firewall session timeout

After I applied the basic IPv6 ingress firewall rule (stateful inspection), the log indicates some packets from Google keep getting dropped. I am not seeing any service impact. What is broken here?

ipv6-name wan_in-6 {
        default-action drop
        description wan_in
        enable-default-log
        rule 1 {
            action accept
            description "Allow Enabled/Related state"
            state {
                established enable
                related enable
            }
        }
        rule 2 {
            action drop
            log enable
            state {
                invalid enable
            }
        }
        rule 5 {
            action accept
            description "Allow ICMPv6"
            log enable
            protocol icmpv6
        }
        rule 6 {
            action accept
            description "Allow DHCPv6"
            destination {
                port 546
            }
            protocol udp
            source {
                port 547
            }
        }
    }

Log (MAC and IPv6 addresses masked):

May 28 05:00:02 erlite-3 kernel: [wan_in-6-2-D]IN=eth0 OUT=eth1 MAC=xx:Xx:Xx:Xx:Xx:Xx:Xx:Xx:Xx:Xx:Xx:Xx:xx:dd src=2607:ffff:ffff:ffff:0000:0000:0000:1111 DST=3333:3333:3333:3333::1 LEN=60 TC=0 HOPLIMIT=53 FLOWLBL=0 PROTO=TCP SPT=80 DPT=55560 WINDOW=0 RES=0x00 RST URGP=0
May 28 05:00:02 erlite-3 kernel: [wan_in-6-2-D]IN=eth0 OUT=eth1 MAC=xx:Xx:Xx:Xx:Xx:Xx:Xx:Xx:Xx:Xx:Xx:Xx:xx:xx src=2607:ffff:ffff:ffff:0000:0000:0000:1111 DST=3333:3333:3333:3333::1 LEN=60 TC=0 HOPLIMIT=53 FLOWLBL=0 PROTO=TCP SPT=80 DPT=55560 WINDOW=0 RES=0x00 RST URGP=0
May 28 05:00:03 erlite-3 kernel: [wan_in-6-2-D]IN=eth0 OUT=eth1 MAC=xx:Xx:Xx:Xx:Xx:Xx:Xx:Xx:Xx:Xx:Xx:Xx:xx:xx src=2607:ffff:ffff:ffff:0000:0000:0000:1111 DST=3333:3333:3333:3333::1 LEN=60 TC=0 HOPLIMIT=52 FLOWLBL=0 PROTO=TCP SPT=443 DPT=38911 WINDOW=0 RES=0x00 RST URGP=0
May 28 05:00:03 erlite-3 kernel: [wan_in-6-2-D]IN=eth0 OUT=eth1 MAC=xx:Xx:Xx:Xx:Xx:Xx:Xx:Xx:Xx:Xx:Xx:Xx:xx:xx src=2607:ffff:ffff:ffff:0000:0000:0000:1111 DST=3333:3333:3333:3333::1 LEN=60 TC=0 HOPLIMIT=53 FLOWLBL=0 PROTO=TCP SPT=80 DPT=55560 WINDOW=0 RES=0x00 RST URGP=0
May 28 05:01:04 erlite-3 kernel: last message repeated 2 times
May 28 05:04:04 erlite-3 kernel: [wan_in-6-2-D]IN=eth0 OUT=eth1 MAC=xx:Xx:Xx:Xx:Xx:Xx:Xx:Xx:Xx:Xx:Xx:Xx:xx:xx src=2607:ffff:ffff:ffff:0000:0000:0000:1111 DST=3333:3333:3333:3333::1 LEN=60 TC=0 HOPLIMIT=52 FLOWLBL=0 PROTO=TCP SPT=443 DPT=52953 WINDOW=0 RES=0x00 RST URGP=0
May 28 05:04:04 erlite-3 kernel: [wan_in-6-2-D]IN=eth0 OUT=eth1 MAC=xx:Xx:Xx:Xx:Xx:Xx:Xx:Xx:Xx:Xx:Xx:Xx:xx:xx src=2607:ffff:ffff:ffff:0000:0000:0000:1111 DST=3333:3333:3333:3333::1 LEN=60 TC=0 HOPLIMIT=53 FLOWLBL=0 PROTO=TCP SPT=80 DPT=55560 WINDOW=0 RES=0x00 RST URGP=0
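As an added example (not from the original post or from EdgeOS), a small Python parser for firewall log prefixes of the form `[wan_in-6-2-D]` that tallies the dropped packets in a log like the one above and counts how many fit the pattern visible there: a lone RST with WINDOW=0 from port 80/443 to a high client port. The sample lines are constructed in the same masked form as the post's log, and the `is_late_reset` heuristic (service source port, ephemeral destination port, RST only, zero window) is my assumption about what a server's reset for an already-expired session looks like.

```python
import re
from collections import Counter

# Constructed sample in the masked form of the post's log (not real traffic).
SAMPLE_LOG = """\
May 28 05:00:02 erlite-3 kernel: [wan_in-6-2-D]IN=eth0 OUT=eth1 MAC=xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx src=2607:ffff:ffff:ffff::1111 DST=3333:3333:3333:3333::1 LEN=60 TC=0 HOPLIMIT=53 FLOWLBL=0 PROTO=TCP SPT=80 DPT=55560 WINDOW=0 RES=0x00 RST URGP=0
May 28 05:00:03 erlite-3 kernel: [wan_in-6-2-D]IN=eth0 OUT=eth1 MAC=xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx src=2607:ffff:ffff:ffff::1111 DST=3333:3333:3333:3333::1 LEN=60 TC=0 HOPLIMIT=52 FLOWLBL=0 PROTO=TCP SPT=443 DPT=38911 WINDOW=0 RES=0x00 RST URGP=0
May 28 05:01:04 erlite-3 kernel: last message repeated 2 times
"""
PREFIX_RE = re.compile(r"\[(?P<ruleset>.+)-(?P<rule>\d+)-(?P<action>[A-Z])\]")
REPEAT_RE = re.compile(r"last message repeated (\d+) times")
TCP_FLAGS = {"SYN", "ACK", "FIN", "RST", "PSH", "URG"}

def parse_line(line):
    """Split one EdgeOS firewall log line into its KEY=VALUE fields plus TCP flags."""
    m = PREFIX_RE.search(line)
    if not m:
        return None  # not a firewall log line (e.g. a syslog 'repeated' line)
    fields = {**m.groupdict(), "flags": set()}
    for tok in line[m.end():].split():
        if "=" in tok:
            key, value = tok.split("=", 1)
            fields[key.upper()] = value  # the post masked 'src=' in lower case
        elif tok in TCP_FLAGS:
            fields["flags"].add(tok)
    return fields

def is_late_reset(f):
    """Assumed heuristic: lone RST, zero window, service port -> ephemeral port."""
    return (f.get("PROTO") == "TCP" and f["flags"] == {"RST"} and f.get("WINDOW") == "0"
            and int(f.get("SPT", 0)) < 1024 and int(f.get("DPT", 0)) >= 1024)

def summarize_drops(log_text):
    """Tally drops per (ruleset, rule, proto, flags), honouring syslog repeat lines."""
    counts, late, last = Counter(), 0, None
    for line in log_text.splitlines():
        rep = REPEAT_RE.search(line)
        if rep and last is not None:  # repeats refer to the previous firewall line
            counts[last[0]] += int(rep.group(1))
            late += int(rep.group(1)) if last[1] else 0
            continue
        f = parse_line(line)
        if f is None or f["action"] != "D":  # ignore accepts and non-firewall lines
            last = None
            continue
        key = (f["ruleset"], f["rule"], f["PROTO"], ",".join(sorted(f["flags"])) or "-")
        counts[key] += 1
        last = (key, is_late_reset(f))
        late += last[1]
    return {"dropped": sum(counts.values()), "by_rule": dict(counts), "late_resets": late}
```

A TCP packet that matches no entry in the connection table and is not a SYN is classified `invalid` by conntrack, so a server's reset arriving after the flow has already timed out hits rule 2 rather than rule 1; when every drop in the summary is such a reset, the logging is noise rather than a broken rule.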