Block Big Brother

[knc1]

This thread is a continuation of managing the Kindle firewall at:
https://www.mobileread.com/forums/sho...d.php?t=205068

This thread is also based on materials in the following threads:

• ssh/scp setup with connection details by nickname and the banner removed from dropbear: https://www.mobileread.com/forums/sho...d.php?t=204942
• Basics of iptables: https://www.mobileread.com/forums/sho...d.php?t=204676
• USBnetwork package installation under the KUAL launcher: https://www.mobileread.com/forums/sho...d.php?t=204450
• Kpw-5.3.1 -> Kpw-5.3.3 update and installation of the KUAL launcher: https://www.mobileread.com/forums/sho...&postcount=192
• Thread on the (K3 old and Kpw new) address ranges to block, see: https://www.mobileread.com/forums/sho...d.php?t=200475

References:
The *nix command crib-sheet linked to from this thread: https://www.mobileread.com/forums/sho...d.php?t=204534
NOTE: The version of those commands provided by Busybox on the Kindle usually only have a limited sub-set of the command features described in the crib-sheet.
iptables report reading: https://www.mobileread.com/forums/sho...d.php?t=204676
Amazon-net-13039: https://www.mobileread.com/forums/sho...35&postcount=5
Packet flow chart and iptables tutoral: http://www.frozentux.net/iptables-tu...ERSINGOFTABLES

Release posts:
bbb-13038: Bottom of this post.
bbb-13039: https://www.mobileread.com/forums/sho...60&postcount=6
bbb-13040: https://www.mobileread.com/forums/sho...1&postcount=13
bbb-13042: https://www.mobileread.com/forums/sho...3&postcount=24

Public Repository:
http://hg.minimodding.com/repos/sys/kBBB.hg/

Conditions:
In the prior thread on the basics of ssh/scp on the Kindle, you learned how to remove the banner and do remote exectuted programs via ssh.
In the prior thread on the Linux firewall tables, you found there are no restrictions on the USB0 interface. Your also read about the restrictions present on packets originating on the wlan0 (and 3G) interfaces.

You made note of the sequence required to start/stop USBnetwork, from the spoiler in the USBnetworking thread, which is repeated in the spoiler here:

Spoiler:

Quote:

This order should work on all firmware versions.
Early firmwares, v-2 and v-3 may also work with the cable attached.

• un-plug cable (if still plugged in)
• toggle USBnetwork ON in launcher
• plug the cable
• kill any automation (or configure yours to do: )
• sudo ip link set up dev usb0 (It may already be up)
• sudo ip address add 192.168.15.201 peer 192.168.15.244 dev usb0
• use the networking until your done (telnet ken1 OR ssh kpw)
• un-plug cable
• toggle USBnetwork OFF in launcher

You may or may not have configured your network automation to automatically bring up the link and set the point-to-point address that you are using on your host PC.
There are a number of network automation things used by the various Linux distributions, refer to your distribution information on how to set up yours (not here, your distro's help forum).
Windows and MacOSx also have provisions for automating the host connection setup.

Crank-up your USB networked Kindle (a Kpw-5.3.3 used here) and be sure things are still working the way we left them (connection details by nickname, no banner from dropbear):

Code:

core2quad ~ $ ssh kpw
#################################################
#  N O T I C E  *  N O T I C E  *  N O T I C E  # 
#################################################
Rootfs is mounted read-only. Invoke mntroot rw to
switch back to a writable rootfs.
#################################################
[root@kindle root]#

It LIVES!
You can leave that connection up for your own exploring during the rest of this post.

Someday, the BBB extension may have buttons, but for now, do this manually.
Even worse than that, doing it manually reveals some software bugs in the Amazon build of the iptables* utilities.
So what follows is not the way I would choose to do this, if I had a choice.

Create a home for the BBB extension iptable script(s) and the modified iptables rule-sets(s):

Code:

core2quad ~ $ ssh kpw "mkdir -p /mnt/us/extensions/bbb/config.d"
core2quad ~ $ ssh kpw "mkdir -p /mnt/us/extensions/bbb/frags"
core2quad ~ $ ssh kpw "ls -l /mnt/us/extensions/bbb"
drwxr-xr-x    2 root     root          8192 Feb  7 15:39 config.d
drwxr-xr-x    2 root     root          8192 Feb  7 15:40 frags

Move the added-BBB iptable file and the del-BBB script to their respective homes:

Code:

core2quad usb-0.7.N $ scp added-bbb-13038.txt kpw:/mnt/us/extensions/bbb/frags
added-bbb-13038.txt                           100% 1210     1.2KB/s   00:00    

core2quad usb-0.7.N $ scp del-bbb-13038.sh kpw:/mnt/us/extensions/bbb/config.d
del-bbb-13038.sh                              100%  741     0.7KB/s   00:00

The number in the names is: YYDDD of the file creation (version as it where).

Now run the iptables-restore utility on the Kindle to install the modified table rule-set:

Code:

core2quad usb-0.7.N $ ssh kpw "PATH=$PATH ; iptables-restore < /mnt/us/extensions/bbb/frags/added-bbb-13038.txt"

Check our work, see what the output chain rules are now:

Code:

core2quad usb-0.7.N $ ssh kpw "PATH=$PATH ; iptables -vnL OUTPUT"
Chain OUTPUT (policy ACCEPT 45 packets, 6024 bytes)
 pkts bytes target     prot opt in     out     source               destination         
    8   696 ACCEPT     all  --  *      lo      0.0.0.0/0            127.0.0.1           
    0     0 DROP       all  --  *      *       0.0.0.0/0            23.20.0.0/14        
    0     0 DROP       all  --  *      *       0.0.0.0/0            54.240.0.0/12       
    0     0 DROP       all  --  *      *       0.0.0.0/0            54.240.128.0/18     
    0     0 DROP       all  --  *      *       0.0.0.0/0            64.208.0.0/16       
    0     0 DROP       all  --  *      *       0.0.0.0/0            64.209.0.0/17       
    0     0 DROP       all  --  *      *       0.0.0.0/0            72.21.192.0/19      
    0     0 DROP       all  --  *      *       0.0.0.0/0            176.32.96.0/21      
    0     0 DROP       all  --  *      *       0.0.0.0/0            178.236.0.0/21      
    0     0 DROP       all  --  *      *       0.0.0.0/0            205.251.192.0/18    
    0     0 DROP       all  --  *      *       0.0.0.0/0            207.171.160.0/19

