Discussion:
Strange REJECT messages in dmesg
William Unruh
2022-03-31 21:06:07 UTC
I am getting a whole bunch of messages in dmesg which look like the
following

Shorewall:sshc-fw:REJECT:IN=enp4s0 OUT= MAC=f8:32:e4:70:14:5b:f4:4e:05:08:4b:00:08:00 SRC=101.227.98.81 DST=142.103.234.23 LEN=52 TOS=0x00 PREC=0x00 TTL=44 ID=50529 DF PROTO=ICMP TYPE=8 CODE=0 ID=18477 SEQ=22560

sshc is a "host" entry in /etc/shorewall/hosts. It starts like
sshc enp+:14.208.0.0/12,31.162.0.0/18....

I assume sshc-fw is a comment that it is the sshc firewall rule that is
producing these REJECTs, but there is no sshc firewall rule which says
to REJECT ICMP packets. And a REJECT would be wrong anyway since it would
be a reply to the remote machine.

The only ICMP rule I had was an ACCEPT rule for a local range of
addresses.
Bit Twister
2022-03-31 21:41:13 UTC
Post by William Unruh
I am getting a whole bunch of messages in dmesg which look like the
following
Shorewall:sshc-fw:REJECT:IN=enp4s0 OUT= MAC=f8:32:e4:70:14:5b:f4:4e:05:08:4b:00:08:00 SRC=101.227.98.81 DST=142.103.234.23 LEN=52 TOS=0x00 PREC=0x00 TTL=44 ID=50529 DF PROTO=ICMP TYPE=8 CODE=0 ID=18477 SEQ=22560
sshc is a "host" entry in /etc/shorewall/hosts. It starts like
sshc enp+:14.208.0.0/12,31.162.0.0/18....
I assume sshc-fw is a comment that it is the sshc firewall rule that is
producing these REJECTs, but there is no sshc firewall rule which says
to REJECT ICMP packets. And a REJECT would be wrong anyway since it would
be a reply to the remote machine.
The only ICMP rule I had was an ACCEPT rule for a local range of
addresses.
I do not use the /hosts file and have never seen :sshc-fw:

Keep in mind that shorewall runs through the rules file and if no rule
is found for the connection then the default option is taken which I think
is Drop in my setup.
William Unruh
2022-03-31 23:28:33 UTC
Post by Bit Twister
Post by William Unruh
I am getting a whole bunch of messages in dmesg which look like the
following
Shorewall:sshc-fw:REJECT:IN=enp4s0 OUT= MAC=f8:32:e4:70:14:5b:f4:4e:05:08:4b:00:08:00 SRC=101.227.98.81 DST=142.103.234.23 LEN=52 TOS=0x00 PREC=0x00 TTL=44 ID=50529 DF PROTO=ICMP TYPE=8 CODE=0 ID=18477 SEQ=22560
sshc is a "host" entry in /etc/shorewall/hosts. It starts like
sshc enp+:14.208.0.0/12,31.162.0.0/18....
I assume sshc-fw is a comment that it is the sshc firewall rule that is
producing these REJECTs, but there is no sshc firewall rule which says
to REJECT ICMP packets. And a REJECT would be wrong anyway since it would
be a reply to the remote machine.
The only ICMP rule I had was an ACCEPT rule for a local range of
addresses.
I assume that designates a rule for packets from the sshc zone (shorewall/zone)
and IP addresses (shorewall/hosts) to the firewall.
The sshc zone is a set of subnets which have been shown to generate a
lot of ssh attacks (as seen in auth.log failed login attempts), which I
permanently ban instead of temporarily in the sshd zone with hosts
listed in ipset.
Post by Bit Twister
Keep in mind that shorewall runs through the rules file and if no rule
is found for the connection then the default option is taken which I think
is Drop in my setup.
Well, I have various groups of hosts that are controlled differently.
Thus my immediate subnet I want to control differently, and from my
reading it seemed that that was done via the hosts file.
Thus my immediate work environment I want to be pretty liberal in what
ports it accepts. My home network, is more liberal than the net but
somewhat more tightly controlled than my work subnet. I use ipset to
define a bunch of IP addresses that are not allowed to connect to the ssh
ports (set up from too many bad attempts in /var/log/auth.log), but
since I travel a lot, I do not want to ban everything or I could not log
in from outside when I am in Ulan Bator say trying to log in.
I.e. each zone with its hosts in that zone (defined in the hosts file) is
treated differently by the firewall.
From my, admittedly tenuous, understanding, that is what Zones and Hosts
are for.

But for some reason, the sshc (which are lists of IP groups of
addresses, say 111.12.0.0/14-- which would be expanded into about
300000 addresses if I put them into an ipset list) zone is being treated
differently, and is REJECTing the connection and thus sending back a
rejection message, letting the other side know I exist, rather than DROPing it.
They seem all to be ICMP type 8 requests.

David W. Hodgins
2022-03-31 21:41:35 UTC
Post by William Unruh
I am getting a whole bunch of messages in dmesg which look like the
following
Shorewall:sshc-fw:REJECT:IN=enp4s0 OUT= MAC=f8:32:e4:70:14:5b:f4:4e:05:08:4b:00:08:00 SRC=101.227.98.81 DST=142.103.234.23 LEN=52 TOS=0x00 PREC=0x00 TTL=44 ID=50529 DF PROTO=ICMP TYPE=8 CODE=0 ID=18477 SEQ=22560
sshc is a "host" entry in /etc/shorewall/hosts. It starts like
sshc enp+:14.208.0.0/12,31.162.0.0/18....
I assume sshc-fw is a comment that it is the sshc firewall rule that is
producing these REJECTs, but there is no sshc firewall rule which says
to REJECT ICMP packets. And a REJECT would be wrong anyway since it would
be a reply to the remote machine.
The only ICMP rule I had was an ACCEPT rule for a local range of
addresses.
From "man shorewall-hosts"
Most simple setups don't need to (should not) place anything in this file.

There are also two warnings in the man page.
I've added nothing to /etc/shorewall/hosts on any system I control.

PROTO=ICMP TYPE=8 = Echo (aka ping).
SRC=101.227.98.81 shows it's coming from chinatelecom.cn

On my systems, I accept all icmp traffic. See
https://blog.paessler.com/disabling-icmp-and-snmp-wont-increase-security-but-will-impact-network-monitoring

By blocking icmp traffic, packets being sent may be rejected due to being too large
for some hop along its path, but your system will not know it. Same if a packet
gets rejected somewhere along its path due to a timeout.

Having outgoing packets getting dropped without your system getting the notifications
means your system will eventually retry the packet, after a longer than needed delay.
It will slow down the transfer rate of data.

In /etc/shorewall/policy, Mageia systems normally have a line with ...
net all DROP

Clearly, the changes being made to the shorewall configuration have caused that to be
bypassed and fall through to the next line which has ...
all all REJECT info

To avoid ping floods, block icmp type 8 at the router, but leave the other icmp
types open.

Regards, Dave Hodgins
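To make the two points in this thread concrete (what the quoted dmesg line actually says, and why a packet attributed to the sshc zone would fall past "net all DROP" to "all all REJECT info"), here is an added example. It is not code from Shorewall or from any poster. It parses Shorewall log lines as the LOG target writes them to dmesg, then walks a constructed /etc/shorewall/policy table the way Shorewall does (first match wins, "all" is a wildcard) to report which entry a given zone pair reaches. Assumptions, all mine: the policy table is a made-up illustration using the Mageia ordering Dave quotes; SSHC_HOSTS contains only the two networks visible in the quoted hosts entry (the real list is truncated in the post); chains are named "<src>-<dst>" as in the quoted line; the first sample line is the one from the original post and the other two are constructed.

```python
"""Added example for this thread (not Shorewall's code nor any poster's).

Parse Shorewall log lines from dmesg and resolve which constructed
/etc/shorewall/policy entry a zone pair falls through to.
"""
import ipaddress
import re
from collections import Counter

# Shorewall log prefix "Shorewall:<chain>:<disposition>:" followed by the
# netfilter LOG target's key=value fields. Flags such as "DF" and "SYN" have
# no "=" and are skipped. Assumes the "<src>-<dst>" chain naming seen in the post.
_PREFIX = re.compile(r"Shorewall:(?P<chain>[^:]+):(?P<action>[A-Z]+):(?P<rest>.*)")
_KV = re.compile(r"(\w+)=(\S*)")

ICMP_TYPES = {0: "echo-reply", 3: "unreachable", 8: "echo-request",
              11: "time-exceeded"}

# Constructed policy table (SOURCE, DEST, POLICY, LOGLEVEL), Mageia ordering
# as quoted in the thread. Shorewall takes the first matching entry.
POLICY = [
    ("loc", "all", "ACCEPT", ""),
    ("net", "all", "DROP", ""),
    ("all", "all", "REJECT", "info"),
]

# Only the two networks visible in the quoted 'sshc' hosts entry (truncated).
SSHC_HOSTS = [ipaddress.ip_network(n) for n in ("14.208.0.0/12", "31.162.0.0/18")]

SAMPLE_LINES = [
    # 1: the line quoted in the original post
    "Shorewall:sshc-fw:REJECT:IN=enp4s0 OUT= MAC=f8:32:e4:70:14:5b:f4:4e:05:08:4b:00:08:00 "
    "SRC=101.227.98.81 DST=142.103.234.23 LEN=52 TOS=0x00 PREC=0x00 TTL=44 ID=50529 DF "
    "PROTO=ICMP TYPE=8 CODE=0 ID=18477 SEQ=22560",
    # 2 and 3: constructed for this example
    "[91210.1] Shorewall:net-fw:DROP:IN=enp4s0 OUT= SRC=198.51.100.7 DST=142.103.234.23 "
    "LEN=60 TTL=51 ID=1 DF PROTO=TCP SPT=40000 DPT=22 WINDOW=29200 SYN",
    "Shorewall:sshc-fw:REJECT:IN=enp4s0 OUT= SRC=14.209.0.1 DST=142.103.234.23 "
    "LEN=60 TTL=48 ID=2 DF PROTO=TCP SPT=51000 DPT=22 WINDOW=65535 SYN",
]


def parse_log_line(line):
    """Return a dict describing a Shorewall log line, or None if it is not one."""
    m = _PREFIX.search(line)
    if not m:
        return None
    fields = dict(_KV.findall(m.group("rest")))
    src_zone, _, dst_zone = m.group("chain").partition("-")  # "sshc-fw" -> sshc, fw
    rec = {"src_zone": src_zone, "dst_zone": dst_zone, "action": m.group("action"),
           "src": fields.get("SRC"), "dst": fields.get("DST"),
           "proto": fields.get("PROTO"), "dpt": fields.get("DPT")}
    if rec["proto"] == "ICMP" and "TYPE" in fields:
        rec["icmp_type"] = int(fields["TYPE"])          # TYPE=8 is echo-request (ping)
        rec["icmp_name"] = ICMP_TYPES.get(rec["icmp_type"], "other")
    return rec


def resolve_policy(policy, src_zone, dst_zone):
    """First policy entry whose SOURCE/DEST match the zone pair, else None."""
    for entry in policy:
        if entry[0] in ("all", src_zone) and entry[1] in ("all", dst_zone):
            return entry
    return None


def in_zone_hosts(ip, nets):
    """True if ip lies inside any of the zone's host networks."""
    addr = ipaddress.ip_address(ip)
    return any(addr in n for n in nets)


def explain(line, policy=POLICY):
    """Describe a logged packet and the policy entry its zone pair reaches."""
    rec = parse_log_line(line)
    if rec is None:
        return None
    entry = resolve_policy(policy, rec["src_zone"], rec["dst_zone"])
    return {"zones": f'{rec["src_zone"]}->{rec["dst_zone"]}',
            "logged": rec["action"],
            "policy": entry,
            "kind": rec.get("icmp_name") or f'{rec["proto"]}/{rec["dpt"]}',
            # only checks the two visible networks; the real list is longer
            "src_in_visible_sshc_hosts": in_zone_hosts(rec["src"], SSHC_HOSTS)}


def summarize(lines):
    """Count (zone pair, disposition, traffic kind) over a batch of log lines."""
    counts = Counter()
    for line in lines:
        e = explain(line)
        if e:
            counts[(e["zones"], e["logged"], e["kind"])] += 1
    return counts


if __name__ == "__main__":
    for sample in SAMPLE_LINES:
        print(explain(sample))
    print(summarize(SAMPLE_LINES))
```

Run against the quoted line, the resolver lands sshc->fw on ("all", "all", "REJECT", "info"), because "net all DROP" only matches a source zone of net; that is the fall-through Dave describes, and the "info" log level is why the line shows up in dmesg at all. The summarize() output is the quick way to see whether everything logged under sshc-fw is ICMP type 8 or whether TCP/22 attempts are mixed in.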