New technique for dealing with NEW not SYN
git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@175 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
This commit is contained in:
parent
7b00737a94
commit
3428f59895
@ -198,8 +198,10 @@ createchain() # $1 = chain name, $2 = If non-null, don't create default rules
|
||||
state="ESTABLISHED"
|
||||
[ -n "$ALLOWRELATED" ] && state="$state,RELATED"
|
||||
run_iptables -A $1 -m state --state $state -j ACCEPT
|
||||
[ -z "$NEWNOTSYN" ] && \
|
||||
run_iptables -A $1 -p TCP !--syn -m state --state NEW -j badnew
|
||||
if [ -n "$NEWNOTSYN" ]; then
|
||||
CHAIN=$1
|
||||
. $NEWNOTSYN
|
||||
fi
|
||||
fi
|
||||
|
||||
eval ${1}_exists=Yes
|
||||
@ -2697,8 +2699,6 @@ initialize_netfilter () {
|
||||
|
||||
[ -n "$TC_ENABLED" ] && delete_tc
|
||||
|
||||
run_user_exit init
|
||||
|
||||
echo "Deleting user chains..."
|
||||
|
||||
setpolicy INPUT DROP
|
||||
@ -2711,19 +2711,12 @@ initialize_netfilter () {
|
||||
setcontinue INPUT
|
||||
setcontinue OUTPUT
|
||||
|
||||
run_user_exit init
|
||||
|
||||
[ -n "$CLAMPMSS" ] && \
|
||||
run_iptables -A FORWARD -p tcp \
|
||||
--tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
|
||||
|
||||
if [ -z "$NEWNOTSYN" ]; then
|
||||
createchain badnew no
|
||||
[ -n "$LOGNEWNOTSYN" ] && \
|
||||
run_iptables -A badnew -j LOG $LOGPARMS \
|
||||
--log-prefix "Shorewall:badnew:DROP:" \
|
||||
--log-level $LOGNEWNOTSYN
|
||||
run_iptables -A badnew -j DROP
|
||||
fi
|
||||
|
||||
createchain icmpdef no
|
||||
createchain common no
|
||||
createchain reject no
|
||||
@ -3399,8 +3392,6 @@ do_initialize() {
|
||||
DETECT_DNAT_IPADDRS=
|
||||
MERGE_HOSTS=
|
||||
MUTEX_TIMEOUT=
|
||||
NEWNOTSYN=
|
||||
LOGNEWNOTSYN=
|
||||
stopping=
|
||||
have_mutex=
|
||||
masq_seq=1
|
||||
@ -3477,7 +3468,10 @@ do_initialize() {
|
||||
MULTIPORT=`added_param_value_no MULTIPORT $MULTIPORT`
|
||||
DETECT_DNAT_IPADDRS=`added_param_value_no DETECT_DNAT_IPADDRS $DETECT_DNAT_IPADDRS`
|
||||
MERGE_HOSTS=`added_param_value_no MERGE_HOSTS $MERGE_HOSTS`
|
||||
NEWNOTSYN=`added_param_value_yes NEWNOTSYN $NEWNOTSYN`
|
||||
|
||||
NEWNOTSYN=`find_file newnotsyn`
|
||||
|
||||
[ -f $NEWNOTSYN ] || NEWNOTSYN=
|
||||
}
|
||||
|
||||
################################################################################
|
||||
|
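Review bot: Once NEWNOTSYN is overwritten with the result of `find_file newnotsyn` and cleared when that file is absent, a firewall without the new extension script gets no rule at all for TCP packets in state NEW that lack SYN — the `-j badnew` DROP and its LOGNEWNOTSYN logging removed from initialize_netfilter are not replaced by anything, so that protection is silently lost on upgrade, and a `NEWNOTSYN=No` still present in an existing shorewall.conf is now ignored without any message because the `added_param_value_yes` parsing is gone. Consider warning before the variable is clobbered, e.g. `[ -n "$NEWNOTSYN" ] && echo "   Warning: NEWNOTSYN in shorewall.conf is ignored; use the 'newnotsyn' extension script instead" >&2` placed just ahead of the find_file assignment (assuming shorewall.conf is the only thing that has set it by this point — the `NEWNOTSYN=` initialisation was also dropped, so an exported environment value could trigger it), and stating the loss of the built-in drop in the release notes. Both the new file test and the `. $NEWNOTSYN` in createchain use the path unquoted; `[ -f "$NEWNOTSYN" ]` and `. "$NEWNOTSYN"` are safer if find_file can ever return a path containing whitespace. Since the script is sourced inside createchain, anything it assigns shadows that function's own variables such as `state`, which is worth a comment where `CHAIN=$1` is set. do_initialize begins outside this hunk.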
@ -1,39 +1,20 @@
|
||||
This is a minor release of Shorewall.
|
||||
This is a minor release of Shorewall which rolls up a number of bug
|
||||
fixes.
|
||||
|
||||
In this release:
|
||||
New features include:
|
||||
|
||||
1. Empty and invalid source and destination qualifiers are now detected
|
||||
in the rules file. It is a good idea to use the 'shorewall check'
|
||||
command before you issue a 'shorewall restart' command be be sure
|
||||
that you don't have any configuration problems that will prevent a
|
||||
successful restart.
|
||||
1) The new "Shorewall Setup Guide" is included in this release. This
|
||||
guide is intended for users who have multiple static external IP
|
||||
addresses and for users who what to learn a bit more abound
|
||||
Shorewall than is described in the single-address guides.
|
||||
|
||||
2. Added MERGE_HOSTS variable in shorewall.conf to provide saner
|
||||
behavior of the /etc/shorewall/hosts file.
|
||||
2) A new 'newnotsyn' extension script has been provided for the benefit
|
||||
of those users who are experimenting with treatment of TCP packets
|
||||
that are not part of or related to an existing connection and that
|
||||
do not have the SYN flag set and the ACK flag reset.
|
||||
|
||||
3. The time that the counters were last reset is now displayed in the
|
||||
heading of the 'status' and 'show' commands.
|
||||
|
||||
4. Added MUTEX_TIMEOUT variable in shorewall.conf and changed the way
|
||||
in which Shorewall protects itself from concurrent state
|
||||
changes.
|
||||
3) The 'init' extension script is now called AFTER all existing user
|
||||
chains have been deleted. Previously, this script was called just
|
||||
before the chains were deleted.
|
||||
|
||||
Previously, if a state-changing operation (like restart)
|
||||
found a lock file, it would wait for 30 seconds for the lock file to
|
||||
be removed. If the file was not removed within 30 seconds, a message
|
||||
was issued and the operation was aborted.
|
||||
|
||||
With the new code, the wait time is determined by the value of
|
||||
MUTEX_TIMEOUT (default 60 seconds). If the file is not removed
|
||||
within MUTEX_TIMEOUT, the state-changing operation will assume that
|
||||
the lock file is stale and will issue a message and continue.
|
||||
|
||||
An appopriate setting for MUTEX_TIMEOUT is twice the time that it takes
|
||||
your firewall system to process a "shorewall restart" command.
|
||||
|
||||
5. Added 'proxyarp' interface option to facilitate Proxy ARP subnetting as
|
||||
described in the Proxy ARP subnetting mini-HOWTO
|
||||
(http://www.tldp.org/HOWTO/mini/Proxy-ARP-Subnet/)
|
||||
|
||||
Specifying this option for an interface causes Shorewall to set
|
||||
/proc/sys/net/ipv4/conf/<interface>/proxy_arp.
|
||||
|
@ -336,34 +336,4 @@ MERGE_HOSTS=Yes
|
||||
|
||||
MUTEX_TIMEOUT=60
|
||||
|
||||
#
|
||||
# NEWNOTSYN
|
||||
#
|
||||
# Normally Shorewall will allow your firewall to be rebooted without disturbing
|
||||
# existing TCP connections (the connections will resume after the reboot is
|
||||
# finished). This makes the firewall succeptable to a DOS attack that uses
|
||||
# a certain set of flags in the TCP header.
|
||||
#
|
||||
# To disable this feature, set NEWNOTSYN=No. To enable this feature, set
|
||||
# NEWNOTSYN=Yes or leave the variable empty.
|
||||
#
|
||||
|
||||
NEWNOTSYN=Yes
|
||||
|
||||
#
|
||||
# NEWNOTSYN Logging
|
||||
#
|
||||
# If you select NEWNOTSYN=No and you want Shorewall to log TCP packets that
|
||||
# don't match any current connection and that don't have the SYN flag set in
|
||||
# their header, set this variable to the syslog level that you want to log
|
||||
# them at. If you don't want these packets logged, set this variable to empty
|
||||
# (LOGNEWNOTSYN=""). This variable has no effect if NEWNOTSYN=Yes or
|
||||
# NEWNOTSYN="".
|
||||
#
|
||||
# NOTE: If you set this variable to a non-empty value, do NOT post to the
|
||||
# mailing list asking "What does this log entry mean?" if the log entry
|
||||
# contains the string "Shorewall:badnew:".
|
||||
|
||||
LOGNEWNOTSYN=
|
||||
|
||||
#LAST LINE -- DO NOT REMOVE
|
||||
|