From: Tom E. <te...@sh...> - 2013-07-25 15:56:22
On 07/25/2013 08:24 AM, Tiemen Ruiten wrote:
> On 07/25/2013 04:44 PM, Tom Eastep wrote:
>> On 07/25/2013 07:02 AM, Tiemen Ruiten wrote:
>>
>> I agree. Arch is currently at iptables 1.4.19.1, which doesn't have
>> support for the --reap option. So what is the proper way to fix
>> this/get this fixed?

Report a simple test case against iptables 1.4.19.1. '--reap' is valid
where '--seconds' is specified. For what it is worth, the 1.4.15 version
of libxt_recent.c is identical to the 1.4.19.1 version, so it is hard to
understand why the latter fails.

As to the dump output, here are the event contents:

SSH
src=91.213.195.220 : 3145.677, 3141.175, 3102.787, 3085.985, 3081.069, 3078.482, 885.206, 10.630, 7.493, 3.977
src=212.67.x.y : 305.844, 305.808, 303.253

According to the information at the top of the dump, the firewall was
reloaded 1556 seconds before the dump was started. Therefore, the first 6
connection events will not be reflected in the iptables rule counts. They
are still there because of your issue with '--reap'.

According to this chain, you need 5 hits in 120 seconds to trigger
blacklisting:

Chain %IfEvent (1 references)
 pkts bytes target         prot opt in   out  source     destination
    0     0 SSH_BLACKLIST  all  --  *    *    0.0.0.0/0  0.0.0.0/0   recent: CHECK seconds: 120 hit_count: 5 name: SSH side: source mask: 255.255.255.255

Neither of the sets of connection events shown above will meet those
criteria (given that the first 6 packets aren't relevant).
According to this chain, you need two connection attempts within 3 seconds
to trigger a reject:

Chain %IfEvent1 (1 references)
 pkts bytes target  prot opt in   out  source     destination
    1    60 ~log0   all  --  *    *    0.0.0.0/0  0.0.0.0/0   [goto] recent: UPDATE seconds: 3 hit_count: 1 name: SSH side: source mask: 255.255.255.255

That rule was triggered:

Jul 25 17:01:41 SSH_LIMIT:Added:IN=eth0 OUT= SRC=212.67.x.y DST=149.210.n.m LEN=60 TOS=0x00 PREC=0x00 TTL=59 ID=27027 DF PROTO=TCP SPT=14225 DPT=22 WINDOW=14600 RES=0x00 SYN URGP=0

So that attempt was rejected.

-Tom
--
Tom Eastep          \ When I die, I want to go like my Grandfather who
Shoreline,           \ died peacefully in his sleep. Not screaming like
Washington, USA       \ all of the passengers in his car
http://shorewall.net   \________________________________________________