diff --git a/Shorewall2/actions.std b/Shorewall2/actions.std
index 955d3691a..b762d2730 100644
--- a/Shorewall2/actions.std
+++ b/Shorewall2/actions.std
@@ -6,7 +6,13 @@
 #
 # dropBcast		#Silently Drop Broadcast/multicast
 # dropNonSyn		#Silently Drop Non-syn TCP packets
-# rejectNonSyn		#Silently Reject Non-syn TCP packets
+# rejNonSyn		#Silently Reject Non-syn TCP packets
+# logNonSyn		#Log Non-syn TCP packets with disposition LOG
+# dLogNonSyn		#Log Non-syn TCP packets with disposition DROP
+# rLogNonSyn		#Log Non-syn TCP packets with disposition REJECT
+#
+# The NonSyn logging builtins log at the level specified by LOGNEWNOTSYN in
+# shorewall.conf. If that option isn't specified then 'info' is used.
 #
 #ACTION
diff --git a/Shorewall2/firewall b/Shorewall2/firewall
index 622695cee..ee005bd0a 100755
--- a/Shorewall2/firewall
+++ b/Shorewall2/firewall
@@ -2744,7 +2744,7 @@ createactionchain() # $1 = chain name
 process_actions1() {
-    ACTIONS="dropBcast dropNonSyn dropNotSyn rejectNotSyn logNotSyn rLogNotSyn dLogNotSyn"
+    ACTIONS="dropBcast dropNonSyn dropNotSyn rejNotSyn logNotSyn rLogNotSyn dLogNotSyn"
     USEDACTIONS=
     strip_file actions
@@ -2906,7 +2906,7 @@ process_actions2() {
 	    dropNotSyn)
 		[ "$COMMAND" != check ] && run_iptables -A dropNotSyn -p tcp ! --syn -j DROP
 		;;
-	    rejectNotSyn)
+	    rejNotSyn)
 		[ "$COMMAND" != check ] && run_iptables -A rejectNotSyn -p tcp ! --syn -j REJECT --reject-with tcp-reset
 		;;
 	    logNotSyn)
diff --git a/Shorewall2/releasenotes.txt b/Shorewall2/releasenotes.txt
index 2a57681bc..d57422947 100755
--- a/Shorewall2/releasenotes.txt
+++ b/Shorewall2/releasenotes.txt
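Review bot: The four builtin names added to the comment block (`rejNonSyn`, `logNonSyn`, `dLogNonSyn`, `rLogNonSyn`) do not match the names the firewall script's ACTIONS list uses in this same commit (`rejNotSyn logNotSyn rLogNotSyn dLogNotSyn`), so a user who copies a name from actions.std into the actions file will reference a builtin the script does not know. The `dropNotSyn` builtin that the ACTIONS list does contain is also absent from this documentation block. Suggest renaming the four documented entries to the NotSyn spelling and adding a `# dropNotSyn` line beside `# dropNonSyn`, or, if NonSyn is the intended public spelling, renaming them in ACTIONS and the case labels instead, so that one spelling is used everywhere.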
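Review bot: In the second firewall hunk the case label is renamed to `rejNotSyn)` but the rule it installs still targets the old chain: `run_iptables -A rejectNotSyn -p tcp ! --syn -j REJECT --reject-with tcp-reset`. If action chains are created under the action name (the `createactionchain` context in the earlier hunk header suggests so, but the code is not visible here), this append either fails because no `rejectNotSyn` chain exists or leaves the `rejNotSyn` chain empty, in which case non-SYN TCP packets sent to it return to the calling chain instead of being reset. The line should read `[ "$COMMAND" != check ] && run_iptables -A rejNotSyn -p tcp ! --syn -j REJECT --reject-with tcp-reset`. Because the call is skipped when `$COMMAND` is check, a check run would not surface the mismatch; it would only appear on start or restart. The enclosing case statement and process_actions2 continue outside the hunk.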
@@ -46,7 +46,7 @@ New Features: match the name of an entry in /etc/shorewall/interfaces or the name of a bridge port appearing in /etc/shorewall/hosts). -3) A new 'rejectNonSyn' built-in standard action has been added. This +3) A new 'rejNonSyn' built-in standard action has been added. This action responds to "New not SYN" packets with an RST. The 'dropNonSyn' action has been superceded by the new 'dropNotSyn'