New technique for dealing with NEW not SYN

git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@175 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb

Shorewall/firewall

@@ -198,8 +198,10 @@ createchain() # $1 = chain name, $2 = If non-null, don't create default rules
 	state="ESTABLISHED"
 	[ -n "$ALLOWRELATED" ] && state="$state,RELATED"
 	run_iptables -A $1 -m state --state $state -j ACCEPT
-	[ -z "$NEWNOTSYN" ] && \
+	if [ -n "$NEWNOTSYN" ]; then
-	    run_iptables -A $1 -p TCP !--syn -m state --state NEW -j badnew
+	    CHAIN=$1
+	    . $NEWNOTSYN
+        fi
     fi
 
     eval ${1}_exists=Yes
@@ -2697,8 +2699,6 @@ initialize_netfilter () {
 
     [ -n "$TC_ENABLED" ] && delete_tc
 
-    run_user_exit init
-
     echo "Deleting user chains..."
 
     setpolicy INPUT DROP
@@ -2711,19 +2711,12 @@ initialize_netfilter () {
     setcontinue INPUT
     setcontinue OUTPUT
 
+    run_user_exit init
+
     [ -n "$CLAMPMSS" ] && \
 	run_iptables -A FORWARD -p tcp \
 	    --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
 
-    if [ -z "$NEWNOTSYN" ]; then
-	createchain badnew no
-	[ -n "$LOGNEWNOTSYN" ] && \
-	    run_iptables -A badnew -j LOG $LOGPARMS \
-	    --log-prefix "Shorewall:badnew:DROP:" \
-	    --log-level $LOGNEWNOTSYN
-	run_iptables -A badnew -j DROP
-    fi
-
     createchain icmpdef no
     createchain common	no
     createchain reject	no
@@ -3399,8 +3392,6 @@ do_initialize() {
     DETECT_DNAT_IPADDRS=
     MERGE_HOSTS=
     MUTEX_TIMEOUT=
-    NEWNOTSYN=
-    LOGNEWNOTSYN=
     stopping=
     have_mutex=
     masq_seq=1
@@ -3477,7 +3468,10 @@ do_initialize() {
     MULTIPORT=`added_param_value_no MULTIPORT $MULTIPORT`
     DETECT_DNAT_IPADDRS=`added_param_value_no DETECT_DNAT_IPADDRS $DETECT_DNAT_IPADDRS`
     MERGE_HOSTS=`added_param_value_no MERGE_HOSTS $MERGE_HOSTS`
-    NEWNOTSYN=`added_param_value_yes NEWNOTSYN $NEWNOTSYN`
+
+    NEWNOTSYN=`find_file newnotsyn`
+
+    [ -f $NEWNOTSYN ] || NEWNOTSYN=
 }
 
 ################################################################################

Shorewall/releasenotes.txt

@@ -1,39 +1,20 @@
-This is a minor release of Shorewall.
+This is a minor release of Shorewall which rolls up a number of bug
+fixes.
 
-In this release:
+New features include:
 
-1. Empty and invalid source and destination qualifiers are now detected
+1) The new "Shorewall Setup Guide" is included in this release. This
-   in the rules file. It is a good idea to use the 'shorewall check'
+   guide is intended for users who have multiple static external IP
-   command before you issue a 'shorewall restart' command be be sure
+   addresses and for users who what to learn a bit more abound
-   that you don't have any configuration problems that will prevent a
+   Shorewall than is described in the single-address guides.
-   successful restart.
 
-2. Added MERGE_HOSTS variable in shorewall.conf to provide saner
+2) A new 'newnotsyn' extension script has been provided for the benefit
-   behavior of the /etc/shorewall/hosts file.
+   of those users who are experimenting with treatment of TCP packets
+   that are not part of or related to an existing connection and that
+   do not have the SYN flag set and the ACK flag reset. 
 
-3. The time that the counters were last reset is now displayed in the
-   heading of the 'status' and 'show' commands.
 
-4. Added MUTEX_TIMEOUT variable in shorewall.conf and changed the way
+3) The 'init' extension script is now called AFTER all existing user
-   in which Shorewall protects itself from concurrent state
+   chains have been deleted. Previously, this script was called just
-   changes. 
+   before the chains were deleted.
 
-   Previously, if a state-changing operation (like restart)
-   found a lock file, it would wait for 30 seconds for the lock file to
-   be removed. If the file was not removed within 30 seconds, a message
-   was issued and the operation was aborted. 
-
-   With the new code, the wait time is determined by the value of
-   MUTEX_TIMEOUT (default 60 seconds). If the file is not removed
-   within MUTEX_TIMEOUT, the state-changing operation will assume that
-   the lock file is stale and will issue a message and continue.
-
-   An appopriate setting for MUTEX_TIMEOUT is twice the time that it takes
-   your firewall system to process a "shorewall restart" command.
-
-5. Added 'proxyarp' interface option to facilitate Proxy ARP subnetting as
-   described in the Proxy ARP subnetting mini-HOWTO
-   (http://www.tldp.org/HOWTO/mini/Proxy-ARP-Subnet/)
-
-   Specifying this option for an interface causes Shorewall to set
-   /proc/sys/net/ipv4/conf/<interface>/proxy_arp.

Shorewall/shorewall.conf

@@ -336,34 +336,4 @@ MERGE_HOSTS=Yes
 
 MUTEX_TIMEOUT=60
 
-#
-# NEWNOTSYN
-#
-# Normally Shorewall will allow your firewall to be rebooted without disturbing
-# existing TCP connections (the connections will resume after the reboot is
-# finished). This makes the firewall succeptable to a DOS attack that uses 
-# a certain set of flags in the TCP header.
-#
-# To disable this feature, set NEWNOTSYN=No. To enable this feature, set
-# NEWNOTSYN=Yes or leave the variable empty.
-#
- 
-NEWNOTSYN=Yes
-
-#
-# NEWNOTSYN Logging
-#
-# If you select NEWNOTSYN=No and you want Shorewall to log TCP packets that
-# don't match any current connection and that don't have the SYN flag set in
-# their header, set this variable to the syslog level that you want to log
-# them at. If you don't want these packets logged, set this variable to empty
-# (LOGNEWNOTSYN=""). This variable has no effect if NEWNOTSYN=Yes or
-# NEWNOTSYN="".
-#
-# NOTE: If you set this variable to a non-empty value, do NOT post to the 
-#       mailing list asking "What does this log entry mean?" if the log entry
-#	contains the string "Shorewall:badnew:".
-
-LOGNEWNOTSYN=
-
 #LAST LINE -- DO NOT REMOVE