Now disable "airplane mode" and enable WiFi.
You don't need to do anything else, other than connect to Wifi, any Wifi.
Wait a few moments, and re-check the counters on the output chain again:

Code:

core2quad usb-0.7.N $ ssh kpw "PATH=$PATH ; iptables -vnL OUTPUT"
Chain OUTPUT (policy ACCEPT 186 packets, 20334 bytes)
 pkts bytes target     prot opt in     out     source               destination         
    8   696 ACCEPT     all  --  *      lo      0.0.0.0/0            127.0.0.1           
   73 11972 DROP       all  --  *      *       0.0.0.0/0            23.20.0.0/14        
    0     0 DROP       all  --  *      *       0.0.0.0/0            54.240.0.0/12       
    0     0 DROP       all  --  *      *       0.0.0.0/0            54.240.128.0/18     
    0     0 DROP       all  --  *      *       0.0.0.0/0            64.208.0.0/16       
    0     0 DROP       all  --  *      *       0.0.0.0/0            64.209.0.0/17       
    8   544 DROP       all  --  *      *       0.0.0.0/0            72.21.192.0/19      
   12   720 DROP       all  --  *      *       0.0.0.0/0            176.32.96.0/21      
    6   360 DROP       all  --  *      *       0.0.0.0/0            178.236.0.0/21      
    4   304 DROP       all  --  *      *       0.0.0.0/0            205.251.192.0/18    
    0     0 DROP       all  --  *      *       0.0.0.0/0            207.171.160.0/19

Poor Chatty Kathy - she can't talk to Mama Amazon any longer.
If you open the 'store' now, after a long, long, long wait you should get a "We applogize, but something went wrong ..." message.
Yeah, buddy, and it is going to keep right on "going wrong".

BIG NOTE: This is the Kindle Paperwhite version 5.3.3 with the table from the 5.3.1 firmware!
Different version of the firmware may use different Amazon Cloud access addresses!

AN EVEN BIGGER NOTE: You must re-load the modified table **after** any system re-boot!

A little note: If you get the urge to hack the modified table on your own, your "recovery process" is to re-boot the Kindle. That will re-install the stock iptables rule-set.

To remove the "Big Brother Block" (BBB) :

Code:

core2quad usb-0.7.N $ ssh kpw "PATH=$PATH ; /mnt/us/extensions/bbb/config.d/del-bbb-13038.sh"

Verify that the rules are gone now:

Code:

core2quad usb-0.7.N $ ssh kpw "PATH=$PATH ; iptables -vnL OUTPUT"
Chain OUTPUT (policy ACCEPT 631 packets, 53736 bytes)
 pkts bytes target     prot opt in     out     source               destination         
    8   696 ACCEPT     all  --  *      lo      0.0.0.0/0            127.0.0.1

Due to the technical difficulties with the build of the iptables-* utilities shipped by Amazon, the BBB addition has to be hand merged with the output report of the iptables-save command.
The file at /etc/sysconfig/iptables is an Amazon copyrighted document, we can't post or redistribute that file.

But the output of the iptables-save command is a "data report" generated (and owned) by yourself.
People who would like to see a BBB table for their Kindle model and Model's firmware version should post their output report(s) in this thread.

There is a kWall extension in the works, but there is no time-table set for when it might be completed.
This work-around is all that I can offer right now.

Current release at: https://www.mobileread.com/forums/sho...3&postcount=24

[twobob]

BR2_PACKAGE_IPTABLES:

Linux kernel (2.4+) firewall, NAT, and packet mangling tools.

http://www.iptables.org/
License Details: http://www.iptables.org/licensing.html GPL 2.0

built for compliance using the Code Sourcery 2007 q3 ToolChain (flags by Niluje et al)
Standard Buildroot Source Code for the era of this post. See BR GIT Commits for that

[root@kindle root]# LD_LIBRARY_PATH=$LD_LIBRARY_PATH:/mnt/us/usr/lib /mnt/us/usr/sbin/iptables --help

Spoiler:

Quote:

iptables v1.4.16.3

Usage: iptables -[ACD] chain rule-specification [options]
iptables -I chain [rulenum] rule-specification [options]
iptables -R chain rulenum rule-specification [options]
iptables -D chain rulenum [options]
iptables -[LS] [chain [rulenum]] [options]
iptables -[FZ] [chain] [options]
iptables -[NX] chain
iptables -E old-chain-name new-chain-name
iptables -P chain target [options]
iptables -h (print this help information)

Commands:
Either long or short options are allowed.
--append -A chain Append to chain
--check -C chain Check for the existence of a rule
--delete -D chain Delete matching rule from chain
--delete -D chain rulenum
Delete rule rulenum (1 = first) from chain
--insert -I chain [rulenum]
Insert in chain as rulenum (default 1=first)
--replace -R chain rulenum
Replace rule rulenum (1 = first) in chain
--list -L [chain [rulenum]]
List the rules in a chain or all chains
--list-rules -S [chain [rulenum]]
Print the rules in a chain or all chains
--flush -F [chain] Delete all rules in chain or all chains
--zero -Z [chain [rulenum]]
Zero counters in chain or all chains
--new -N chain Create a new user-defined chain
--delete-chain
-X [chain] Delete a user-defined chain
--policy -P chain target
Change policy on chain to target
--rename-chain
-E old-chain new-chain
Change chain name, (moving any references)
Options:
--ipv4 -4 Nothing (line is ignored by ip6tables-restore)
--ipv6 -6 Error (line is ignored by iptables-restore)
[!] --proto -p proto protocol: by number or name, eg. `tcp'
[!] --source -s address[/mask][...]
source specification
[!] --destination -d address[/mask][...]
destination specification
[!] --in-interface -i input name[+]
network interface name ([+] for wildcard)
--jump -j target
target for rule (may load target extension)
--goto -g chain
jump to chain with no return
--match -m match
extended match (may load extension)
--numeric -n numeric output of addresses and ports
[!] --out-interface -o output name[+]
network interface name ([+] for wildcard)
--table -t table table to manipulate (default: `filter')
--verbose -v verbose mode
--line-numbers print line numbers when listing
--exact -x expand numbers (display exact values)
[!] --fragment -f match second or further fragments only
--modprobe=<command> try to insert modules using this command
--set-counters PKTS BYTES set the counter during insert/append
[!] --version -V print package version.

