From 27952f3d4b38a41b261f88c7e03c72178771d128 Mon Sep 17 00:00:00 2001 From: teastep Date: Tue, 6 Aug 2002 18:45:13 +0000 Subject: [PATCH] Final 'New not SYN' implementation git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@176 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb --- Shorewall/changelog.txt | 30 ++++++++---------------------- Shorewall/common.def | 7 ------- Shorewall/firewall | 35 +++++++++++++++++++++++++---------- Shorewall/releasenotes.txt | 11 +++-------- Shorewall/shorewall | 1 + Shorewall/shorewall.conf | 13 +++++++++++++ 6 files changed, 50 insertions(+), 47 deletions(-) diff --git a/Shorewall/changelog.txt b/Shorewall/changelog.txt index 005f28123..cbd7403b1 100755 --- a/Shorewall/changelog.txt +++ b/Shorewall/changelog.txt @@ -1,29 +1,15 @@ -Changes since 1.3.4 +Changes since 1.3.5 -1. Empty source and destination qualifiers are now detected in the - rules file. +1. REDIRECT rules are now working again. -2. Added MERGE_HOSTS variable in shorewall.conf to provide saner - behavior of the /etc/shorewall/hosts file. +2. proxyarp option now works. -3. Fix for spec file from Ajay Ramaswamy +3. It is once again possible to specify a host list in an + /etc/shorewall/hosts entry. -4. Update package description in shorewall.spec +4. The lock file is now removed when the firewall script is killed by a + signal. -5. Save counter reset time in /var/lib/shorewall/restarted +5. Implemented "new not SYN" dropping. -6. Display the counter reset time in shorewall show and status - commands. - -7. Centralize the adding of IP aliases - -8. Added MUTEX_TIMEOUT variable. - -9. Added 'proxyarp' interface option - -10. Re-enable REDIRECT rules. - -11. Make sure that mutex is released when firewall scripts is stopped. - -12. Re-enable host lists in /etc/shorewall/hosts diff --git a/Shorewall/common.def b/Shorewall/common.def index e070a3101..50edd3471 100644 --- a/Shorewall/common.def +++ b/Shorewall/common.def 
@@ -18,13 +18,6 @@ run_iptables -A common -p icmp -j icmpdef
 #
 run_iptables -A common -m state -p tcp --state INVALID -j DROP
 ############################################################################
-# accept ACKs and RSTs that aren't related to any session so that the
-# protocol stack can handle them and so the ACKs can create connection
-# tracking entries.
-#
-run_iptables -A common -p tcp --tcp-flags ACK ACK -j ACCEPT
-run_iptables -A common -p tcp --tcp-flags RST RST -j ACCEPT
-############################################################################
 # NETBIOS chatter
 #
 run_iptables -A common -p udp --dport 137:139 -j REJECT
diff --git a/Shorewall/firewall
index e89c98091..3f9c0f0c7 100755
--- a/Shorewall/firewall
+++ b/Shorewall/firewall
@@ -192,16 +192,16 @@ run_tc() {
 ################################################################################
 createchain() # $1 = chain name, $2 = If non-null, don't create default rules
 {
+    local target
+
     run_iptables -N $1
     if [ $# -eq 1 ]; then
         state="ESTABLISHED"
         [ -n "$ALLOWRELATED" ] && state="$state,RELATED"
         run_iptables -A $1 -m state --state $state -j ACCEPT
-        if [ -n "$NEWNOTSYN" ]; then
-            CHAIN=$1
-            . $NEWNOTSYN
-        fi
+        [ -n "$LOGNEWNOTSYN" ] && target=newnotsyn || target=DROP
+        run_iptables -A $1 -m state --state NEW -p tcp !--syn -j $target
     fi
     eval ${1}_exists=Yes
@@ -2699,6 +2699,8 @@ initialize_netfilter () {
     [ -n "$TC_ENABLED" ] && delete_tc
+    run_user_exit init
+
     echo "Deleting user chains..."
     setpolicy INPUT DROP
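Review bot: Dropping every `--state NEW` non-SYN segment in each zone chain, together with this commit's removal of the `common` chain's ACK/RST accepts, means a TCP connection that conntrack has not seen can no longer be picked up mid-stream — the removed common.def comment says those accepts existed precisely "so the ACKs can create connection tracking entries" — so after a `shorewall restart` existing sessions through the box are likely to stall until the endpoints re-handshake, unless the conntrack table survives the restart. Since the drop is now unconditional and only the logging is configurable, consider a companion `NEWNOTSYN=Yes/No` setting (defaulting to Yes) so sites that depend on that pickup can opt out. Separately, `-p tcp !--syn` glues the inversion to the option; iptables normally takes `!` as its own argument (`-p tcp ! --syn`), so please confirm `!--syn` is accepted by the oldest iptables release Shorewall supports. Minor style point: `state` assigned just above remains a global while the new `target` is declared `local`; createchain's body continues past the hunk.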
@@ -2711,12 +2713,28 @@ initialize_netfilter () {
     setcontinue INPUT
     setcontinue OUTPUT
-    run_user_exit init
-
     [ -n "$CLAMPMSS" ] && \
         run_iptables -A FORWARD -p tcp \
             --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
+
+    if [ -n "$LOGNEWNOTSYN" ]; then
+        createchain newnotsyn no
+        #
+        # Don't bother the world with these
+        #
+        run_iptables -A newnotsyn -p tcp --tcp-flags ACK,FIN ACK,FIN -j DROP
+        #
+        # Log
+        #
+        run_iptables -A newnotsyn -j LOG \
+            --log-prefix "Shorewall:newnotsyn:DROP:" --log-level $LOGNEWNOTSYN
+        #
+        # DROP
+        #
+        run_iptables -A newnotsyn -p tcp -j DROP
+    fi
+
     createchain icmpdef no
     createchain common no
     createchain reject no
@@ -3392,6 +3410,7 @@ do_initialize() {
     DETECT_DNAT_IPADDRS=
     MERGE_HOSTS=
     MUTEX_TIMEOUT=
+    LOGNEWNOTSYN=
     stopping=
     have_mutex=
     masq_seq=1
@@ -3468,10 +3487,6 @@ do_initialize() {
     MULTIPORT=`added_param_value_no MULTIPORT $MULTIPORT`
     DETECT_DNAT_IPADDRS=`added_param_value_no DETECT_DNAT_IPADDRS $DETECT_DNAT_IPADDRS`
     MERGE_HOSTS=`added_param_value_no MERGE_HOSTS $MERGE_HOSTS`
-
-    NEWNOTSYN=`find_file newnotsyn`
-
-    [ -f $NEWNOTSYN ] || NEWNOTSYN=
 }
 ################################################################################
diff --git a/Shorewall/releasenotes.txt b/Shorewall/releasenotes.txt
index 82604e7f2..d3e57380b 100755
--- a/Shorewall/releasenotes.txt
+++ b/Shorewall/releasenotes.txt
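Review bot: The LOG rule `run_iptables -A newnotsyn -j LOG --log-prefix "Shorewall:newnotsyn:DROP:" --log-level $LOGNEWNOTSYN` has no rate limit, so once LOGNEWNOTSYN is set a remote ACK scan — or simply every in-flight connection after a restart — produces one syslog line per packet, which is a cheap log-flooding vector; prepend a limit match such as `-m limit --limit 10/minute --limit-burst 5`, or whatever log-limiting convention the rest of the script uses. Bare RST segments also fall through to the LOG rule while ACK+FIN is silently dropped; if the intent of "Don't bother the world with these" is to suppress stray-segment noise, `run_iptables -A newnotsyn -p tcp --tcp-flags RST RST -j DROP` deserves the same treatment. `$LOGNEWNOTSYN` is also passed unquoted and unvalidated to `--log-level`, so a typo in shorewall.conf only surfaces as an iptables error at start time; checking it against the syslog level names before building the chain would give a clearer failure. initialize_netfilter continues beyond the hunk.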
@@ -8,13 +8,8 @@ New features include:
    addresses and for users who what to learn a bit more abound Shorewall
    than is described in the single-address guides.
-2) A new 'newnotsyn' extension script has been provided for the benefit
-   of those users who are experimenting with treatment of TCP packets
-   that are not part of or related to an existing connection and that
-   do not have the SYN flag set and the ACK flag reset.
+2) Shorewall now drops non-SYN tcp packets that are not part of an
+   established connection. These packets can be optionally logged by
+   setting the new LOGNEWNOTSYN variable in shorewall.conf.
-3) The 'init' extension script is now called AFTER all existing user
-   chains have been deleted. Previously, this script was called just
-   before the chains were deleted.
-
diff --git a/Shorewall/shorewall b/Shorewall/shorewall
index a06ded68c..196b838cd 100755
--- a/Shorewall/shorewall
+++ b/Shorewall/shorewall
@@ -201,6 +201,7 @@ display_chains()
     showchain rfc1918
     showchain blacklst
     showchain reject
+    showchain newnotsyn
     for zone in $zones all; do
         showchain ${zone}2all
         showchain @${zone}2all
diff --git a/Shorewall/shorewall.conf b/Shorewall/shorewall.conf
index 9e1aacc17..36ccc6955 100755
--- a/Shorewall/shorewall.conf
+++ b/Shorewall/shorewall.conf
@@ -336,4 +336,17 @@ MERGE_HOSTS=Yes
 MUTEX_TIMEOUT=60
+#
+# LOGGING 'New not SYN' rejects
+#
+# When a TCP packet that does not have the SYN flag set and the ACK and RST
+# flags clear then unless the packet is part of an established connection,
+# it will be rejected by the firewall. If you want these rejects logged,
+# then set LOGNEWNOTSYN to the syslog log level at which you want them logged.
+#
+# Example: LOGNEWNOTSYN=debug
+
+
+LOGNEWNOTSYN=
+
 #LAST LINE -- DO NOT REMOVE
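Review bot: The new shorewall.conf comment says these packets "will be rejected", but the firewall code `-j DROP`s them (the log prefix itself reads `Shorewall:newnotsyn:DROP:`), and it does not state that the drop happens regardless of this setting — LOGNEWNOTSYN only controls logging. It also misdescribes the match: `--syn` requires SYN set with ACK, RST and FIN all clear, so FIN belongs in the description. Suggested wording for the two explanatory sentences: `# TCP packets that are not part of an established connection and do not have SYN set with ACK, RST and FIN clear are always DROPped. To log them, set LOGNEWNOTSYN to a syslog level name (e.g. debug, info, warning); leave it empty to drop silently.` It is also worth warning here that the logging is per packet and unlimited, so enabling it on an Internet-facing firewall can produce a large syslog volume.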