[CS-FSLUG] Firewall fights

Tim Young Tim.Young at LightSys.org
Wed Jan 25 13:28:56 CST 2006



Ed Hurst wrote:

>Ignoring it is fine, but how do I tell my firewall to quit logging that 
>so I can concentrate on detecting genuine threats? I realize you may not 
>have a simple concrete answer for that. I'm not going to be modifying a 
>Linux kernel, so that's out.
>
>Anyway, thanks for the explanation.
An easy solution would be to realize that it treats that single packet 
as a new communication. If the firewall does not block it, the kernel 
will elsewhere. So the simplest thing to do will be to construct an 
iptables rule that will match a SYN-RST packet and "allow" that. 
Basically, it will be allowed by the firewall, but the kernel will 
decide not to route it and it will vanish that way. You don't get 
anything blocked, and so it is not logged. ;)

Or, instead of "allowing" that packet, you can "drop" it. Dropped 
packets are not logged by default; your firewall-creating script has an 
extra iptables entry to do the logging. So if you drop the packet 
yourself, before the firewall tool does its logging, then you do the 
same thing as by allowing it, except you do not open up a partial hole 
in your firewall.

- Tim Young
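An added example of the second (drop-before-log) approach, written for this page and not taken from the thread or any firewall tool: it emits a rule set in iptables-restore format in which the SYN+RST match is dropped silently ahead of the generic LOG rule. The chain policies, the state rule, the rate limit and the log prefix are assumptions.

```shell
#!/bin/sh
# Added example (not from the original post): a rule set where the SYN+RST
# packet is discarded BEFORE the logging entry, so it never gets logged.
# Chain policies, the ESTABLISHED/RELATED rule, the limit and the log
# prefix are assumed; adjust them to your own firewall script.

# Print the filter table in iptables-restore format. Order matters:
# rules are evaluated top to bottom and the first terminal target
# (DROP/ACCEPT) ends evaluation for that packet.
build_rules() {
    cat <<'EOF'
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# Packets belonging to connections we already know about are fine.
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# --tcp-flags MASK COMP: look at SYN and RST, require both to be set.
# Quiet drop placed ahead of the logging rule: nothing is written.
-A INPUT -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
# Everything else that is about to be refused is logged, then dropped.
-A INPUT -m limit --limit 5/min -j LOG --log-prefix "FW-DROP: "
-A INPUT -j DROP
COMMIT
EOF
}

# Return 0 when the quiet DROP for SYN,RST comes before the LOG rule;
# if the order were reversed the packet would still be logged.
check_order() {
    rules=$(build_rules)
    quiet=$(printf '%s\n' "$rules" \
        | grep -n -- '--tcp-flags SYN,RST SYN,RST -j DROP' | cut -d: -f1)
    log=$(printf '%s\n' "$rules" | grep -n -- '-j LOG' | cut -d: -f1)
    [ -n "$quiet" ] && [ -n "$log" ] && [ "$quiet" -lt "$log" ]
}

# To load it (as root): build_rules | iptables-restore
```

The drop line can be pasted into an existing script as `iptables -A INPUT -p tcp --tcp-flags SYN,RST SYN,RST -j DROP`, as long as it is inserted above the LOG rule.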