Should be good for the job. On all kindles K2 and newer...
I overkilled on the so naming redundancy as I believe is your preference.
If I missed out any essential "etc" stuff let me know. I ditched the man pages and such.

Enjoy.

EDIT: Rudimentary tests like --list work fine...

EDIT: Added iproute2 from https://www.mobileread.com/forums/sho...d.php?t=204385

[knc1]

Quote:

Originally Posted by twobob

BR2_PACKAGE_IPTABLES:

Linux kernel (2.4+) firewall, NAT, and packet mangling tools.

http://www.iptables.org/

built for compliance using the 2007 q3 TC

[root@kindle root]# LD_LIBRARY_PATH=$LD_LIBRARY_PATH:/mnt/us/usr/lib /mnt/us/usr/sbin/iptables --help


Should be good for the job. On all kindles K2 and newer...
I overkilled on the so naming redundancy as I believe is your preference.
If I missed out any essential "etc" stuff let me know. I ditched the man pages and such.

Enjoy.

EDIT: Rudimentary tests like --list work fine...

Thanks for that.

Been giving some more thought about the kWall package (to be) while giving my Kpw its first access to a public (non-AT&T) hotspot.

Whoot! I get to post the first "end-user report" (see below).

I suppose we should chat a bit more about kWall, later - like: "After Work".

[knc1]

Kpw-5.3.3 with BBB installed, at a public, non-AT&T (free) WiFi hotspot.

Some of the blocked ranges are not being hit.
This is expected behavior. bbb-13038 has both USA and UK cloud access ranges blocked.

The end-user experience could be a bit better - might have a go at using the REJECT (code) target rather than DROP.
At least then the foolish lab126 software might at least give up in less than 5 minutes or so.

Non-Amazon DNS is not being used. Need to fix that.

ICMP filter is allowing routing messages. Need to fix that.

For development purposes, adding some pcap format logging to what is being dropped (or rejected) might give a better idea of what the device is attempting to do.

There seems to be a "limit counter" in the system, which only allows a limited number of non-Amazon Wifi connections to fail trying to "call home" - and then it forces you to select a different network.
What is quite possible the "limit counter" is being displayed on the 711 page.

Need to find and fix that if possible.

Also, a bit of "mangle" table diddling of packet fields may be in order - further research required on that subject.
In particular, diddling the SECMARK and CONNSECMARK fields a bit (no pun intended).

Chatty Kathy with the gag on:

Code:

core2quad ~ $ ssh kpw "PATH=$PATH ; iptables -vnL OUTPUT"
Chain OUTPUT (policy ACCEPT 959 packets, 70802 bytes)
 pkts bytes target     prot opt in     out     source               destination         
  506  109K ACCEPT     all  --  *      lo      0.0.0.0/0            127.0.0.1           
  747  123K DROP       all  --  *      *       0.0.0.0/0            23.20.0.0/14        
    0     0 DROP       all  --  *      *       0.0.0.0/0            54.240.0.0/12       
    0     0 DROP       all  --  *      *       0.0.0.0/0            54.240.128.0/18     
    0     0 DROP       all  --  *      *       0.0.0.0/0            64.208.0.0/16       
    0     0 DROP       all  --  *      *       0.0.0.0/0            64.209.0.0/17       
   66  4008 DROP       all  --  *      *       0.0.0.0/0            72.21.192.0/19      
   48  2880 DROP       all  --  *      *       0.0.0.0/0            176.32.96.0/21      
    0     0 DROP       all  --  *      *       0.0.0.0/0            178.236.0.0/21      
   28  1808 DROP       all  --  *      *       0.0.0.0/0            205.251.192.0/18    
   24  1440 DROP       all  --  *      *       0.0.0.0/0            207.171.160.0/19

[knc1]

This information also included in the 13039 BBB release archives.

All information based on public registration data as of: Feb. 8, 2013.

K3: 23.0.0.0/12
NetRange: 23.20.0.0 - 23.23.255.255
CIDR: 23.20.0.0/14
OriginAS: AS16509
NetName: AMAZON-EC2-USEAST-10
RegDate: 2011-09-19
Updated: 2012-03-02
OrgName: Amazon.com, Inc.
OrgId: AMAZO-4

K3: 50.16.0.0/14
NetRange: 50.16.0.0 - 50.19.255.255
CIDR: 50.16.0.0/14
OriginAS:
NetName: AMAZON-EC2-8
RegDate: 2010-10-07
Updated: 2012-03-02
OrgName: Amazon.com, Inc.
OrgId: AMAZO-4

K3: 72.21.192.0/19
NetRange: 72.21.192.0 - 72.21.223.255
CIDR: 72.21.192.0/19
OriginAS:
NetName: AMAZON-02
RegDate: 2004-12-30
Updated: 2012-03-02
OrgName: Amazon.com, Inc.
OrgId: AMAZON-4

K3: 107.20.0.0/14
NetRange: 107.20.0.0 - 107.23.255.255
CIDR: 107.20.0.0/14
OriginAS:
NetName: AMAZON-EC2-8
RegDate: 2011-05-03
Updated: 2012-03-02
OrgName: Amazon.com, Inc.
OrgId: AMAZO-4

