 
 From:  Manuel Kasper <mk at neon1 dot net>
 To:  anders knudsen <andersbk at gmail dot com>
 Cc:  m0n0wall at lists dot m0n0 dot ch
 Subject:  Re: [m0n0wall] Block rule not silent.
 Date:  Mon, 20 Dec 2004 07:28:54 +0100
On 19.12.2004 23:08 -0700, anders knudsen wrote:

> I've been steadily adding many large known spammer networks to the
> top of my firewall rules, blocking them completely...or so I
> thought.
> 
> I have a rule to block 61.0.0.0/8, and not log them, but just today
> got these entries. I would have expected these below to be silently
> dropped.
> 
> It's:
> @25 block in quick from 61.0.0.0/8 to any group 200
> 
> FYI, my m0n0wall is running in PPPoE mode via a bridged DSL modem.
> 
> Any ideas/comments?

These are TCP RSTs that probably came in without a SYN preceding
them, which is why the rule that ensures that all new TCP connections
must start with a SYN gets them (skip 1 in proto tcp from any to any
flags S/FSRA / block in log quick proto tcp from any to any).

- Manuel
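To make the ordering effect Manuel describes concrete, here is a small added model of ipfilter-style rule evaluation (example code written for this page, not m0n0wall's or ipfilter's own). It flattens the rules into one list with the SYN check ahead of the user's address block, which is the ordering his explanation implies; the group 200 mechanism is left out, and a packet that matches no rule is reported as None. Hosts such as 61.1.2.3 are made up for the demonstration.

```python
"""Toy model of ipfilter-style first-match rule evaluation.

Added example for the list thread above, not m0n0wall code. Assumptions:
the three rules are evaluated in this linear order (SYN check first, then
the user's 61.0.0.0/8 block), groups are ignored, and a packet matching no
rule yields (None, False).
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Packet:
    src: str
    proto: str
    flags: frozenset = frozenset()   # TCP flag letters: S=SYN A=ACK F=FIN R=RST


@dataclass(frozen=True)
class Rule:
    action: str                      # "block", "pass" or "skip"
    quick: bool = False              # stop evaluating on a match
    log: bool = False                # log packets that match
    proto: Optional[str] = None      # None = any protocol
    src: str = "0.0.0.0/0"           # source network
    flags: Optional[tuple] = None    # (flags that must be set, flags examined)
    skip: int = 0                    # for "skip N": rules jumped over on match


def matches(rule: Rule, pkt: Packet) -> bool:
    if rule.proto is not None and rule.proto != pkt.proto:
        return False
    if ipaddress.ip_address(pkt.src) not in ipaddress.ip_network(rule.src):
        return False
    if rule.flags is not None:
        want, mask = rule.flags
        # "flags S/FSRA": of the flags F,S,R,A exactly S must be set
        if (pkt.flags & mask) != want:
            return False
    return True


def evaluate(rules, pkt: Packet):
    """Walk the list in order: a non-quick match records a provisional
    result, a quick match ends evaluation, a skip match jumps over the
    next N rules. Returns (action, logged)."""
    result, logged = None, False
    i = 0
    while i < len(rules):
        r = rules[i]
        i += 1
        if not matches(r, pkt):
            continue
        if r.action == "skip":
            i += r.skip
            continue
        result, logged = r.action, r.log
        if r.quick:
            break
    return result, logged


FSRA = frozenset("FSRA")
RULESET = [
    # skip 1 in proto tcp from any to any flags S/FSRA
    Rule("skip", proto="tcp", flags=(frozenset("S"), FSRA), skip=1),
    # block in log quick proto tcp from any to any
    Rule("block", quick=True, log=True, proto="tcp"),
    # @25 block in quick from 61.0.0.0/8 to any   (the silent user rule)
    Rule("block", quick=True, src="61.0.0.0/8"),
]


def classify(src: str, flags: str):
    """Run a TCP packet with the given flag letters through RULESET."""
    return evaluate(RULESET, Packet(src, "tcp", frozenset(flags)))


if __name__ == "__main__":
    # Constructed sample packets; a SYN is silently dropped by @25, while a
    # bare RST or RST/ACK never reaches it and is logged by the SYN check.
    for src, flags in [("61.1.2.3", "S"), ("61.1.2.3", "RA"),
                       ("61.1.2.3", "R"), ("192.0.2.7", "S")]:
        print(src, "".join(sorted(flags)), "->", classify(src, flags))
```

The SYN from the blocked network skips over the logging rule and lands on @25, so it is dropped without a log entry; the RST has the R bit set, fails the S/FSRA test, and is caught by the logging block rule first, which is exactly the log line the original poster saw.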