On 25 September 2024 17:09:38 UTC, "Brian J. Murrell" <brian@xxxxxxxxxxxxxxx> wrote:

You can consider extending the netfilter connection timeouts.

>IN=ens3 OUT= MAC=[redacted] SRC=[redacted] DST=10.75.26.3 LEN=74 TOS=0x00 PREC=0x00 TTL=43 ID=3769 DF PROTO=TCP SPT=33944 DPT=22 WINDOW=229 RES=0x00 ACK PSH URGP=0

You have two options with TCP:

+ set up the kernel knob that makes conntrack treat a NEW packet without SYN as invalid, and drop INVALID packets
+ drop NEW TCP packets without SYN with an exact FW rule

Both drops go before the log rule...

>IN=eth0.2 OUT= MAC=[redacted] SRC=[redacted, remote IP] DST=[redacted, my local IP] LEN=99 TOS=0x00 PREC=0x00 TTL=59 ID=0 DF PROTO=UDP SPT=443 DPT=37242 LEN=79 MARK=0x3f00

A little more complicated with UDP, but the same logic: drop NEW UDP packets with an exact rule after the accept rules for ESTABLISHED and for the open ports, but before the log rule...

For both (TCP/UDP) consider adding more conditions, such as sport, ephemeral dports, etc...

regards

-- 
Slavko
https://www.slavino.sk/
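The two TCP options and the UDP rule from the reply above, written out as a complete nftables ruleset with the drops placed relative to the accept and log rules as described. This is an added example, not part of Slavko's mail or of Brian's actual configuration. Assumptions: SSH is the only open TCP service (port 22, taken from the first quoted log line), the stray UDP packets come from a remote port 443 to the Linux default ephemeral range 32768-60999, and the table name, chain name and log prefix are made up.

```nft
#!/usr/sbin/nft -f
# Added example (not from the original mail). Assumed: sshd on tcp/22, stray
# UDP traffic from remote :443 to the Linux default ephemeral range
# 32768-60999, made-up table/chain names and log prefix.
#
# Option A needs this kernel knob, e.g. in /etc/sysctl.d/90-conntrack.conf:
#   net.netfilter.nf_conntrack_tcp_loose = 0
# With it set, a mid-stream TCP segment (no SYN) that matches no conntrack
# entry is classified INVALID instead of NEW, so "ct state invalid drop"
# takes care of it. The other suggestion in the mail, longer timeouts, is
# net.netfilter.nf_conntrack_tcp_timeout_established for TCP and
# net.netfilter.nf_conntrack_udp_timeout / nf_conntrack_udp_timeout_stream
# for UDP.

flush ruleset

table inet filter {
    chain input {
        type filter hook input priority 0; policy drop;

        iif "lo" accept
        ct state established,related accept

        # Option A: with nf_conntrack_tcp_loose=0 this silently eats the late
        # ACK/PSH segments of a connection whose conntrack entry has expired.
        ct state invalid drop

        # Option B: exact rule. Works with the default nf_conntrack_tcp_loose=1,
        # where such a segment shows up as NEW. Harmless to keep alongside A.
        tcp flags & syn == 0 ct state new drop

        # Open ports. After the rules above, only a real SYN can get here as NEW.
        tcp dport 22 ct state new accept

        # UDP: conntrack treats the first packet of any flow as NEW, so a late
        # reply from a remote :443 (HTTPS/QUIC) to a local ephemeral port shows
        # up as NEW once the short UDP conntrack entry has expired. Drop it
        # quietly: after the established/open-port accepts, before the log rule.
        udp sport 443 udp dport 32768-60999 ct state new drop

        # Everything else falls through to the chain policy (drop); log it,
        # rate-limited, so the log stays readable.
        limit rate 5/second burst 20 packets log prefix "INPUT-drop: " level info
    }
}
```

Load with `nft -f` and check the counters with `nft list ruleset`; if you only want one of the two TCP options, keep the `ct state invalid drop` line together with the sysctl, or the `tcp flags & syn == 0 ct state new drop` line alone. Tighten the UDP rule further (specific remote networks, a narrower port range) once you have seen which flows actually trigger it.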