Update versions to 1.3.6; Add NEWNOTSYN parameter
git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@173 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
This commit is contained in:
parent
026645036e
commit
3ae4938cec
@ -28,7 +28,7 @@
|
||||
# shown below. Simply run this script to revert to your prior version of
|
||||
# Shoreline Firewall.
|
||||
|
||||
VERSION=1.3.5b
|
||||
VERSION=1.3.6
|
||||
|
||||
usage() # $1 = exit status
|
||||
{
|
||||
|
@ -198,6 +198,8 @@ createchain() # $1 = chain name, $2 = If non-null, don't create default rules
|
||||
state="ESTABLISHED"
|
||||
[ -n "$ALLOWRELATED" ] && state="$state,RELATED"
|
||||
run_iptables -A $1 -m state --state $state -j ACCEPT
|
||||
[ -z "$NEWNOTSYN" ] && \
|
||||
run_iptables -A $1 -p TCP !--syn -m state --state NEW -j badnew
|
||||
fi
|
||||
|
||||
eval ${1}_exists=Yes
|
||||
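Review bot: The new guard `[ -z "$NEWNOTSYN" ]` adds the jump to `badnew` only when the variable is empty, yet shorewall.conf in this same commit documents `NEWNOTSYN=No` as the way to disable the feature, and the do_initialize hunk now passes the value through `added_param_value_yes`, so a literal `No` arrives here as a non-empty string unless some step not shown in these hunks normalizes `No` to the empty string; the same emptiness test is repeated in the initialize_netfilter hunk. If no such normalization exists, test the documented value instead, e.g. `case "$NEWNOTSYN" in [Nn][Oo]) run_iptables -A $1 -p tcp ! --syn -m state --state NEW -j badnew ;; esac`. Separately, if the page preserved the token as written, `!--syn` is not the iptables negation form — the match is written as two arguments, `! --syn`. createchain's body starts and ends outside this hunk.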
@ -2713,11 +2715,20 @@ initialize_netfilter () {
|
||||
run_iptables -A FORWARD -p tcp \
|
||||
--tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
|
||||
|
||||
if [ -z "$NEWNOTSYN" ]; then
|
||||
createchain badnew no
|
||||
[ -n "$LOGNEWNOTSYN" ] && \
|
||||
run_iptables -A badnew -j LOG $LOGPARMS \
|
||||
--log-prefix "Shorewall:badnew:DROP:" \
|
||||
--log-level $LOGNEWNOTSYN
|
||||
run_iptables -A badnew -j DROP
|
||||
fi
|
||||
|
||||
createchain icmpdef no
|
||||
createchain common no
|
||||
createchain reject no
|
||||
createchain dynamic no
|
||||
|
||||
|
||||
if [ -f /var/lib/shorewall/save ]; then
|
||||
echo "Restoring dynamic rules..."
|
||||
|
||||
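Review bot: The LOG rule appended to `badnew` carries no rate limit of its own, so every non-SYN TCP packet with no conntrack entry becomes a syslog line — after a firewall reboot that is at least one per previously established connection, and a scan or flood can drive it to many per second. Unless `$LOGPARMS` already supplies a limit (not visible here), consider inserting a `-m limit --limit <rate> --limit-burst <burst>` match ahead of `-j LOG` (rate and burst are site-specific placeholders), or document in shorewall.conf that `LOGNEWNOTSYN` is expected to be throttled through `LOGPARMS`. The DROP that follows is unconditional, which matches the conf text, but a one-line comment above the `if`, `# NEWNOTSYN=No: TCP packets that are neither SYN nor part of a tracked connection are logged (optional) and dropped`, would make the chain's purpose clear to the next reader. initialize_netfilter continues outside this hunk.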
@ -3388,6 +3399,7 @@ do_initialize() {
|
||||
DETECT_DNAT_IPADDRS=
|
||||
MERGE_HOSTS=
|
||||
MUTEX_TIMEOUT=
|
||||
NEWNOTSYN=
|
||||
stopping=
|
||||
have_mutex=
|
||||
masq_seq=1
|
||||
@ -3464,6 +3476,7 @@ do_initialize() {
|
||||
MULTIPORT=`added_param_value_no MULTIPORT $MULTIPORT`
|
||||
DETECT_DNAT_IPADDRS=`added_param_value_no DETECT_DNAT_IPADDRS $DETECT_DNAT_IPADDRS`
|
||||
MERGE_HOSTS=`added_param_value_no MERGE_HOSTS $MERGE_HOSTS`
|
||||
NEWNOTSYN=`added_param_value_yes NEWNOTSYN $NEWNOTSYN`
|
||||
}
|
||||
|
||||
################################################################################
|
||||
|
@ -54,7 +54,7 @@
|
||||
# /etc/rc.d/rc.local file is modified to start the firewall.
|
||||
#
|
||||
|
||||
VERSION=1.3.5b
|
||||
VERSION=1.3.6
|
||||
|
||||
usage() # $1 = exit status
|
||||
{
|
||||
|
@ -336,4 +336,34 @@ MERGE_HOSTS=Yes
|
||||
|
||||
MUTEX_TIMEOUT=60
|
||||
|
||||
#
|
||||
# NEWNOTSYN
|
||||
#
|
||||
# Normally Shorewall will allow your firewall to be rebooted without disturbing
|
||||
# existing TCP connections (the connections will resume after the reboot is
|
||||
# finished). This makes the firewall succeptable to a DOS attack that uses
|
||||
# a certain set of flags in the TCP header.
|
||||
#
|
||||
# To disable this feature, set NEWNOTSYN=No. To enable this feature, set
|
||||
# NEWNOTSYN=Yes or leave the variable empty.
|
||||
#
|
||||
|
||||
NEWNOTSYN=Yes
|
||||
|
||||
#
|
||||
# NEWNOTSYN Logging
|
||||
#
|
||||
# If you select NEWNOTSYN=No and you want Shorewall to log TCP packets that
|
||||
# don't match any current connection and that don't have the SYN flag set in
|
||||
# their header, set this variable to the syslog level that you want to log
|
||||
# them at. If you don't want these packets logged, set this variable to empty
|
||||
# (LOGNEWNOTSYN=""). This variable has no effect if NEWNOTSYN=Yes or
|
||||
# NEWNOTSYN="".
|
||||
#
|
||||
# NOTE: If you set this variable to a non-empty value, do NOT post to the
|
||||
# mailing list asking "What does this log entry mean?" if the log entry
|
||||
# contains the string "Shorewall:badnew:".
|
||||
|
||||
LOGNEWNOTSYN=
|
||||
|
||||
#LAST LINE -- DO NOT REMOVE
|
||||
|
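Review bot: The new NEWNOTSYN comment block describes the feature but never says what happens to the affected packets when it is disabled; from the firewall hunks in this commit they are sent to a `badnew` chain that logs (when LOGNEWNOTSYN is set) and then drops them, so a sentence such as `# With NEWNOTSYN=No, TCP packets that are not SYN and do not belong to a tracked connection are dropped.` would let administrators understand the log entries without the mailing-list note. The same paragraph has the misspelling `succeptable` (should be `susceptible`) and writes the term as `DOS attack`; `DoS` is the usual form. The LOGNEWNOTSYN text says it "has no effect if NEWNOTSYN=Yes or NEWNOTSYN=""", which matches the `[ -z "$NEWNOTSYN" ]` guard only if an empty value is normalized to Yes before that test — worth stating explicitly so the two files cannot drift apart.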
@ -1,5 +1,5 @@
|
||||
%define name shorewall
|
||||
%define version 1.3.5b
|
||||
%define version 1.3.6
|
||||
%define release 1
|
||||
%define prefix /usr
|
||||
|
||||
@ -76,6 +76,8 @@ if [ $1 = 0 ]; then if [ -x /sbin/insserv ]; then /sbin/insserv -r /etc/init.d/s
|
||||
%doc COPYING INSTALL changelog.txt releasenotes.txt tunnel
|
||||
|
||||
%changelog
|
||||
* Sun Aug 04 2002 Tom Eastep <tom@shorewall.net>
|
||||
- Changed version to 1.3.6
|
||||
* Mon Jul 29 2002 Tom Eastep <tom@shorewall.net>
|
||||
- Changed version to 1.3.5b
|
||||
* Sat Jul 13 2002 Tom Eastep <tom@shorewall.net>
|
||||
|
@ -26,7 +26,7 @@
|
||||
# You may only use this script to uninstall the version
|
||||
# shown below. Simply run this script to remove Seattle Firewall
|
||||
|
||||
VERSION=1.3.5b
|
||||
VERSION=1.3.6
|
||||
|
||||
usage() # $1 = exit status
|
||||
{
|
||||
|