[fw-wiz] Stateful inspect on return web traffic - eek!

From: Brett Charbeneau (brett_at_wrl.org)
Date: 12/09/03

  • Next message: Melson, Paul: "RE: [fw-wiz] SunScreen Log Analyzer"
    To: firewall-wizards@honor.icsalabs.com
    Date: Tue, 9 Dec 2003 11:33:13 -0500 (EST)
    
    

    Greetings,

            If anyone can help me figure out what's going on with my logs, I'd
    be EXTREMELY grateful!
            I have a handful of firewalls around my institution that are using
    the 2.4.20 Linux kernel, have iptables v1.2.7a, and default drop
    policies. The workstations behind the firewalls are on NAT'd networks and
    have these commands for connection tracking:

    iptables -A OUTPUT -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
    iptables -A FORWARD -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
    iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

            I've recently set up a Squid proxy with the same specifics but
    obviously minus the NAT'd network. Except for the explicit allow
    statements for the Squid process and necessary SSH access, the rules are
    very simple - default drop except for related return traffic.
            In all these instances, I have an iptables rule to log any dropped
    packets and I've been seeing some really strange web-related *return*
    traffic that isn't being allowed back in.
            Me no get.
            I've got an example below and they look to me to be replies to web
    clients that *should* be associated with outgoing traffic but somehow
    isn't and the traffic is being dropped.
            I've not heard complaints about certain web sites being
    unreachable, so the clients must be getting their traffic somehow, but
    clearly something is amiss.
            Any guidance or hints anyone can provide would be greatly
    appreciated!

    -- 
    Brett Charbeneau, Network Administrator         Tel: 757-259-7750
    Williamsburg Regional Library                   FAX: 757-259-7798
    7770 Croaker Road                               brett@wrl.org
    Williamsburg, VA 23188-7064                     http://www.wrl.org
    Dec  9 11:19:45 reliant kernel: KILLED!: IN=eth0 OUT= 
    MAC=00:10:4b:34:51:22:00:00:0c:5d:85:ae:08:00 SRC=216.75.202.105 
    DST=209.96.177.53 LEN=52 TOS=0x00 PREC=0x00 TTL=45 ID=33958 DF PROTO=TCP 
    SPT=80 DPT=49788 WINDOW=31856 RES=0x00 ACK FIN URGP=0 
    Dec  9 11:19:47 reliant kernel: KILLED!: IN=eth0 OUT= 
    MAC=00:10:4b:34:51:22:00:00:0c:5d:85:ae:08:00 SRC=216.75.202.105 
    DST=209.96.177.53 LEN=52 TOS=0x00 PREC=0x00 TTL=45 ID=34028 DF PROTO=TCP 
    SPT=80 DPT=49788 WINDOW=31856 RES=0x00 ACK FIN URGP=0 
    Dec  9 11:19:47 reliant kernel: KILLED!: IN=eth0 OUT= 
    MAC=00:10:4b:34:51:22:00:00:0c:5d:85:ae:08:00 SRC=207.68.178.238 
    DST=209.96.177.53 LEN=41 TOS=0x00 PREC=0x00 TTL=235 ID=50490 PROTO=TCP 
    SPT=80 DPT=49476 WINDOW=16133 RES=0x00 ACK PSH URGP=0 
    Dec  9 11:19:49 reliant kernel: KILLED!: IN=eth0 OUT= 
    MAC=00:10:4b:34:51:22:00:00:0c:5d:85:ae:08:00 SRC=216.75.202.105 
    DST=209.96.177.53 LEN=52 TOS=0x00 PREC=0x00 TTL=45 ID=34417 DF PROTO=TCP 
    SPT=80 DPT=49788 WINDOW=31856 RES=0x00 ACK FIN URGP=0 
    Dec  9 11:19:55 reliant kernel: KILLED!: IN=eth0 OUT= 
    MAC=00:10:4b:34:51:22:00:00:0c:5d:85:ae:08:00 SRC=216.75.202.105 
    DST=209.96.177.53 LEN=52 TOS=0x00 PREC=0x00 TTL=45 ID=34750 DF PROTO=TCP 
    SPT=80 DPT=49788 WINDOW=31856 RES=0x00 ACK FIN URGP=0 
    Dec  9 11:19:58 reliant kernel: KILLED!: IN=eth0 OUT= 
    MAC=00:10:4b:34:51:22:00:00:0c:5d:85:ae:08:00 SRC=216.75.203.112 
    DST=209.96.177.53 LEN=467 TOS=0x00 PREC=0x00 TTL=236 ID=20775 DF PROTO=TCP 
    SPT=81 DPT=49378 WINDOW=10136 RES=0x00 ACK PSH FIN URGP=0 
    _______________________________________________
    firewall-wizards mailing list
    firewall-wizards@honor.icsalabs.com
    http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
    

  • Next message: Melson, Paul: "RE: [fw-wiz] SunScreen Log Analyzer"