K3: 184.72.0.0/15
NetRange: 184.72.0.0 - 184.73.255.255
CIDR: 184.72.0.0/15
OriginAS:
NetName: AMAZON-EC2-7
RegDate: 2010-01-26
Updated: 2012-03-02
OrgName: Amazon.com, Inc.
OrgId: AMAZO-4

K3: 204.246.160.0/19
NetRange: 204.246.160.0 - 204.246.191.255
CIDR: 204.246.160.0/19
OriginAS: AS7224, AS16509, AS39111
NetName: AMAZON-04
RegDate: 2009-07-17
Updated: 2012-03-02
OrgName: Amazon.com, Inc.
OrgId: AMAZON-4

K3: 205.251.192.0/18
NetRange: 205.251.192.0 - 205.251.255.255
CIDR: 205.251.192.0/18
OriginAS: AS7224, AS16509, AS39111
NetName: AMAZON-05
RegDate: 2010-08-27
Updated: 2012-03-02
OrgName: Amazon.com, Inc.
OrgId: AMAZON-4

K3: 207.171.160.0/19
NetRange: 207.171.160.0 - 207.171.191.255
CIDR: 207.171.160.0/19
OriginAS: AS16509
NetName: AMAZON-01
RegDate: 1999-09-23
Updated: 2012-03-02
OrgName: Amazon.com, Inc.
OrgId: AMAZON-4

Kpw: 23.20.0.0/14
NetRange: 23.20.0.0 - 23.23.255.255
CIDR: 23.20.0.0/14
OriginAS: AS16509
NetName: AMAZON-EC2-USEAST-10
RegDate: 2011-09-19
Updated: 2012-03-02
OrgName: Amazon.com, Inc.
OrgId: AMAZO-4

Kpw: 54.240.0.0/12
Kpw: 54.240.128.0/18 ** If wanting to screen the sub-net **
Amazon Technologies Inc. AMAZON-2011L (NET-54-240-0-0-1) 54.240.0.0 - 54.255.255.255
Amazon Web Services, LLC AWSEMAIL-Z (NET-54-240-0-0-2) 54.240.0.0 - 54.240.63.255

Kpw: 64.208.0.0/16
Kpw: 64.209.0.0/17
NetRange: 64.208.0.0 - 64.209.127.255
CIDR: 64.208.0.0/16, 64.209.0.0/17
OriginAS: AS3549
RegDate: 2000-03-15
Updated: 2012-03-02
OrgName: Level 3 Communications, Inc.
OrgId: LVLT

Kpw: 72.21.192.0/19
NetRange: 72.21.192.0 - 72.21.223.255
CIDR: 72.21.192.0/19
OriginAS:
NetName: AMAZON-02
RegDate: 2004-12-30
Updated: 2012-03-02
OrgName: Amazon.com, Inc.
OrgId: AMAZON-4

Kpw: 176.32.96.0/21
inetnum: 176.32.96.0 - 176.32.103.255
netname: amazon-EU-IAD-PROD
descr: PROD IAD
country: NL

Kpw: 178.236.0.0/21
inetnum: 178.236.0.0 - 178.236.7.255
netname: IE-AMAZON
descr: Amazon Data Services Ireland
country: IE

Kpw: 205.251.192.0/18
NetRange: 205.251.192.0 - 205.251.255.255
CIDR: 205.251.192.0/18
OriginAS: AS7224, AS16509, AS39111
NetName: AMAZON-05
RegDate: 2010-08-27
Updated: 2012-03-02
OrgName: Amazon.com, Inc.
OrgId: AMAZON-4

Kpw: 207.171.160.0/19
NetRange: 207.171.160.0 - 207.171.191.255
CIDR: 207.171.160.0/19
OriginAS: AS16509
NetName: AMAZON-01
RegDate: 1999-09-23
Updated: 2012-03-02
OrgName: Amazon.com, Inc.
OrgId: AMAZON-4

[knc1]

Installation and verification of BBB, issue 13039

• Should be sufficently complete now to use on all Kindle models.
• Only tested on: K3 and Kpw firmwares, so it might miss something used by other models.
• Updated to include all currently known Amazon (and associates) IP address ranges.
• Known registration information file now included in the released archives.
• Since technical difficulties force restoring only a complete table, this one is a lot closer to a real-life firewall.

Install the rule-set and matching BBB delete script:

Code:

core2quad usb-0.7.N $ scp added-bbb-13039.txt kpw:/mnt/us/extensions/bbb/frags
added-bbb-13039.txt                              100% 2234     2.2KB/s   00:00
 
core2quad usb-0.7.N $ scp del-bbb-13039.sh kpw:/mnt/us/extensions/bbb/config.d
del-bbb-13039.sh                                 100% 1155     1.1KB/s   00:00    

core2quad usb-0.7.N $ ssh kpw "ls -l /mnt/us/extensions/bbb/*"
/mnt/us/extensions/bbb/config.d:
-rwxr-xr-x    1 root     root           741 Feb  7 15:57 del-bbb-13038.sh
-rwxr-xr-x    1 root     root          1155 Feb  8 18:07 del-bbb-13039.sh

/mnt/us/extensions/bbb/frags:
-rwxr-xr-x    1 root     root          1210 Feb  7 16:33 added-bbb-13038.txt
-rwxr-xr-x    1 root     root          2234 Feb  8 18:07 added-bbb-13039.txt

Re-load the kernel's firewall tables:

Code:

core2quad usb-0.7.N $ ssh kpw "PATH=$PATH ; iptables-restore < /mnt/us/extensions/bbb/frags/added-bbb-13039.txt"

Crank up your Wifi (or 3G - untested) play around a bit, and ...
The current firewall should now look like this:

