enp9s5 OUT= MAC=00:0d:88:cd:7f:c5:00:13:f7:23:ef:b4:08:00 SRC=216.58.214.163 DST=192.168.100.2 LEN=1140 TOS=0x00 PREC=0x00 TTL=55 ID=32907 PROTO=TCP SPT=443 DPT=43579 WINDOW=351 RES=0x00 ACK PSH URGP=0 MARK=0x2
> Jul 11 11:07:57 inf-gw1 kernel: Shorewall:dropNotSyn:DROP:IN=enp9s6 OUT= MAC=00:0d:88:cd:7f:c6:50:67:f0:af:f4:57:08:00 SRC=158.85.58.43 DST=192.168.101.2 LEN=52 TOS=0x00 PREC=0x00 TTL=49 ID=30820 DF PROTO=TCP SPT=80 DPT=16779 WINDOW=514 RES=0x00 ACK RST URGP=0 MARK=0x3
> Jul 11 11:07:57 inf-gw1 kernel: Shorewall:dropNotSyn:DROP:IN=enp9s5 OUT= MAC=00:0d:88:cd:7f:c5:00:13:f7:23:ef:b4:08:00 SRC=216.58.214.163 DST=192.168.100.2 LEN=856 TOS=0x00 PREC=0x00 TTL=55 ID=31520 PROTO=TCP SPT=443 DPT=35305 WINDOW=351 RES=0x00 ACK PSH URGP=0 MARK=0x2
>
> # shorewall version
> 5.1.5
> # grep -v ^# /usr/share/shorewall/action.RST | grep -v ^$
> DEFAULTS DROP,-
> @1 - - ;;+ -p 6 --tcp-flags RST RST
> # grep -v ^# /usr/share/shorewall/action.FIN | grep -v ^$
> DEFAULTS ACCEPT,-
> @1 - - ;;+ -p 6 --tcp-flags ACK,FIN,PSH ACK,FIN,PSH
>
> Functionally speaking, no user has yet reported issues accessing http or https sites.
> I could ignore these messages although I wasn't getting them in previous systems.
In shorewall.conf, remove the ":$LOG" after 'dropNotSyn' in the
BLACKLIST_DEFAULT setting.

-Tom
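The two replies above explain why late RST, ACK RST and ACK PSH segments land in dropNotSyn once conntrack has forgotten the flow, and quote the flag tests of the RST and FIN actions. The script below is an added example, not code from the thread or from the Shorewall project: it parses Netfilter LOG lines of the kind shown, applies the iptables `--tcp-flags MASK COMP` semantics, and reports which of the two actions would accept each logged packet. It assumes that dropNotSyn tests `! --syn` and that `--syn` is shorthand for `--tcp-flags SYN,RST,ACK,FIN SYN`; the sample log lines are constructed (RFC 5737 addresses), modelled on the ones in the thread.

```python
"""Replay Netfilter 'dropNotSyn' log lines against the Shorewall RST and FIN
actions quoted in the thread, using the iptables --tcp-flags match semantics.
Added example; not code from the thread or from the Shorewall project."""
import re
from collections import Counter

# Bare tokens the LOG target prints for TCP flags (IP flags such as DF are not TCP flags).
TCP_FLAGS = {"CWR", "ECE", "URG", "ACK", "PSH", "RST", "SYN", "FIN"}

# Assumption: dropNotSyn matches TCP packets with '! --syn', and iptables'
# --syn is shorthand for '--tcp-flags SYN,RST,ACK,FIN SYN'.
SYN_MASK, SYN_COMP = frozenset({"SYN", "RST", "ACK", "FIN"}), frozenset({"SYN"})

# The two actions as the thread's grep of action.RST and action.FIN shows them:
# '--tcp-flags RST RST' and '--tcp-flags ACK,FIN,PSH ACK,FIN,PSH', in the order
# the reply listed them in the rules file.  Entries are (name, mask, comp).
ACTIONS = [
    ("RST", frozenset({"RST"}), frozenset({"RST"})),
    ("FIN", frozenset({"ACK", "FIN", "PSH"}), frozenset({"ACK", "FIN", "PSH"})),
]

# Constructed sample log lines modelled on the ones in the thread (RFC 5737
# addresses, documentation MACs); they are not real traffic.
SAMPLE_LOG = [
    # bare RST, like the first message's line
    "kernel: Shorewall:dropNotSyn:DROP:IN=eth0 OUT= MAC=00:00:5e:00:53:01:00:00:5e:00:53:02:08:00 SRC=203.0.113.82 DST=192.0.2.2 LEN=40 TOS=0x00 PREC=0x00 TTL=49 ID=29119 PROTO=TCP SPT=443 DPT=58079 WINDOW=0 RES=0x00 RST URGP=0 MARK=0x3",
    # ACK RST, like the second message's middle line
    "kernel: Shorewall:dropNotSyn:DROP:IN=eth1 OUT= MAC=00:00:5e:00:53:03:00:00:5e:00:53:04:08:00 SRC=198.51.100.43 DST=192.0.2.3 LEN=52 TOS=0x00 PREC=0x00 TTL=49 ID=30820 DF PROTO=TCP SPT=80 DPT=16779 WINDOW=514 RES=0x00 ACK RST URGP=0 MARK=0x3",
    # ACK PSH data segment, like the second message's first and last lines
    "kernel: Shorewall:dropNotSyn:DROP:IN=eth0 OUT= MAC=00:00:5e:00:53:01:00:00:5e:00:53:02:08:00 SRC=203.0.113.163 DST=192.0.2.2 LEN=1140 TOS=0x00 PREC=0x00 TTL=55 ID=32907 PROTO=TCP SPT=443 DPT=43579 WINDOW=351 RES=0x00 ACK PSH URGP=0 MARK=0x2",
    # ACK FIN PSH: the only combination the FIN action accepts
    "kernel: Shorewall:dropNotSyn:DROP:IN=eth0 OUT= MAC=00:00:5e:00:53:01:00:00:5e:00:53:02:08:00 SRC=203.0.113.163 DST=192.0.2.2 LEN=52 TOS=0x00 PREC=0x00 TTL=55 ID=32908 DF PROTO=TCP SPT=443 DPT=43579 WINDOW=351 RES=0x00 ACK PSH FIN URGP=0 MARK=0x2",
    # ACK FIN without PSH: a normal close, but not matched by the FIN action
    "kernel: Shorewall:dropNotSyn:DROP:IN=eth0 OUT= MAC=00:00:5e:00:53:01:00:00:5e:00:53:02:08:00 SRC=203.0.113.163 DST=192.0.2.2 LEN=52 TOS=0x00 PREC=0x00 TTL=55 ID=32909 DF PROTO=TCP SPT=443 DPT=43580 WINDOW=351 RES=0x00 ACK FIN URGP=0 MARK=0x2",
    # a plain SYN passes the --syn test and so never reaches dropNotSyn; control case
    "kernel: Shorewall:net-fw:DROP:IN=eth0 OUT= MAC=00:00:5e:00:53:01:00:00:5e:00:53:02:08:00 SRC=203.0.113.7 DST=192.0.2.2 LEN=60 TOS=0x00 PREC=0x00 TTL=50 ID=1 DF PROTO=TCP SPT=40000 DPT=22 WINDOW=29200 RES=0x00 SYN URGP=0 MARK=0x2",
]


def tcp_flags_match(flags, mask, comp):
    """iptables --tcp-flags MASK COMP: of the flags named in MASK, exactly
    those in COMP must be set; flags outside MASK are ignored."""
    return (frozenset(flags) & mask) == comp


def parse_log_line(line):
    """Parse a Netfilter LOG line into a dict of KEY=VALUE fields, plus
    'FLAGS' (set of TCP flag tokens) and, when present, the Shorewall log
    prefix as 'CHAIN' and 'DISPOSITION'."""
    fields = dict(re.findall(r"(\w+)=(\S*)", line))
    fields["FLAGS"] = frozenset(tok for tok in line.split() if tok in TCP_FLAGS)
    m = re.search(r"Shorewall:([^:\s]+):([^:\s]+):IN=", line)
    if m:
        fields["CHAIN"], fields["DISPOSITION"] = m.group(1), m.group(2)
    return fields


def classify(line):
    """Return 'syn' if the packet would pass the --syn test (so dropNotSyn
    does not apply), the name of the first action whose flag test accepts
    it, 'unmatched' if neither action accepts it, or 'not-tcp'."""
    f = parse_log_line(line)
    if f.get("PROTO") != "TCP":
        return "not-tcp"
    if tcp_flags_match(f["FLAGS"], SYN_MASK, SYN_COMP):
        return "syn"
    for name, mask, comp in ACTIONS:
        if tcp_flags_match(f["FLAGS"], mask, comp):
            return name
    return "unmatched"


def summarize(lines):
    """Count the classification of every line; the 'unmatched' bucket is the
    traffic that keeps logging even with both actions in place."""
    return Counter(classify(line) for line in lines)


if __name__ == "__main__":
    for line in SAMPLE_LOG:
        f = parse_log_line(line)
        flags = " ".join(sorted(f["FLAGS"])) or "-"
        print(f"{f['SRC']}:{f['SPT']} -> {f['DST']}:{f['DPT']} "
              f"chain={f.get('CHAIN')} flags={flags} => {classify(line)}")
    print(summarize(SAMPLE_LOG))
```

Applied to the three lines quoted in the second message, the matcher reports RST for the ACK RST packet and unmatched for both ACK PSH segments: the FIN action only accepts segments with ACK, FIN and PSH all set, so ordinary late data segments (and a plain ACK FIN close) match neither action and will keep appearing in the log. The script models only each action's flag test, not where those rules sit relative to the BLACKLIST_DEFAULT processing that Tom's last reply identifies as the source of the messages.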