New technique for dealing with NEW not SYN

git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@175 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
teastep 2002-08-05 23:34:46 +00:00
parent 7b00737a94
commit 3428f59895
3 changed files with 24 additions and 79 deletions


@ -198,8 +198,10 @@ createchain() # $1 = chain name, $2 = If non-null, don't create default rules
state="ESTABLISHED"
[ -n "$ALLOWRELATED" ] && state="$state,RELATED"
run_iptables -A $1 -m state --state $state -j ACCEPT
[ -z "$NEWNOTSYN" ] && \
run_iptables -A $1 -p TCP !--syn -m state --state NEW -j badnew
if [ -n "$NEWNOTSYN" ]; then
CHAIN=$1
. $NEWNOTSYN
fi
fi
eval ${1}_exists=Yes
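Review bot: `. $NEWNOTSYN` sources a user-supplied file with the firewall's root privileges from inside createchain(), so whatever that file contains runs in this function's scope and can overwrite `state`, `CHAIN` or any other variable the rest of the chain setup relies on. The path is also unquoted. Suggest `. "$NEWNOTSYN"` and a documented contract for the extension script: it is handed the chain name in `CHAIN`, it is expected to add its own rule for the NEW-but-not-SYN case that the removed `run_iptables -A $1 -p TCP !--syn -m state --state NEW -j badnew` line used to add, and it must not modify anything else. Passing the chain name through a global rather than as an argument to the script should be called out in that documentation as well.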
@ -2697,8 +2699,6 @@ initialize_netfilter () {
[ -n "$TC_ENABLED" ] && delete_tc
run_user_exit init
echo "Deleting user chains..."
setpolicy INPUT DROP
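Review bot: Removing `run_user_exit init` from this position (it is re-added in the next hunk) changes more than the release note's "called AFTER all existing user chains have been deleted": the init script now also runs after `setpolicy INPUT DROP`, so a user init script that relied on being invoked while the old policy was still in effect (for example to keep an administrative session reachable during restart) will behave differently. The ordering change relative to the DROP policy should be stated explicitly in the release notes.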
@ -2711,19 +2711,12 @@ initialize_netfilter () {
setcontinue INPUT
setcontinue OUTPUT
run_user_exit init
[ -n "$CLAMPMSS" ] && \
run_iptables -A FORWARD -p tcp \
--tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
if [ -z "$NEWNOTSYN" ]; then
createchain badnew no
[ -n "$LOGNEWNOTSYN" ] && \
run_iptables -A badnew -j LOG $LOGPARMS \
--log-prefix "Shorewall:badnew:DROP:" \
--log-level $LOGNEWNOTSYN
run_iptables -A badnew -j DROP
fi
createchain icmpdef no
createchain common no
createchain reject no
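Review bot: Deleting the `badnew` chain here removes the only drop-and-log path for NEW-not-SYN packets (`--log-prefix "Shorewall:badnew:DROP:"` at `$LOGNEWNOTSYN`), and nothing in this hunk replaces it; an installation that had NEWNOTSYN=No and LOGNEWNOTSYN set will silently stop dropping and logging those packets after upgrade. If that behaviour is meant to move into the newnotsyn extension script, ship a sample script that reproduces these four lines (createchain, optional LOG, DROP) so the protection is not lost by default. Separately, `run_user_exit init` now lands between `setcontinue OUTPUT` and the CLAMPMSS rule; confirm that running user code before the MSS clamping rule is installed is the intended order.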
@ -3399,8 +3392,6 @@ do_initialize() {
DETECT_DNAT_IPADDRS=
MERGE_HOSTS=
MUTEX_TIMEOUT=
NEWNOTSYN=
LOGNEWNOTSYN=
stopping=
have_mutex=
masq_seq=1
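Review bot: Dropping the `NEWNOTSYN=` initialisation is safe only because a later hunk assigns the variable unconditionally from `find_file newnotsyn`; `LOGNEWNOTSYN=` however is removed with no replacement anywhere in this change, so a value still present in a user's shorewall.conf is read and then silently ignored. Either keep the variable cleared here or have do_initialize() warn when a non-empty LOGNEWNOTSYN is encountered, so the user learns that the option no longer has any effect.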
@ -3477,7 +3468,10 @@ do_initialize() {
MULTIPORT=`added_param_value_no MULTIPORT $MULTIPORT`
DETECT_DNAT_IPADDRS=`added_param_value_no DETECT_DNAT_IPADDRS $DETECT_DNAT_IPADDRS`
MERGE_HOSTS=`added_param_value_no MERGE_HOSTS $MERGE_HOSTS`
NEWNOTSYN=`added_param_value_yes NEWNOTSYN $NEWNOTSYN`
NEWNOTSYN=`find_file newnotsyn`
[ -f $NEWNOTSYN ] || NEWNOTSYN=
}
################################################################################
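Review bot: `[ -f $NEWNOTSYN ] || NEWNOTSYN=` leaves the variable unquoted. When `find_file newnotsyn` returns nothing the test degenerates to `[ -f ]`, which POSIX sh evaluates as true (a single non-empty argument), so `NEWNOTSYN` stays empty only by accident; with a path containing whitespace the test breaks outright. Suggest `[ -n "$NEWNOTSYN" -a -f "$NEWNOTSYN" ] || NEWNOTSYN=`. Because the file found here is later executed with `.` as root, its mere presence is now the switch that enables arbitrary shell in the firewall script; checking that it is root-owned and not group/world-writable before accepting it would be a cheap safeguard. Note also that removing the `added_param_value_yes NEWNOTSYN` line means NEWNOTSYN=Yes/No in shorewall.conf is no longer honoured at all, which needs to be spelled out for upgrading users.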


@ -1,39 +1,20 @@
This is a minor release of Shorewall.
This is a minor release of Shorewall which rolls up a number of bug
fixes.
In this release:
New features include:
1. Empty and invalid source and destination qualifiers are now detected
in the rules file. It is a good idea to use the 'shorewall check'
command before you issue a 'shorewall restart' command be be sure
that you don't have any configuration problems that will prevent a
successful restart.
1) The new "Shorewall Setup Guide" is included in this release. This
guide is intended for users who have multiple static external IP
addresses and for users who what to learn a bit more abound
Shorewall than is described in the single-address guides.
2. Added MERGE_HOSTS variable in shorewall.conf to provide saner
behavior of the /etc/shorewall/hosts file.
2) A new 'newnotsyn' extension script has been provided for the benefit
of those users who are experimenting with treatment of TCP packets
that are not part of or related to an existing connection and that
do not have the SYN flag set and the ACK flag reset.
3. The time that the counters were last reset is now displayed in the
heading of the 'status' and 'show' commands.
4. Added MUTEX_TIMEOUT variable in shorewall.conf and changed the way
in which Shorewall protects itself from concurrent state
changes.
3) The 'init' extension script is now called AFTER all existing user
chains have been deleted. Previously, this script was called just
before the chains were deleted.
Previously, if a state-changing operation (like restart)
found a lock file, it would wait for 30 seconds for the lock file to
be removed. If the file was not removed within 30 seconds, a message
was issued and the operation was aborted.
With the new code, the wait time is determined by the value of
MUTEX_TIMEOUT (default 60 seconds). If the file is not removed
within MUTEX_TIMEOUT, the state-changing operation will assume that
the lock file is stale and will issue a message and continue.
An appopriate setting for MUTEX_TIMEOUT is twice the time that it takes
your firewall system to process a "shorewall restart" command.
5. Added 'proxyarp' interface option to facilitate Proxy ARP subnetting as
described in the Proxy ARP subnetting mini-HOWTO
(http://www.tldp.org/HOWTO/mini/Proxy-ARP-Subnet/)
Specifying this option for an interface causes Shorewall to set
/proc/sys/net/ipv4/conf/<interface>/proxy_arp.
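Review bot: Item 2) says what the newnotsyn extension script is for but not how it is wired in: it should state that the file is located with `find_file newnotsyn` (the standard configuration directory search), that it is sourced with the target chain name in `CHAIN`, and that it replaces the NEWNOTSYN and LOGNEWNOTSYN options in shorewall.conf, which are no longer read. Without that, a user who had NEWNOTSYN=No will not realise the drop/log behaviour is gone after upgrading. Minor wording in item 1): "users who what to learn a bit more abound Shorewall" should read "users who want to learn a bit more about Shorewall", and item 1. has "be be sure".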


@ -336,34 +336,4 @@ MERGE_HOSTS=Yes
MUTEX_TIMEOUT=60
#
# NEWNOTSYN
#
# Normally Shorewall will allow your firewall to be rebooted without disturbing
# existing TCP connections (the connections will resume after the reboot is
# finished). This makes the firewall succeptable to a DOS attack that uses
# a certain set of flags in the TCP header.
#
# To disable this feature, set NEWNOTSYN=No. To enable this feature, set
# NEWNOTSYN=Yes or leave the variable empty.
#
NEWNOTSYN=Yes
#
# NEWNOTSYN Logging
#
# If you select NEWNOTSYN=No and you want Shorewall to log TCP packets that
# don't match any current connection and that don't have the SYN flag set in
# their header, set this variable to the syslog level that you want to log
# them at. If you don't want these packets logged, set this variable to empty
# (LOGNEWNOTSYN=""). This variable has no effect if NEWNOTSYN=Yes or
# NEWNOTSYN="".
#
# NOTE: If you set this variable to a non-empty value, do NOT post to the
# mailing list asking "What does this log entry mean?" if the log entry
# contains the string "Shorewall:badnew:".
LOGNEWNOTSYN=
#LAST LINE -- DO NOT REMOVE
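Review bot: Removing the NEWNOTSYN and LOGNEWNOTSYN entries also removes the only explanation of the trade-off (the deleted comment notes that accepting NEW packets without SYN keeps connections alive across a reboot but exposes the firewall to a DoS built on particular TCP flag combinations), and after this hunk shorewall.conf contains no pointer to where that choice is now made. Add a short comment above `#LAST LINE -- DO NOT REMOVE` naming the newnotsyn extension script and noting that NEWNOTSYN/LOGNEWNOTSYN settings left in older configuration files are ignored, so the security consideration survives the option removal.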