OK. Might I suggest there might be something erroneous with the web GUI? I use a standard Chrome client on OS X most of the time. Or maybe the detection needs to be adjusted, because just using the web GUI isn't supposed to trigger a block, is it?
ASL won't block on a single firewall event. If you are getting shunned, that means one of three things is happening:
1) invalid packet dropping is not configured (https://www.atomicorp.com/wiki/index.ph ... OP_INVALID)
2) somehow the firewall rules are out of order
3) the client is sending a LOT of RST packets, way way too many - which can happen if the client has a broken firewall (on the client) or a broken stack/client
4) the system isn't using the ASL kernel, so it doesn't support INVALID tracking and is treating invalid packets as valid packets
The client, not the server, is sending all these packets, and ASL won't block on a single firewall event. So if you are getting a firewall shun, and FW_DROP_INVALID is enabled, then the client is doing something really strange and it's sending blind RSTs to the server. And to be honest I've never seen a client do this unless either its stack is broken, the client has a broken firewall/accelerator, or the client itself is broken.
One last thing that could be happening is if you set up a custom rule to allow connections to port 30000, or your rules are somehow out of order, you could end up with a case where INVALID checks don't occur on port 30000. The order of your rules should look like this:
iptables -L -n
Chain INPUT (policy ACCEPT)
First block are the active response rules:
ASL-ACTIVE-RESPONSE all -- 1.2.3.4 0.0.0.0/0
Then geoblocking:
ASL-GEO-BLACKLIST all -- 0.0.0.0/0 0.0.0.0/0
Then the blacklists:
ASL-BLACKLIST all -- 0.0.0.0/0 0.0.0.0/0
If you have it enabled, small packet blocking:
ASL-SMALLPACKETS ah -- 0.0.0.0/0 0.0.0.0/0 length 0:35
ASL-SMALLPACKETS esp -- 0.0.0.0/0 0.0.0.0/0 length 0:49
ASL-SMALLPACKETS 47 -- 0.0.0.0/0 0.0.0.0/0 length 0:39
ASL-SMALLPACKETS 30 -- 0.0.0.0/0 0.0.0.0/0 length 0:31
ASL-SMALLPACKETS icmp -- 0.0.0.0/0 0.0.0.0/0 length 0:27
ASL-SMALLPACKETS tcp -- 0.0.0.0/0 0.0.0.0/0 length 0:39
ASL-SMALLPACKETS udp -- 0.0.0.0/0 0.0.0.0/0 length 0:27
ASL-BADPACKETS tcp -- 0.0.0.0/0 0.0.0.0/0 tcp option=128
ASL-BADPACKETS tcp -- 0.0.0.0/0 0.0.0.0/0 tcp option=64
Then portscans:
ASL-PORTSCAN tcp -- 0.0.0.0/0 0.0.0.0/0 tcp flags:0x3F/0x37
ASL-PORTSCAN tcp -- 0.0.0.0/0 0.0.0.0/0 tcp flags:0x3F/0x2B
ASL-PORTSCAN tcp -- 0.0.0.0/0 0.0.0.0/0 tcp flags:0x3F/0x29
ASL-PORTSCAN tcp -- 0.0.0.0/0 0.0.0.0/0 tcp flags:0x3F/0x1A
ASL-PORTSCAN tcp -- 0.0.0.0/0 0.0.0.0/0 tcp flags:0x3F/0x0A
ASL-PORTSCAN tcp -- 0.0.0.0/0 0.0.0.0/0 tcp flags:0x3F/0x0D
ASL-PORTSCAN tcp -- 0.0.0.0/0 0.0.0.0/0 tcp flags:0x3F/0x1C
ASL-PORTSCAN tcp -- 0.0.0.0/0 0.0.0.0/0 tcp flags:0x3F/0x03
ASL-PORTSCAN tcp -- 0.0.0.0/0 0.0.0.0/0 tcp flags:0x3F/0x00
ASL-PORTSCAN tcp -- 0.0.0.0/0 0.0.0.0/0 tcp flags:0x3F/0x3F
ASL-PORTSCAN tcp -- 0.0.0.0/0 0.0.0.0/0 tcp flags:0x3F/0x3F
ASL-PORTSCAN tcp -- 0.0.0.0/0 0.0.0.0/0 tcp flags:0x3F/0x00
ASL-PORTSCAN tcp -- 0.0.0.0/0 0.0.0.0/0 tcp flags:0x3F/0x01
ASL-PORTSCAN tcp -- 0.0.0.0/0 0.0.0.0/0 tcp flags:0x3F/0x29
ASL-PORTSCAN tcp -- 0.0.0.0/0 0.0.0.0/0 tcp flags:0x29/0x29
ASL-PORTSCAN tcp -- 0.0.0.0/0 0.0.0.0/0 tcp flags:0x22/0x22
ASL-PORTSCAN tcp -- 0.0.0.0/0 0.0.0.0/0 tcp flags:0x11/0x01
ASL-PORTSCAN tcp -- 0.0.0.0/0 0.0.0.0/0 tcp flags:0x18/0x08
ASL-PORTSCAN tcp -- 0.0.0.0/0 0.0.0.0/0 tcp flags:0x06/0x06
ASL-PORTSCAN tcp -- 0.0.0.0/0 0.0.0.0/0 tcp flags:0x05/0x05
ASL-PORTSCAN tcp -- 0.0.0.0/0 0.0.0.0/0 tcp flags:0x03/0x03
Then, if you have it enabled, fragment dropping:
ASL-FRAGMENTS all -f 0.0.0.0/0 0.0.0.0/0
Then invalid packet dropping:
DROP all -- 0.0.0.0/0 0.0.0.0/0 state INVALID
And now all the rules that allow traffic:
This is a special loopback rule for the ASL web console:
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:30000 state NEW
This is the tortixd ACL (if you use this, this allows you to limit the IPs that connect to the ASL web console):
ASL-TORTIXD-ACL tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:30000 state NEW
This is where you would see any of the experimental ACL rules (this is an alpha feature; don't worry if you don't see this, it means you aren't experimenting):
LOCAL-0-port-ACL tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:port state NEW
And finally the main deny-unless-allowed ruleset that generates the DROP_ASL_INPUT messages:
ASL-Firewall-INPUT all -- 0.0.0.0/0 0.0.0.0/0
The point being that INVALID needs to come ahead of any allow rules, so if that's not the case on the system and an allow rule comes before INVALID, then INVALID packets won't get dropped and will get treated as potentially malicious (if they aren't valid, then they will be treated as an attempt to probe the system).
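A script that performs the ordering check described in this reply, added here as an illustration and not part of the original post or of ASL itself. It parses `iptables -L -n` output and reports whether the INPUT chain's `DROP ... state INVALID` rule sits before the first allow-side rule. Which targets count as "allow-side" (ACCEPT, jumps to chains ending in `-ACL`, and ASL-Firewall-INPUT, following the layout quoted above) is an assumption of this script; the listings embedded in it are constructed samples, not captured from a real host. It also accepts `ctstate INVALID`, which iptables prints when the conntrack match is used instead of the older state match.

```python
"""Check that an iptables INPUT chain drops INVALID packets before any allow rule.

Added illustration, not part of ASL. Run with no arguments to check the
constructed samples below, or with --live to parse `iptables -L -n` on the
current host (needs root).
"""
import re
import subprocess
import sys
from typing import Dict, List, Tuple

# Constructed sample listings (abbreviated), not captured from a real system.
SAMPLE_GOOD = """\
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
ASL-ACTIVE-RESPONSE  all  --  1.2.3.4              0.0.0.0/0
ASL-BLACKLIST  all  --  0.0.0.0/0            0.0.0.0/0
DROP       all  --  0.0.0.0/0            0.0.0.0/0            state INVALID
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:30000 state NEW
ASL-Firewall-INPUT  all  --  0.0.0.0/0            0.0.0.0/0

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
"""

# Same layout, but the port 30000 ACCEPT was inserted ahead of the INVALID drop.
SAMPLE_BAD = """\
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
ASL-ACTIVE-RESPONSE  all  --  1.2.3.4              0.0.0.0/0
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:30000 state NEW
DROP       all  --  0.0.0.0/0            0.0.0.0/0            state INVALID
ASL-Firewall-INPUT  all  --  0.0.0.0/0            0.0.0.0/0
"""

# FW_DROP_INVALID not configured at all: no INVALID rule anywhere in INPUT.
SAMPLE_MISSING = """\
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
ASL-BLACKLIST  all  --  0.0.0.0/0            0.0.0.0/0
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:30000 state NEW
ASL-Firewall-INPUT  all  --  0.0.0.0/0            0.0.0.0/0
"""

# Matches both the legacy "state INVALID" and the conntrack "ctstate INVALID" forms.
INVALID_RE = re.compile(r"\b(?:ct)?state\s+INVALID\b")


def is_allow_rule(target: str) -> bool:
    """Assumption: these targets form the 'allow' side of the ASL INPUT layout."""
    return target == "ACCEPT" or target.endswith("-ACL") or target == "ASL-Firewall-INPUT"


def input_chain_rules(listing: str) -> List[str]:
    """Return the rule lines of the INPUT chain, in order, skipping headers."""
    rules: List[str] = []
    in_input = False
    for line in listing.splitlines():
        if line.startswith("Chain "):
            in_input = line.startswith("Chain INPUT ")
            continue
        if not in_input or not line.strip() or line.startswith("target"):
            continue
        rules.append(line.rstrip())
    return rules


def check_invalid_ordering(listing: str) -> Tuple[str, int, int]:
    """Return (verdict, invalid_rule_no, first_allow_rule_no).

    Rule numbers are 1-based like `iptables -L --line-numbers`; 0 means absent.
    verdict is 'ok', 'misordered' (an allow rule precedes the INVALID drop) or
    'missing' (no DROP ... INVALID rule in the INPUT chain).
    """
    invalid_no = 0
    allow_no = 0
    for no, rule in enumerate(input_chain_rules(listing), start=1):
        target = rule.split()[0]
        if invalid_no == 0 and target == "DROP" and INVALID_RE.search(rule):
            invalid_no = no
        if allow_no == 0 and is_allow_rule(target):
            allow_no = no
    if invalid_no == 0:
        return "missing", 0, allow_no
    if allow_no and allow_no < invalid_no:
        return "misordered", invalid_no, allow_no
    return "ok", invalid_no, allow_no


def main(argv: List[str]) -> int:
    if "--live" in argv:
        out = subprocess.run(["iptables", "-L", "-n"], check=True,
                             capture_output=True, text=True).stdout
        samples: Dict[str, str] = {"live INPUT chain": out}
    else:
        samples = {"good": SAMPLE_GOOD, "misordered": SAMPLE_BAD, "missing": SAMPLE_MISSING}
    status = 0
    for name, listing in samples.items():
        verdict, inv, allow = check_invalid_ordering(listing)
        print(f"{name}: {verdict} (INVALID drop at rule {inv or '-'}, "
              f"first allow rule at {allow or '-'})")
        if verdict != "ok":
            status = 1
    return status


if __name__ == "__main__":
    sys.exit(main(sys.argv[1:]))
```

On a live host the script exits non-zero when the INVALID drop is missing or sits below an allow rule, which is the situation the reply describes where port 30000 traffic never reaches the INVALID check; the rule numbers it prints line up with `iptables -L INPUT -n --line-numbers` so the offending rule can be located directly.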