diff --git a/Shorewall/changelog.txt b/Shorewall/changelog.txt
index b3bada848..c5714802c 100755
--- a/Shorewall/changelog.txt
+++ b/Shorewall/changelog.txt
@@ -1,3 +1,5 @@
 Changes since 1.4.5
 1) Worked around RH7.3 "service" anomaly.
+
+2) Implemented 'newnotsyn' interface option.
diff --git a/Shorewall/firewall b/Shorewall/firewall
index 06a0a0575..08ad24239 100755
--- a/Shorewall/firewall
+++ b/Shorewall/firewall
@@ -607,7 +607,7 @@ validate_interfaces_file() {
 for option in $options; do
 case $option in
-dhcp|norfc1918|tcpflags)
+dhcp|norfc1918|tcpflags|newnotsyn)
 ;;
 routefilter|dropunclean|logunclean|blacklist|proxyarp|maclist|-)
 ;;
@@ -3306,7 +3306,13 @@ initialize_netfilter () {
 if [ -z "$NEWNOTSYN" ]; then
 createchain newnotsyn no
+
+for interface in `find_interfaces_by_option newnotsyn`; do
+run_iptables -A newnotsyn -i $interface -j RETURN
+done
+
 run_user_exit newnotsyn
+
 if [ -n "$LOGNEWNOTSYN" ]; then
 log_rule $LOGNEWNOTSYN newnotsyn DROP
 fi
diff --git a/Shorewall/interfaces b/Shorewall/interfaces
index cfc0e2b0e..bb25bd6d2 100644
--- a/Shorewall/interfaces
+++ b/Shorewall/interfaces
@@ -89,6 +89,13 @@
 # sub-networking as described at:
 # http://www.tldp.org/HOWTO/mini/Proxy-ARP-Subnet
 #
+# newnotsyn - TCP packets that don't have the SYN
+# flag set and which are not part of an
+# established connection will be accepted
+# from this interface, even if
+# NEWNOTSYN=No has been specified in
+# /etc/shorewall/shorewall.conf.
+#
 # The order in which you list the options is not
 # significant but the list should have no embedded white
 # space.
diff --git a/Shorewall/releasenotes.txt b/Shorewall/releasenotes.txt
index 37569d451..29ff7bd46 100755
--- a/Shorewall/releasenotes.txt
+++ b/Shorewall/releasenotes.txt
@@ -8,3 +8,6 @@ Problems Corrected: New Features:
+1) A 'newnotsyn' interface option has been added. This option may be
+ specified in /etc/shorewall/interfaces and overrides the setting
+ NEWNOTSYN=No for packets arriving on the associated interface.
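Review bot: In the initialize_netfilter hunk the per-interface `RETURN` rules are appended to the newnotsyn chain ahead of `run_user_exit newnotsyn`, so rules added by the user's newnotsyn extension script, and the `LOGNEWNOTSYN` DROP rule below it, never see packets arriving on an interface that carries the `newnotsyn` option; nothing in the hunk records that this ordering is intentional, and the interfaces file hunk describes the effect as those packets being accepted outright. A comment above the loop would make the policy relaxation visible to the next maintainer: `# Interfaces with the 'newnotsyn' option leave this chain here, before the user exit and the log/DROP rule, so their non-SYN TCP packets without a conntrack entry are never logged or dropped by it.` The loop also expands `$interface` unquoted in the `run_iptables` call, which matches the surrounding style but presumes find_interfaces_by_option yields names without whitespace or glob characters (not verifiable from this hunk). initialize_netfilter begins and ends outside the hunk.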