mmotti
just joined
Topic Author
Posts: 16
Joined: Thu Nov 17, 2022 9:50 pm

IPv6 WG - Lots of "input: in:wg1 out:(unknown 0), connection-state:new proto TCP (ACK,PSH)" picked up by drop rule?

Mon Jan 30, 2023 3:50 pm

Hi,

I've tried to merge my IPv4 firewall settings with the IPv6 default settings and I seem to be coming across packets that potentially shouldn't be dropped?

I tweaked the final "drop everything !LAN" at the end of the input chain and substituted it with a drop for all remaining traffic after manually allowing TCP/UDP 53 and UDP ff00::/8 (as I noticed multicast packets were getting blocked). I did this originally with IPv4 to restrict VLANs other than my trusted LAN from accessing any administrative areas of the router etc.

Specifically I changed:
add action=drop chain=input comment="defconf: drop everything else not coming from LAN" disabled=yes in-interface-list=!LAN
To:
add action=accept chain=input comment="Allow LAN multicast (UDP)" dst-address=ff00::/8 in-interface-list=LAN protocol=udp
add action=accept chain=input comment="Allow LAN DNS queries (UDP)" dst-port=53 in-interface-list=LAN protocol=udp
add action=accept chain=input comment="Allow LAN DNS queries (TCP)" dst-port=53 in-interface-list=LAN protocol=tcp
add action=drop chain=input comment="Drop remaining traffic on the input chain" log=yes

I seem to be getting the following kinds of packets getting dropped (out unknown?!):
input: in:wg1 out:(unknown 0), connection-state:new proto TCP (ACK), [2a04:4e42:65::760]:443->WGIPv6INTERFACEADDRESS:38450, len 1380 (Facebook)
input: in:wg1 out:(unknown 0), connection-state:new proto TCP (ACK,PSH), [2a00:1450:400e:800::200a]:443->WGIPv6INTERFACEADDRESS:48694, len 105 (Google)

I'm a little confused as to what these are, but is there a way that I could or should adjust the firewall rules to allow these through if necessary? If the "IN" interface is WG1, it's also not part of my "LAN" interface list so I imagine it would have had the same result with the default rule.

Firewall Rules
/ipv6 firewall address-list
add address=::/128 comment="defconf: unspecified address" list=bad_ipv6
add address=::1/128 comment="defconf: lo" list=bad_ipv6
add address=fec0::/10 comment="defconf: site-local" list=bad_ipv6
add address=::ffff:0.0.0.0/96 comment="defconf: ipv4-mapped" list=bad_ipv6
add address=::/96 comment="defconf: ipv4 compat" list=bad_ipv6
add address=100::/64 comment="defconf: discard only " list=bad_ipv6
add address=2001:db8::/32 comment="defconf: documentation" list=bad_ipv6
add address=2001:10::/28 comment="defconf: ORCHID" list=bad_ipv6
add address=3ffe::/16 comment="defconf: 6bone" list=bad_ipv6
/ipv6 firewall filter
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMPv6" protocol=icmpv6
add action=accept chain=input comment="defconf: accept UDP traceroute" port=33434-33534 protocol=udp
add action=accept chain=input comment="defconf: accept DHCPv6-Client prefix delegation." dst-port=546 protocol=udp src-address=fe80::/10
add action=accept chain=input comment="defconf: accept IKE" dst-port=500,4500 protocol=udp
add action=accept chain=input comment="defconf: accept ipsec AH" protocol=ipsec-ah
add action=accept chain=input comment="defconf: accept ipsec ESP" protocol=ipsec-esp
add action=accept chain=input comment="defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=input comment="Allow full access to the LAN input chain from trusted LANs" in-interface-list=LAN_TRUSTED
add action=drop chain=input comment="defconf: drop everything else not coming from LAN" disabled=yes in-interface-list=!LAN
add action=accept chain=input comment="Allow LAN multicast (UDP)" dst-address=ff00::/8 in-interface-list=LAN protocol=udp
add action=accept chain=input comment="Allow LAN DNS queries (UDP)" dst-port=53 in-interface-list=LAN protocol=udp
add action=accept chain=input comment="Allow LAN DNS queries (TCP)" dst-port=53 in-interface-list=LAN protocol=tcp
add action=drop chain=input comment="Drop remaining traffic on the input chain" log=yes
add action=accept chain=forward comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf: drop packets with bad src ipv6" src-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: drop packets with bad dst ipv6" dst-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: rfc4890 drop hop-limit=1" hop-limit=equal:1 protocol=icmpv6
add action=accept chain=forward comment="defconf: accept ICMPv6" protocol=icmpv6
add action=accept chain=forward comment="defconf: accept HIP" protocol=139
add action=accept chain=forward comment="defconf: accept IKE" dst-port=500,4500 protocol=udp
add action=accept chain=forward comment="defconf: accept ipsec AH" protocol=ipsec-ah
add action=accept chain=forward comment="defconf: accept ipsec ESP" protocol=ipsec-esp
add action=accept chain=forward comment="defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=forward comment="VPN Safety Net" in-interface-list=WG_VPN_Provider_Clients out-interface-list=WAN
add action=accept chain=forward comment="Allow trusted LAN to forward to all interface lists" in-interface-list=LAN_TRUSTED out-interface-list=all
add action=accept chain=forward comment="Allow untrusted LAN to forward only to WAN" in-interface-list=LAN_UNTRUSTED out-interface-list=WAN
add action=accept chain=forward comment="Allow specific clients through the WG provider tunnels" in-interface-list=WG_VPN_Provider_Clients \
    out-interface-list=WG_WAN
add action=drop chain=forward comment="defconf: drop everything else not coming from LAN" disabled=yes in-interface-list=!LAN
add action=drop chain=forward comment="Drop remaining traffic on the forward chain"
/ipv6 firewall nat
add action=masquerade chain=srcnat out-interface-list=WG_WAN
 
mkx
Forum Guru
Posts: 11582
Joined: Thu Mar 03, 2016 10:23 pm

Re: IPv6 WG - Lots of "input: in:wg1 out:(unknown 0), connection-state:new proto TCP (ACK,PSH)" picked up by drop rule?  [SOLVED]

Mon Jan 30, 2023 4:07 pm

I seem to be getting the following kinds of packets getting dropped (out unknown?!):
input: in:wg1 out:(unknown 0), connection-state:new proto TCP (ACK), [2a04:4e42:65::760]:443->WGIPv6INTERFACEADDRESS:38450, len 1380 (Facebook)
input: in:wg1 out:(unknown 0), connection-state:new proto TCP (ACK,PSH), [2a00:1450:400e:800::200a]:443->WGIPv6INTERFACEADDRESS:48694, len 105 (Google)

Linux kernel connection tracking (upon which MT builds) is not perfect. For example it's known that it declares a connection (in its own connection table) as finished upon receiving the first TCP flag closing it (RST or FIN) ... but most TCP implementations (linux kernel included) may send such "ending" packets multiple times. So subsequent packets will always be recognised as "new" and invalid (due to invalid combination of flags) and then treated as such ... instead of having a timer (linux kernel has it for its own TCP connections ... connection has state "fin wait" or "fin2 wait") so that it would recognize those packets as belonging to a known (although dying) connection.

Another possibility is that something is probing your firewall ...

In any case, it's quite normal to see some amount of dropped packets (due to firewall rules) for various reasons. Unless you're debugging some connectivity problems or intrusion attempts, logging dropped packets/connections is useless.
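As an added illustration of the explanation above (not code from the thread or from MikroTik): the script below parses RouterOS firewall log lines of the shape quoted in the original post and sorts the dropped "connection-state:new" TCP segments into genuine connection attempts (bare SYN) versus late segments with no SYN, which is what the leftovers of an already-forgotten connection look like. The sample log lines, the documentation address 2001:db8::1 standing in for the WireGuard interface address, and the regular expression are all constructed for this example; the regex matches the bracketed IPv6 form seen in the post, not IPv4 log lines.

```python
"""Triage RouterOS firewall log lines that hit a logged drop rule.

Added example, not part of the forum thread.  It encodes the reply's point:
a TCP segment logged as connection-state:new that carries no SYN is almost
always the tail of a flow connection tracking has already dropped from its
table (retransmitted FIN/RST-era packets), whereas a bare SYN is a real new
connection attempt and the only kind of 'new' TCP a firewall should expect.
"""
import re
from collections import Counter
from typing import Optional

# Constructed sample lines modelled on the ones quoted in the original post.
# 2001:db8::1 is a documentation address standing in for the WG interface address.
SAMPLE_LOG = """\
input: in:wg1 out:(unknown 0), connection-state:new proto TCP (ACK), [2a04:4e42:65::760]:443->[2001:db8::1]:38450, len 1380
input: in:wg1 out:(unknown 0), connection-state:new proto TCP (ACK,PSH), [2a00:1450:400e:800::200a]:443->[2001:db8::1]:48694, len 105
input: in:wg1 out:(unknown 0), connection-state:new proto TCP (SYN), [2001:db8:ffff::9]:51234->[2001:db8::1]:22, len 80
input: in:wg1 out:(unknown 0), connection-state:new proto TCP (SYN), [2001:db8:ffff::9]:51235->[2001:db8::1]:8291, len 80
input: in:wg1 out:(unknown 0), connection-state:new proto UDP, [2001:db8:ffff::7]:5353->[2001:db8::1]:5353, len 60
"""

# Pattern for the IPv6 log form shown in the thread (assumed layout; adjust for
# logs that carry extra fields such as a prefix from the rule's log-prefix).
LOG_RE = re.compile(
    r"^(?P<chain>\w+): in:(?P<in_if>\S+) out:(?P<out_if>\(unknown 0\)|\S+), "
    r"(?:src-mac (?P<src_mac>[0-9a-fA-F:]+), )?"
    r"connection-state:(?P<cstate>\w+) proto (?P<proto>\w+)"
    r"(?: \((?P<flags>[A-Z,]+)\))?, "
    r"\[(?P<src>[0-9a-fA-F:.]+)\]:(?P<sport>\d+)->\[(?P<dst>[0-9a-fA-F:.]+)\]:(?P<dport>\d+), "
    r"len (?P<len>\d+)$"
)


def parse_line(line: str) -> Optional[dict]:
    """Return the fields of one log line, or None if it does not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    entry = m.groupdict()
    entry["flags"] = entry["flags"].split(",") if entry["flags"] else []
    for key in ("sport", "dport", "len"):
        entry[key] = int(entry[key])
    return entry


def classify(entry: dict) -> str:
    """Label a dropped packet by what its TCP flags say about its origin."""
    if entry["proto"] != "TCP":
        return "non-tcp"
    flags = set(entry["flags"])
    if "SYN" in flags and "ACK" not in flags:
        # A bare SYN is a genuine attempt to open a connection; if the
        # destination port is an administrative service, this is worth a look.
        return "new-tcp"
    if "SYN" not in flags:
        # ACK / ACK,PSH / FIN / RST with no tracked connection: the flow is
        # unknown to conntrack, so the packet is a leftover of a finished or
        # expired connection (the reply's explanation) or asymmetric routing.
        # A remote port such as 443 points at a connection this side opened.
        return "late-segment"
    # SYN,ACK with no tracked connection: a reply to a SYN conntrack never saw.
    return "syn-ack"


def triage(log_text: str) -> dict:
    """Count log lines per category; unparsable lines are counted separately."""
    counts: Counter = Counter()
    for line in log_text.splitlines():
        entry = parse_line(line)
        counts["unparsed" if entry is None else classify(entry)] += 1
    return dict(counts)


if __name__ == "__main__":
    for raw in SAMPLE_LOG.splitlines():
        e = parse_line(raw)
        print(f"{classify(e):13s} [{e['src']}]:{e['sport']} -> :{e['dport']} "
              f"flags={','.join(e['flags']) or '-'}")
    print(triage(SAMPLE_LOG))
```

Run against a real export of the drop rule's log entries, the counts show how much of the noise is "late-segment" (harmless conntrack leftovers from the router's own outbound sessions) and how much is "new-tcp" towards ports like 22 or 8291, which is the part that actually merits attention.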
