orphan packets with ownership are not silently dropped #462

Open
jgmbenoit opened this issue Jul 30, 2021 · 1 comment

Comments

@jgmbenoit
Contributor

When we fine-tune a rule with user, the FIREHOL_DROP_ORPHAN_TCP_ setups have no effect since ownerships are not taken into account. Is there any easy workaround?

@Elkropac

Elkropac commented Feb 9, 2022

Hi, can you please provide more info?
I have some firehol rules to allow a specific UID to go to a specific IP and PORT.
It is logged like this:

Feb  9 11:27:28 vps1 kernel: [134646.090060] ACCEPT user output:IN= OUT=eth0 SRC=x.x.x.x DST=y.y.y.y LEN=52 TOS=0x00 PREC=0x00 TTL=64 ID=48694 DF PROTO=TCP SPT=52932 DPT=9543 WINDOW=502 RES=0x00 ACK URGP=0 UID=400013 GID=400013 

Sometimes I see lots of these messages:

Feb  9 11:27:28 vps1 kernel: [134646.220985] DROP UNMATCHED OUT-wan:IN= OUT=eth0 SRC=x.x.x.x DST=y.y.y.y LEN=40 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=TCP SPT=52932 DPT=9543 WINDOW=0 RES=0x00 RST URGP=0 

Customer complains that they cannot communicate with their allowed IP/port.

Recently we upgraded to Debian 11, so firehol updated from 3.1.6 to 3.1.7.

But I don't think this is related. I found these messages in logs before the upgrade.
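The two kernel log lines quoted above share the same 5-tuple (SRC/DST, SPT/DPT, TCP): first an owner-matched ACCEPT carrying a UID, then a DROP of an RST for the same connection. The script below is an added example, not part of this issue or of FireHOL, that correlates iptables LOG lines this way so an operator can check whether the UNMATCHED drops are the tails of owner-accepted flows or unrelated traffic. The sample log text is constructed (placeholder addresses, modelled on the quoted lines); the prefix strings ACCEPT/DROP are assumed to start the LOG prefix as they do in the quoted output.

```python
import re

# Constructed sample, modelled on the two lines quoted in the comment above.
# Addresses are RFC 5737 placeholders; the third line is an unrelated SYN
# that was never owner-accepted and must not be reported.
SAMPLE_LOG = """\
Feb  9 11:27:28 vps1 kernel: [134646.090060] ACCEPT user output:IN= OUT=eth0 SRC=10.0.0.5 DST=192.0.2.10 LEN=52 TOS=0x00 PREC=0x00 TTL=64 ID=48694 DF PROTO=TCP SPT=52932 DPT=9543 WINDOW=502 RES=0x00 ACK URGP=0 UID=400013 GID=400013
Feb  9 11:27:28 vps1 kernel: [134646.220985] DROP UNMATCHED OUT-wan:IN= OUT=eth0 SRC=10.0.0.5 DST=192.0.2.10 LEN=40 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=TCP SPT=52932 DPT=9543 WINDOW=0 RES=0x00 RST URGP=0
Feb  9 11:27:29 vps1 kernel: [134647.000000] DROP UNMATCHED OUT-wan:IN= OUT=eth0 SRC=10.0.0.5 DST=198.51.100.7 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=1 DF PROTO=TCP SPT=40000 DPT=80 WINDOW=64240 RES=0x00 SYN URGP=0
"""

# "kernel: [<uptime>] <LOG prefix>:IN=<rest of packet fields>"
LINE_RE = re.compile(r"kernel: \[\s*[\d.]+\] (?P<prefix>.*?):IN=(?P<rest>.*)$")
TCP_FLAGS = {"SYN", "ACK", "FIN", "RST", "PSH", "URG"}


def parse_log_line(line):
    """Split one iptables LOG line into (prefix, key=value fields, bare flags).

    Tokens such as DF, ACK or RST have no '=' and are collected as flags.
    Returns None for lines that are not iptables LOG output.
    """
    m = LINE_RE.search(line)
    if not m:
        return None
    fields, flags = {}, set()
    for tok in ("IN=" + m.group("rest")).split():
        if "=" in tok:
            key, _, value = tok.partition("=")
            fields[key] = value
        else:
            flags.add(tok)
    return m.group("prefix"), fields, flags


def flow_key(fields):
    """5-tuple identifying a connection, direction-sensitive (outbound here)."""
    return (fields.get("PROTO"), fields.get("SRC"), fields.get("SPT"),
            fields.get("DST"), fields.get("DPT"))


def find_orphan_drops(log_text):
    """Report DROP events whose flow was earlier ACCEPTed by an owner-matched
    rule (UID= present), i.e. later packets of a flow the owner match no
    longer recognises. Each hit records the flow, the owning UID and the
    TCP flags of the dropped packet.
    """
    owner_accepted = {}   # flow 5-tuple -> UID from the ACCEPT line
    orphans = []
    for line in log_text.splitlines():
        parsed = parse_log_line(line)
        if parsed is None:
            continue
        prefix, fields, flags = parsed
        key = flow_key(fields)
        if prefix.startswith("ACCEPT") and "UID" in fields:
            owner_accepted[key] = fields["UID"]
        elif prefix.startswith("DROP") and key in owner_accepted:
            orphans.append({
                "flow": key,
                "uid": owner_accepted[key],
                "flags": sorted(flags & TCP_FLAGS),
                "prefix": prefix,
            })
    return orphans


if __name__ == "__main__":
    for hit in find_orphan_drops(SAMPLE_LOG):
        print(f"{hit['prefix']}: flow {hit['flow']} owned by UID {hit['uid']} "
              f"dropped with flags {hit['flags']}")
```

Feed it the relevant slice of the kernel log (for example `journalctl -k` output) to see which dropped packets belong to connections a UID-based rule had already accepted; a result dominated by RST or FIN packets matches the pattern the issue describes, while SYN or data packets of never-accepted flows point elsewhere.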