Code:

core2quad usb-0.7.N $ ssh kpw "PATH=$PATH ; iptables -vnL"
Chain INPUT (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
   62 12125 ACCEPT     all  --  usb0   *       0.0.0.0/0            0.0.0.0/0           
    0     0 ACCEPT     all  --  lo     *       127.0.0.0/8          0.0.0.0/0           
    0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0           icmp type 8 
    3   252 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0           icmp type 0 
    0     0 DROP       icmp --  *      *       0.0.0.0/0            0.0.0.0/0           
    0     0 ACCEPT     tcp  --  wlan0  *       0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED 
    0     0 DROP       tcp  --  wlan0  *       0.0.0.0/0            0.0.0.0/0           
  103 50939 ACCEPT     udp  --  wlan0  *       0.0.0.0/0            0.0.0.0/0           state ESTABLISHED 
    2   624 DROP       udp  --  wlan0  *       0.0.0.0/0            0.0.0.0/0           
    1    28 DROP       all  --  wlan0  *       0.0.0.0/0            0.0.0.0/0           
    0     0 ACCEPT     udp  --  ppp0   *       0.0.0.0/0            0.0.0.0/0           udp spt:40317 
    0     0 ACCEPT     udp  --  ppp0   *       0.0.0.0/0            0.0.0.0/0           udp spt:49317 
    0     0 ACCEPT     udp  --  ppp0   *       0.0.0.0/0            0.0.0.0/0           udp spt:33434 
    0     0 ACCEPT     tcp  --  ppp0   *       0.0.0.0/0            0.0.0.0/0           tcp dpt:40317 
    0     0 ACCEPT     tcp  --  ppp0   *       0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED 
    0     0 DROP       tcp  --  ppp0   *       0.0.0.0/0            0.0.0.0/0           
    0     0 ACCEPT     udp  --  ppp0   *       0.0.0.0/0            0.0.0.0/0           state ESTABLISHED 
    0     0 DROP       all  --  ppp0   *       0.0.0.0/0            0.0.0.0/0           

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 DROP       all  --  ppp0   *       0.0.0.0/0            0.0.0.0/0           
    0     0 DROP       all  --  *      ppp0    0.0.0.0/0            0.0.0.0/0           
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           

Chain OUTPUT (policy ACCEPT 108 packets, 6809 bytes)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 ACCEPT     all  --  *      lo      0.0.0.0/0            127.0.0.0/8         
   69 17026 ACCEPT     all  --  *      usb0    0.0.0.0/0            0.0.0.0/0           
    0     0 DROP       all  --  *      *       0.0.0.0/0            23.0.0.0/12         
   87 14268 DROP       all  --  *      *       0.0.0.0/0            23.20.0.0/14        
    0     0 DROP       all  --  *      *       0.0.0.0/0            50.16.0.0/14        
    0     0 DROP       all  --  *      *       0.0.0.0/0            54.240.128.0/18     
    0     0 DROP       all  --  *      *       0.0.0.0/0            54.240.0.0/12       
    0     0 DROP       all  --  *      *       0.0.0.0/0            64.208.0.0/16       
    0     0 DROP       all  --  *      *       0.0.0.0/0            64.209.0.0/17       
   14   904 DROP       all  --  *      *       0.0.0.0/0            72.21.192.0/19      
    0     0 DROP       all  --  *      *       0.0.0.0/0            107.20.0.0/14       
    6   360 DROP       all  --  *      *       0.0.0.0/0            176.32.96.0/21      
    0     0 DROP       all  --  *      *       0.0.0.0/0            178.236.0.0/21      
    0     0 DROP       all  --  *      *       0.0.0.0/0            184.72.0.0/15       
    0     0 DROP       all  --  *      *       0.0.0.0/0            204.246.160.0/19    
    4   304 DROP       all  --  *      *       0.0.0.0/0            205.251.192.0/18    
    0     0 DROP       all  --  *      *       0.0.0.0/0            207.171.160.0/19

Note the much better accounting and the removal of some lab126 screw-ups.

To remove the BBB restrictions (only the BBB output restrictions):

Code:

core2quad usb-0.7.N $ ssh kpw "PATH=$PATH ; /mnt/us/extensions/bbb/config.d/del-bbb-13039.sh"

Confirm that they are now gone:

Code:

core2quad usb-0.7.N $ ssh kpw "PATH=$PATH ; iptables -vnL OUTPUT"
Chain OUTPUT (policy ACCEPT 261 packets, 16392 bytes)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 ACCEPT     all  --  *      lo      0.0.0.0/0            127.0.0.0/8         
  118 27290 ACCEPT     all  --  *      usb0    0.0.0.0/0            0.0.0.0/0

[twobob]

Given a smattering of iptables --check that could be end user friendly...

And would only require one button "TOGGLE BBB".

Thoughts on that?

[knc1]

Too late to night for checking on that, but . . . .

The following is for the case of two buttons, ON and OFF -

• Each function is a single command line.
• Each may be applied multiple times: (ON, ON, ON ...) or (OFF, OFF, OFF ...) without harm or change in behavior.
• The usability (and functionality) of the firewall now allows the user more freedom.
• Rules have to be "ordered" - this is organized so that to open a service "hole" - that rule can always be added as rule #1 in the input chain of the filter.
• Closing a service "hole" is done by removing the "exact matching" rule.
• No protection (yet) from starting multiple instances of the same service (intentional or by accident) - that will come in a later revision.

I will try to get my K3 as upto date with current customizations as I have my Kpw and test out the 3G stuff - but as of this release, it is the same functionality that was in the "stock" firewall.

[twobob]

I gave the script a read.

a single parsed existance check for a single known value in each instance would do the toggle job, no more complex that that in my mind.

single check. ready for a button. I noted a handy way of injecting info into the status bar on the touch (Eureka? I will dig it out) that may have some value on PW also. will check on other models...

[knc1]

Quote:

Originally Posted by twobob

I gave the script a read.

a single parsed existance check for a single known value in each instance would do the toggle job, no more complex that that in my mind.

single check. ready for a button. I noted a handy way of injecting info into the status bar on the touch (Eureka? I will dig it out) that may have some value on PW also. will check on other models...

The firewall rule-set is in USB-storage -
If the end-user wants to **not** block something I choose to block, all they have to do is put a # in front of the line.

