• Strange REJECT messages in dmesg

    From William Unruh@2:250/1 to All on Thu Mar 31 22:06:07 2022
    I am getting a whole bunch of messages in dmesg which look like the
    following

    Shorewall:sshc-fw:REJECT:IN=enp4s0 OUT= MAC=f8:32:e4:70:14:5b:f4:4e:05:08:4b:00:08:00 SRC=101.227.98.81 DST=142.103.234.23 LEN=52 TOS=0x00 PREC=0x00 TTL=44 ID=50529 DF PROTO=ICMP TYPE=8 CODE=0 ID=18477 SEQ=22560

    sshc is a "host" entry in /etc/shorewall/hosts. It starts like
    sshc enp+:14.208.0.0/12,31.162.0.0/18....

    I assume sshc-fw is a comment that it is the sshc firewall rule that is
    producing these Rejects, but there is no sshc firewall rule which says
    to REJECT ICMP packets. And a REJECT would be wrong anyway since it would
    be a reply to the remote machine.

    The only ICMP rule I had was an ACCEPT rule for a local range of
    addresses.

    --- MBSE BBS v1.0.8 (Linux-x86_64)
    * Origin: A noiseless patient Spider (2:250/1@fidonet)
  • From Bit Twister@2:250/1 to All on Thu Mar 31 22:41:13 2022
    On Thu, 31 Mar 2022 21:06:07 -0000 (UTC), William Unruh wrote:
    > I am getting a whole bunch of messages in dmesg which look like the
    > following
    >
    > Shorewall:sshc-fw:REJECT:IN=enp4s0 OUT= MAC=f8:32:e4:70:14:5b:f4:4e:05:08:4b:00:08:00 SRC=101.227.98.81 DST=142.103.234.23 LEN=52 TOS=0x00 PREC=0x00 TTL=44 ID=50529 DF PROTO=ICMP TYPE=8 CODE=0 ID=18477 SEQ=22560
    >
    > sshc is a "host" entry in /etc/shorewall/hosts. It starts like
    > sshc enp+:14.208.0.0/12,31.162.0.0/18....
    >
    > I assume sshc-fw is a comment that it is the sshc firewall rule that is
    > producing these Rejects, but there is no sshc firewall rule which says
    > to REJECT ICMP packets. And a REJECT would be wrong anyway since it would
    > be a reply to the remote machine.
    >
    > The only ICMP rule I had was an ACCEPT rule for a local range of
    > addresses.

    I do not use the /hosts file and have never seen :sshc-fw:

    Keep in mind that shorewall runs through the rules file and if no rule
    is found for the connection then the default option is taken which I think
    is Drop in my setup.

    --- MBSE BBS v1.0.8 (Linux-x86_64)
    * Origin: A noiseless patient Spider (2:250/1@fidonet)
  • From David W. Hodgins@2:250/1 to All on Thu Mar 31 22:41:35 2022
    On Thu, 31 Mar 2022 17:06:07 -0400, William Unruh <unruh@invalid.ca> wrote:

    > I am getting a whole bunch of messages in dmesg which look like the
    > following
    >
    > Shorewall:sshc-fw:REJECT:IN=enp4s0 OUT= MAC=f8:32:e4:70:14:5b:f4:4e:05:08:4b:00:08:00 SRC=101.227.98.81 DST=142.103.234.23 LEN=52 TOS=0x00 PREC=0x00 TTL=44 ID=50529 DF PROTO=ICMP TYPE=8 CODE=0 ID=18477 SEQ=22560
    >
    > sshc is a "host" entry in /etc/shorewall/hosts. It starts like
    > sshc enp+:14.208.0.0/12,31.162.0.0/18....
    >
    > I assume sshc-fw is a comment that it is the sshc firewall rule that is
    > producing these Rejects, but there is no sshc firewall rule which says
    > to REJECT ICMP packets. And a REJECT would be wrong anyway since it would
    > be a reply to the remote machine.
    >
    > The only ICMP rule I had was an ACCEPT rule for a local range of
    > addresses.

    From "man shorewall-hosts"
    Most simple setups don't need to (should not) place anything in this file.

    There are also two warnings in the man page.
    I've added nothing to /etc/shorewall/hosts on any system I control.

    PROTO=ICMP TYPE=8 = Echo (aka ping).
    SRC=101.227.98.81 shows it's coming from chinatelecom.cn

    On my systems, I accept all icmp traffic. See https://blog.paessler.com/disabling-icmp-and-snmp-wont-increase-security-but-will-impact-network-monitoring

    By blocking icmp traffic, packets being sent may be rejected due to being too large
    for some hop along their path, but your system will not know it. Same if a packet
    gets rejected somewhere along its path due to a timeout.

    Having outgoing packets getting dropped without your system getting the notifications
    means your system will eventually retry the packet, after a longer than needed delay.
    It will slow down the transfer rate of data.

    In /etc/shorewall/policy, Mageia systems normally have a line with ...
    net all DROP

    Clearly, the changes being made to the shorewall configuration have caused that to be
    bypassed and fall through to the next line which has ...
    all all REJECT info

    To avoid ping floods, block icmp type 8 at the router, but leave the other icmp types open.

    Regards, Dave Hodgins

    --- MBSE BBS v1.0.8 (Linux-x86_64)
    * Origin: A noiseless patient Spider (2:250/1@fidonet)
  • From William Unruh@2:250/1 to All on Fri Apr 1 00:28:33 2022
    On 2022-03-31, Bit Twister <BitTwister@mouse-potato.com> wrote:
    > On Thu, 31 Mar 2022 21:06:07 -0000 (UTC), William Unruh wrote:
    >> I am getting a whole bunch of messages in dmesg which look like the
    >> following
    >>
    >> Shorewall:sshc-fw:REJECT:IN=enp4s0 OUT= MAC=f8:32:e4:70:14:5b:f4:4e:05:08:4b:00:08:00 SRC=101.227.98.81 DST=142.103.234.23 LEN=52 TOS=0x00 PREC=0x00 TTL=44 ID=50529 DF PROTO=ICMP TYPE=8 CODE=0 ID=18477 SEQ=22560
    >>
    >> sshc is a "host" entry in /etc/shorewall/hosts. It starts like
    >> sshc enp+:14.208.0.0/12,31.162.0.0/18....
    >>
    >> I assume sshc-fw is a comment that it is the sshc firewall rule that is
    >> producing these Rejects, but there is no sshc firewall rule which says
    >> to REJECT ICMP packets. And a REJECT would be wrong anyway since it would
    >> be a reply to the remote machine.
    >>
    >> The only ICMP rule I had was an ACCEPT rule for a local range of
    >> addresses.

    > I do not use the /hosts file and have never seen :sshc-fw:

    I assume that designates a rule for packets from the sshc zone (shorewall/zones) and IP addresses (shorewall/hosts) to the firewall.
    The sshc zone is a set of subnets which have been shown to generate a
    lot of ssh attacks (as seen in auth.log failed login attempts), which I permanently ban instead of temporarily in the sshd zone with hosts
    listed in ipset.


    > Keep in mind that shorewall runs through the rules file and if no rule
    > is found for the connection then the default option is taken which I think
    > is Drop in my setup.

    Well, I have various groups of hosts that are controlled differently.
    Thus my immediate subnet I want to control differently, and from my
    reading it seemed that that was done via the hosts file.
    Thus my immediate work environment I want to be pretty liberal in what
    ports it accepts. My home network is more liberal than the net but
    somewhat more tightly controlled than my work subnet. I use ipset to
    define a bunch of IP addresses that are not allowed to connect to the ssh
    ports (set up from too many bad attempts in /var/log/auth.log), but
    since I travel a lot, I do not want to ban everything or I could not log
    in from outside when I am in Ulan Bator, say, trying to log in.
    I.e. each zone with its hosts in that zone (defined in the hosts file) is treated differently by the firewall.
    From my, admittedly tenuous, understanding, that is what Zones and Hosts
    are for.

    But for some reason, the sshc zone (which is a list of IP groups of
    addresses, say 111.12.0.0/14, which would be expanded into about
    300000 addresses if I put them into an ipset list) is being treated differently, and is REJECTing the connection and thus sending back a
    rejection message, letting the other side know I exist, rather than DROPing it. They seem all to be ICMP type 8 requests.


    --- MBSE BBS v1.0.8 (Linux-x86_64)
    * Origin: A noiseless patient Spider (2:250/1@fidonet)
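    Two points in the thread lend themselves to a worked check: Hodgins' reading of the log line (chain sshc-fw, PROTO=ICMP TYPE=8 is an echo request) and his explanation that the sshc zone misses the "net all DROP" policy and falls through to "all all REJECT info". The Python below is an added example, not code from the thread or from Shorewall: it parses such dmesg lines, lists echo requests that were REJECTed rather than DROPped, and emulates Shorewall's top-down first-match policy lookup on the two policy lines from the thread. The extra log lines are constructed, and the policy emulation assumes sshc is a separate zone rather than nested under net.

```python
import re

# Constructed sample dmesg lines in the Shorewall log format quoted in the thread; the first
# is the line from the post, the others are made up (RFC 5737 address / an address inside the
# 14.208.0.0/12 range from the poster's hosts entry).
SAMPLE_LOG = """\
[1234.5] Shorewall:sshc-fw:REJECT:IN=enp4s0 OUT= MAC=f8:32:e4:70:14:5b:f4:4e:05:08:4b:00:08:00 SRC=101.227.98.81 DST=142.103.234.23 LEN=52 TOS=0x00 PREC=0x00 TTL=44 ID=50529 DF PROTO=ICMP TYPE=8 CODE=0 ID=18477 SEQ=22560
[1234.6] Shorewall:net-fw:DROP:IN=enp4s0 OUT= MAC=00:00:00:00:00:00 SRC=198.51.100.7 DST=142.103.234.23 LEN=60 TOS=0x00 PREC=0x00 TTL=51 ID=1 DF PROTO=TCP SPT=40000 DPT=22 SYN URGP=0
[1234.7] Shorewall:sshc-fw:REJECT:IN=enp4s0 OUT= MAC=00:00:00:00:00:00 SRC=14.208.1.9 DST=142.103.234.23 LEN=52 TOS=0x00 PREC=0x00 TTL=44 ID=3 DF PROTO=ICMP TYPE=8 CODE=0 ID=2 SEQ=1
"""

LOG_RE = re.compile(r"Shorewall:(?P<chain>[^:]+):(?P<action>[^:]+):(?P<fields>.*)")

def parse_line(line):
    """Split one netfilter log line into chain, action, zone pair and KEY=VALUE fields."""
    m = LOG_RE.search(line)  # search, not match: real dmesg lines carry a timestamp prefix
    if not m:
        return None
    rec = {"chain": m.group("chain"), "action": m.group("action")}
    for tok in m.group("fields").split():
        key, sep, val = tok.partition("=")
        if sep:
            rec.setdefault(key, val)  # ID= appears twice (IP header, then ICMP); keep the first
    # Shorewall names the chain <source zone>-<destination zone>, e.g. sshc-fw
    rec["src_zone"], _, rec["dst_zone"] = rec["chain"].partition("-")
    return rec

def parse_log(text):
    return [r for r in (parse_line(l) for l in text.splitlines()) if r]

def rejected_echo_requests(text):
    """Echo requests (ICMP type 8) answered with REJECT. Unlike a silent DROP, the ICMP
    error sent back confirms to the sender that the host is alive, the leak the poster noticed."""
    return [r for r in parse_log(text)
            if r["action"] == "REJECT" and r.get("PROTO") == "ICMP" and r.get("TYPE") == "8"]

# /etc/shorewall/policy columns: SOURCE DEST POLICY LOGLEVEL, evaluated top-down, first match
# wins. "fw" is the firewall zone (written $FW in the real file). Assumed simplification:
# a zone matches by exact name or by the wildcard "all" (no nested zones).
POLICY_BEFORE = [("net", "all", "DROP", "info"), ("all", "all", "REJECT", "info")]
POLICY_AFTER = [("sshc", "all", "DROP", "info")] + POLICY_BEFORE  # proposed extra line

def first_match_policy(policies, src_zone, dst_zone):
    for src, dst, action, _level in policies:
        if src in (src_zone, "all") and dst in (dst_zone, "all"):
            return action
    return None

if __name__ == "__main__":
    for r in rejected_echo_requests(SAMPLE_LOG):
        print(f"{r['chain']}: echo request from {r['SRC']} was REJECTed, not DROPped")
    print("sshc->fw policy before:", first_match_policy(POLICY_BEFORE, "sshc", "fw"))
    print("sshc->fw policy after: ", first_match_policy(POLICY_AFTER, "sshc", "fw"))
```

    Feed it real lines with "dmesg | grep Shorewall" to see which zone pairs are REJECTing probes; the POLICY_AFTER table shows where a DROP line for the sshc zone would have to sit to be reached before the catch-all REJECT.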