Ah, the *.txt rule-sets supports comments - and I put some in this most recent one - just look at the add-bbb-13039.txt rule-set.

[knc1]

Quote:

Originally Posted by twobob

Given a smattering of iptables --check that could be end user friendly...

And would only require one button "TOGGLE BBB".

Thoughts on that?

I am hoping we can get the "button label feedback" we have discussed by the time I get kWall written - that will cut the number of all buttons required in half, me and every other helper.

[knc1]

Without any reports or feedback - I had to use kTerm during my "public hotspot" testing today. . . .

I was smirking a bit at the other fools in-range trying to get into my e-book.
Nobody was expecting an e-book with an industrial strength firewall.

I don't know if it is POI ready - Finch is pretty smart.

[knc1]

After three re-visions, everyone should know the manual "install" process by now:

Code:

core2quad usb-0.7.N $ scp added-bbb-13040.txt kpw:/mnt/us/extensions/bbb/frags
added-bbb-13040.txt                              100% 2474     2.4KB/s   00:00    

core2quad usb-0.7.N $ scp del-bbb-13040.sh kpw:/mnt/us/extensions/bbb/config.d
del-bbb-13040.sh                                 100% 1506     1.5KB/s   00:00    

core2quad usb-0.7.N $ ssh kpw "ls -l /mnt/us/extensions/bbb/*"
/mnt/us/extensions/bbb/config.d:
-rwxr-xr-x    1 root     root           741 Feb  7 15:57 del-bbb-13038.sh
-rwxr-xr-x    1 root     root          1125 Feb  8 18:20 del-bbb-13039.sh
-rwxr-xr-x    1 root     root          1506 Feb  9 09:38 del-bbb-13040.sh

/mnt/us/extensions/bbb/frags:
-rwxr-xr-x    1 root     root          1210 Feb  7 16:33 added-bbb-13038.txt
-rwxr-xr-x    1 root     root          2236 Feb  8 18:29 added-bbb-13039.txt
-rwxr-xr-x    1 root     root          2474 Feb  9 09:38 added-bbb-13040.txt

Now run the firewall rules restore utility with our custom rule-set as input:

Code:

core2quad usb-0.7.N $ ssh kpw "PATH=$PATH ; iptables-restore < /mnt/us/extensions/bbb/frags/added-bbb-13040.txt"

Doing a full restore of the kernel's tables zeros the counters:

Code:

core2quad usb-0.7.N $ ssh kpw "PATH=$PATH ; iptables -vnL"
Chain INPUT (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
   21  4059 ACCEPT     all  --  usb0   *       0.0.0.0/0            0.0.0.0/0           
    0     0 ACCEPT     all  --  lo     *       127.0.0.0/8          0.0.0.0/0           
    0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0           icmp type 8 
    0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED 
    0     0 DROP       icmp --  *      *       0.0.0.0/0            0.0.0.0/0           
    0     0 ACCEPT     tcp  --  wlan0  *       0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED 
    0     0 DROP       tcp  --  wlan0  *       0.0.0.0/0            0.0.0.0/0           
    0     0 ACCEPT     udp  --  wlan0  *       0.0.0.0/0            0.0.0.0/0           state ESTABLISHED 
    0     0 DROP       udp  --  wlan0  *       0.0.0.0/0            0.0.0.0/0           
    0     0 DROP       all  --  wlan0  *       0.0.0.0/0            0.0.0.0/0           
    0     0 ACCEPT     udp  --  ppp0   *       0.0.0.0/0            0.0.0.0/0           udp spt:40317 
    0     0 ACCEPT     udp  --  ppp0   *       0.0.0.0/0            0.0.0.0/0           udp spt:49317 
    0     0 ACCEPT     udp  --  ppp0   *       0.0.0.0/0            0.0.0.0/0           udp spt:33434 
    0     0 ACCEPT     tcp  --  ppp0   *       0.0.0.0/0            0.0.0.0/0           tcp dpt:40317 
    0     0 ACCEPT     tcp  --  ppp0   *       0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED 
    0     0 DROP       tcp  --  ppp0   *       0.0.0.0/0            0.0.0.0/0           
    0     0 ACCEPT     udp  --  ppp0   *       0.0.0.0/0            0.0.0.0/0           state ESTABLISHED 
    0     0 DROP       all  --  ppp0   *       0.0.0.0/0            0.0.0.0/0           

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 DROP       all  --  ppp0   *       0.0.0.0/0            0.0.0.0/0           
    0     0 DROP       all  --  *      ppp0    0.0.0.0/0            0.0.0.0/0           
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 ACCEPT     all  --  *      lo      0.0.0.0/0            127.0.0.0/8         
    0     0 DROP       all  --  *      *       0.0.0.0/0            23.0.0.0/12         
    0     0 DROP       all  --  *      *       0.0.0.0/0            23.20.0.0/14        
    0     0 DROP       all  --  *      *       0.0.0.0/0            50.16.0.0/14        
    0     0 DROP       all  --  *      *       0.0.0.0/0            54.240.128.0/18     
    0     0 DROP       all  --  *      *       0.0.0.0/0            54.240.0.0/12       
    0     0 DROP       all  --  *      *       0.0.0.0/0            64.208.0.0/16       
    0     0 DROP       all  --  *      *       0.0.0.0/0            64.209.0.0/17       
    0     0 DROP       all  --  *      *       0.0.0.0/0            72.21.192.0/19      
    0     0 DROP       all  --  *      *       0.0.0.0/0            107.20.0.0/14       
    0     0 DROP       all  --  *      *       0.0.0.0/0            176.32.96.0/21      
    0     0 DROP       all  --  *      *       0.0.0.0/0            178.236.0.0/21      
    0     0 DROP       all  --  *      *       0.0.0.0/0            184.72.0.0/15       
    0     0 DROP       all  --  *      *       0.0.0.0/0            204.246.160.0/19    
    0     0 DROP       all  --  *      *       0.0.0.0/0            205.251.192.0/18    
    0     0 DROP       all  --  *      *       0.0.0.0/0            207.171.160.0/19    
   21  2910 ACCEPT     all  --  *      usb0    0.0.0.0/0            0.0.0.0/0           
    0     0 ACCEPT     all  --  *      wlan0   0.0.0.0/0            0.0.0.0/0           
    0     0 ACCEPT     all  --  *      ppp0    0.0.0.0/0            0.0.0.0/0           
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0

Disable airplane mode, Select own Wifi AP, tap 'home' and:

Code:

core2quad usb-0.7.N $ ssh kpw "PATH=$PATH ; iptables -vnL"
Chain INPUT (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
   44  8222 ACCEPT     all  --  usb0   *       0.0.0.0/0            0.0.0.0/0           
    0     0 ACCEPT     all  --  lo     *       127.0.0.0/8          0.0.0.0/0           
    0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0           icmp type 8 
    0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED 
    0     0 DROP       icmp --  *      *       0.0.0.0/0            0.0.0.0/0           
    0     0 ACCEPT     tcp  --  wlan0  *       0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED 
    0     0 DROP       tcp  --  wlan0  *       0.0.0.0/0            0.0.0.0/0           
   16  6620 ACCEPT     udp  --  wlan0  *       0.0.0.0/0            0.0.0.0/0           state ESTABLISHED 
    2   624 DROP       udp  --  wlan0  *       0.0.0.0/0            0.0.0.0/0           
    0     0 DROP       all  --  wlan0  *       0.0.0.0/0            0.0.0.0/0           
    0     0 ACCEPT     udp  --  ppp0   *       0.0.0.0/0            0.0.0.0/0           udp spt:40317 
    0     0 ACCEPT     udp  --  ppp0   *       0.0.0.0/0            0.0.0.0/0           udp spt:49317 
    0     0 ACCEPT     udp  --  ppp0   *       0.0.0.0/0            0.0.0.0/0           udp spt:33434 
    0     0 ACCEPT     tcp  --  ppp0   *       0.0.0.0/0            0.0.0.0/0           tcp dpt:40317 
    0     0 ACCEPT     tcp  --  ppp0   *       0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED 
    0     0 DROP       tcp  --  ppp0   *       0.0.0.0/0            0.0.0.0/0           
    0     0 ACCEPT     udp  --  ppp0   *       0.0.0.0/0            0.0.0.0/0           state ESTABLISHED 
    0     0 DROP       all  --  ppp0   *       0.0.0.0/0            0.0.0.0/0           

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 DROP       all  --  ppp0   *       0.0.0.0/0            0.0.0.0/0           
    0     0 DROP       all  --  *      ppp0    0.0.0.0/0            0.0.0.0/0           
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 ACCEPT     all  --  *      lo      0.0.0.0/0            127.0.0.0/8         
    0     0 DROP       all  --  *      *       0.0.0.0/0            23.0.0.0/12         
    7  1148 DROP       all  --  *      *       0.0.0.0/0            23.20.0.0/14        
    0     0 DROP       all  --  *      *       0.0.0.0/0            50.16.0.0/14        
    0     0 DROP       all  --  *      *       0.0.0.0/0            54.240.128.0/18     
    0     0 DROP       all  --  *      *       0.0.0.0/0            54.240.0.0/12       
    0     0 DROP       all  --  *      *       0.0.0.0/0            64.208.0.0/16       
    0     0 DROP       all  --  *      *       0.0.0.0/0            64.209.0.0/17       
    8   512 DROP       all  --  *      *       0.0.0.0/0            72.21.192.0/19      
    0     0 DROP       all  --  *      *       0.0.0.0/0            107.20.0.0/14       
    0     0 DROP       all  --  *      *       0.0.0.0/0            176.32.96.0/21      
    0     0 DROP       all  --  *      *       0.0.0.0/0            178.236.0.0/21      
    0     0 DROP       all  --  *      *       0.0.0.0/0            184.72.0.0/15       
    0     0 DROP       all  --  *      *       0.0.0.0/0            204.246.160.0/19    
    2   152 DROP       all  --  *      *       0.0.0.0/0            205.251.192.0/18    
    0     0 DROP       all  --  *      *       0.0.0.0/0            207.171.160.0/19    
   46 10308 ACCEPT     all  --  *      usb0    0.0.0.0/0            0.0.0.0/0           
   16  1070 ACCEPT     all  --  *      wlan0   0.0.0.0/0            0.0.0.0/0           
    0     0 ACCEPT     all  --  *      ppp0    0.0.0.0/0            0.0.0.0/0           
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0

Just for those who might think that Kindles do not call home.

After a short "Public Wifi HotSpot" visit (three carriers available, including AT&T).
None of which Chatty Kathy can successfully connect too (connects to home Wifi just fine);

Code:

core2quad ~ $ ssh kpw "PATH=$PATH ; iptables -vnL"
Chain INPUT (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
   67 12937 ACCEPT     all  --  usb0   *       0.0.0.0/0            0.0.0.0/0           
  180 40362 ACCEPT     all  --  lo     *       127.0.0.0/8          0.0.0.0/0           
    1    48 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0           icmp type 8 
    0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED 
    0     0 DROP       icmp --  *      *       0.0.0.0/0            0.0.0.0/0           
    0     0 ACCEPT     tcp  --  wlan0  *       0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED 
    0     0 DROP       tcp  --  wlan0  *       0.0.0.0/0            0.0.0.0/0           
  320  162K ACCEPT     udp  --  wlan0  *       0.0.0.0/0            0.0.0.0/0           state ESTABLISHED 
    6  1992 DROP       udp  --  wlan0  *       0.0.0.0/0            0.0.0.0/0           
    3    84 DROP       all  --  wlan0  *       0.0.0.0/0            0.0.0.0/0           
    0     0 ACCEPT     udp  --  ppp0   *       0.0.0.0/0            0.0.0.0/0           udp spt:40317 
    0     0 ACCEPT     udp  --  ppp0   *       0.0.0.0/0            0.0.0.0/0           udp spt:49317 
    0     0 ACCEPT     udp  --  ppp0   *       0.0.0.0/0            0.0.0.0/0           udp spt:33434 
    0     0 ACCEPT     tcp  --  ppp0   *       0.0.0.0/0            0.0.0.0/0           tcp dpt:40317 
    0     0 ACCEPT     tcp  --  ppp0   *       0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED 
    0     0 DROP       tcp  --  ppp0   *       0.0.0.0/0            0.0.0.0/0           
    0     0 ACCEPT     udp  --  ppp0   *       0.0.0.0/0            0.0.0.0/0           state ESTABLISHED 
    0     0 DROP       all  --  ppp0   *       0.0.0.0/0            0.0.0.0/0           

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 DROP       all  --  ppp0   *       0.0.0.0/0            0.0.0.0/0           
    0     0 DROP       all  --  *      ppp0    0.0.0.0/0            0.0.0.0/0           
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
  180 40362 ACCEPT     all  --  *      lo      0.0.0.0/0            127.0.0.0/8         
    0     0 DROP       all  --  *      *       0.0.0.0/0            23.0.0.0/12         
  295 48380 DROP       all  --  *      *       0.0.0.0/0            23.20.0.0/14        
    0     0 DROP       all  --  *      *       0.0.0.0/0            50.16.0.0/14        
    0     0 DROP       all  --  *      *       0.0.0.0/0            54.240.128.0/18     
    0     0 DROP       all  --  *      *       0.0.0.0/0            54.240.0.0/12       
    0     0 DROP       all  --  *      *       0.0.0.0/0            64.208.0.0/16       
    0     0 DROP       all  --  *      *       0.0.0.0/0            64.209.0.0/17       
   18  1144 DROP       all  --  *      *       0.0.0.0/0            72.21.192.0/19      
    0     0 DROP       all  --  *      *       0.0.0.0/0            107.20.0.0/14       
   19  1120 DROP       all  --  *      *       0.0.0.0/0            176.32.96.0/21      
    0     0 DROP       all  --  *      *       0.0.0.0/0            178.236.0.0/21      
    0     0 DROP       all  --  *      *       0.0.0.0/0            184.72.0.0/15       
    0     0 DROP       all  --  *      *       0.0.0.0/0            204.246.160.0/19    
    4   304 DROP       all  --  *      *       0.0.0.0/0            205.251.192.0/18    
    8   480 DROP       all  --  *      *       0.0.0.0/0            207.171.160.0/19    
   71 17714 ACCEPT     all  --  *      usb0    0.0.0.0/0            0.0.0.0/0           
  330 20591 ACCEPT     all  --  *      wlan0   0.0.0.0/0            0.0.0.0/0           
    0     0 ACCEPT     all  --  *      ppp0    0.0.0.0/0            0.0.0.0/0           
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0

Which shows a number of significant differences, from the home Wifi (successful) connection attempt.

On the input chain:

Code:

    3    84 DROP       all  --  wlan0  *       0.0.0.0/0            0.0.0.0/0

Those three packets are not (or where not identified as) icmp, tcp, or udp packets because prior rules dealt with those cases.

On the output chain BBB filter:

Code:

   19  1120 DROP       all  --  *      *       0.0.0.0/0            176.32.96.0/21      
    8   480 DROP       all  --  *      *       0.0.0.0/0            207.171.160.0/19

Without doing packet capture, I can only guess but I suspect that Chatty Kathy needs authorization from Amazon to use the Amazon Wifi account, and she can't get it. (Too bad or TS)

Also, local host (lo) is in heavy use. Which may or may not be related.

Removing the BBB filter:

Code:

ssh kpw "PATH=$PATH ; /mnt/us/extensions/bbb/config.d/del-bbb-13040.sh"

Expect a brand new document to pop up on your screen. That is a log of any errors encountered.
To see an example, just try removing the BBB filter twice in a row.
A "long touch" (on the Kpw) will bring up a dialog box that allows you to delete the file.

Now confirm that the BBB filter is gone:

Code:

core2quad usb-0.7.N $ ssh kpw "PATH=$PATH ; iptables -vnL OUTPUT"

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
  384 61548 ACCEPT     all  --  *      lo      0.0.0.0/0            127.0.0.0/8         
  781  115K ACCEPT     all  --  *      usb0    0.0.0.0/0            0.0.0.0/0           
  330 20591 ACCEPT     all  --  *      wlan0   0.0.0.0/0            0.0.0.0/0           
    0     0 ACCEPT     all  --  *      ppp0    0.0.0.0/0            0.0.0.0/0           
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0

[twobob]

re parsing

[knc1]

Quote:

Originally Posted by twobob

re parsing ;)

Are you meaning that: iptables --check that was posted above?

It is there with that design, or at least all that is practical to include.

At the top of each chain are two counters ;
If the chain rules are intended to account for everything, then they should always be zero:zero.

Notice that the OUTPUT chain counters are not zero:zero
Which means the "audit" counts on each rule do not total up to the number of packets:bytes that entered the chain (the top count is the number un-accounted for.)

Which means that top count of packets and bytes where handled by the "default" policy of the chain - in this case "drop".
Which is not necessarily "wrong" - just not included in the itemized counts.

There are (well "was supposed to be") a total accounting of all traffic by interface:protocol that was expected on the network.

Which is in each case followed by a "catch-all" counter of that which wasn't expected.
To "check" the rule-set, duplicate that final "catch-all" rule with the exception of the target, instead, use the non-terminating target of "log".

And then, the order matters.
**That** is very hard to "check" other than by eye.
Plus, it depends on the routing rules in place when the packet hit the firewall.
See the pretty packet-flow chart in the linked off-site reference.

The "mis-placed" rule would have allowed packets to escape the drop filter ****IF**** there had been a routing rule that allowed it.
There isn't (wasn't).
The two "missing" rules are the reason that the output chain is reporting un-audited packets.

So fixing 13039 with 13040 can wait until I have had a night's sleep.
No harm, no foul. ;)