Update versions to 1.3.6; Add NEWNOTSYN parameter

git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@173 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
teastep 2002-08-05 14:40:06 +00:00
parent 026645036e
commit 3ae4938cec
6 changed files with 50 additions and 5 deletions


@ -28,7 +28,7 @@
# shown below. Simply run this script to revert to your prior version of
# Shoreline Firewall.
VERSION=1.3.5b
VERSION=1.3.6
usage() # $1 = exit status
{


@ -198,6 +198,8 @@ createchain() # $1 = chain name, $2 = If non-null, don't create default rules
state="ESTABLISHED"
[ -n "$ALLOWRELATED" ] && state="$state,RELATED"
run_iptables -A $1 -m state --state $state -j ACCEPT
[ -z "$NEWNOTSYN" ] && \
run_iptables -A $1 -p TCP !--syn -m state --state NEW -j badnew
fi
eval ${1}_exists=Yes
@ -2713,11 +2715,20 @@ initialize_netfilter () {
run_iptables -A FORWARD -p tcp \
--tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
if [ -z "$NEWNOTSYN" ]; then
createchain badnew no
[ -n "$LOGNEWNOTSYN" ] && \
run_iptables -A badnew -j LOG $LOGPARMS \
--log-prefix "Shorewall:badnew:DROP:" \
--log-level $LOGNEWNOTSYN
run_iptables -A badnew -j DROP
fi
createchain icmpdef no
createchain common no
createchain reject no
createchain dynamic no
if [ -f /var/lib/shorewall/save ]; then
echo "Restoring dynamic rules..."
@ -3388,6 +3399,7 @@ do_initialize() {
DETECT_DNAT_IPADDRS=
MERGE_HOSTS=
MUTEX_TIMEOUT=
NEWNOTSYN=
stopping=
have_mutex=
masq_seq=1
@ -3464,6 +3476,7 @@ do_initialize() {
MULTIPORT=`added_param_value_no MULTIPORT $MULTIPORT`
DETECT_DNAT_IPADDRS=`added_param_value_no DETECT_DNAT_IPADDRS $DETECT_DNAT_IPADDRS`
MERGE_HOSTS=`added_param_value_no MERGE_HOSTS $MERGE_HOSTS`
NEWNOTSYN=`added_param_value_yes NEWNOTSYN $NEWNOTSYN`
}
################################################################################
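Review bot: The inversion in `run_iptables -A $1 -p TCP !--syn -m state --state NEW -j badnew` (createchain hunk) is written as the single word `!--syn`; iptables takes the negation operator as its own argument (`! --syn`), so if run_iptables hands its words to iptables unchanged this rule will most likely be rejected at startup and the badnew chain never reached — a start with NEWNOTSYN=No would confirm it. In the initialize_netfilter hunk, the rule `run_iptables -A badnew -j LOG $LOGPARMS --log-prefix "Shorewall:badnew:DROP:" --log-level $LOGNEWNOTSYN` carries no rate limit of its own, and the packets it logs are exactly the ones the new shorewall.conf text calls a DoS vector, so unless $LOGPARMS already supplies one a flood of such packets is mirrored into syslog; adding `-m limit --limit 10/minute` to that rule, or documenting that LOGPARMS is expected to contain a limit, would bound it. Both createchain and initialize_netfilter begin outside their hunks, as does do_initialize.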


@ -54,7 +54,7 @@
# /etc/rc.d/rc.local file is modified to start the firewall.
#
VERSION=1.3.5b
VERSION=1.3.6
usage() # $1 = exit status
{


@ -336,4 +336,34 @@ MERGE_HOSTS=Yes
MUTEX_TIMEOUT=60
#
# NEWNOTSYN
#
# Normally Shorewall will allow your firewall to be rebooted without disturbing
# existing TCP connections (the connections will resume after the reboot is
# finished). This makes the firewall succeptable to a DOS attack that uses
# a certain set of flags in the TCP header.
#
# To disable this feature, set NEWNOTSYN=No. To enable this feature, set
# NEWNOTSYN=Yes or leave the variable empty.
#
NEWNOTSYN=Yes
#
# NEWNOTSYN Logging
#
# If you select NEWNOTSYN=No and you want Shorewall to log TCP packets that
# don't match any current connection and that don't have the SYN flag set in
# their header, set this variable to the syslog level that you want to log
# them at. If you don't want these packets logged, set this variable to empty
# (LOGNEWNOTSYN=""). This variable has no effect if NEWNOTSYN=Yes or
# NEWNOTSYN="".
#
# NOTE: If you set this variable to a non-empty value, do NOT post to the
# mailing list asking "What does this log entry mean?" if the log entry
# contains the string "Shorewall:badnew:".
LOGNEWNOTSYN=
#LAST LINE -- DO NOT REMOVE
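Review bot: The line `# finished). This makes the firewall succeptable to a DOS attack that uses` should read `susceptible to a DoS attack`. The paragraph also never states what "this feature" is in packet terms, so a reader cannot tell that the shipped default `NEWNOTSYN=Yes` is the more permissive setting; from the firewall hunks in this commit, NEWNOTSYN=No sends TCP packets that match no tracked connection and lack the SYN flag to the badnew chain and drops them, while with Yes no such rule exists and they presumably fall through to normal NEW handling. A sentence such as `# With NEWNOTSYN=No, TCP packets that match no tracked connection and do not have the SYN flag are dropped (chain badnew); with NEWNOTSYN=Yes they are not, which is what lets connections survive a reboot.` would make the trade-off explicit. The LOGNEWNOTSYN text could likewise say that these entries can be high-volume during the attack described above, which appears to be the reason for the "do NOT post" note.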


@ -1,5 +1,5 @@
%define name shorewall
%define version 1.3.5b
%define version 1.3.6
%define release 1
%define prefix /usr
@ -76,6 +76,8 @@ if [ $1 = 0 ]; then if [ -x /sbin/insserv ]; then /sbin/insserv -r /etc/init.d/s
%doc COPYING INSTALL changelog.txt releasenotes.txt tunnel
%changelog
* Sun Aug 04 2002 Tom Eastep <tom@shorewall.net>
- Changed version to 1.3.6
* Mon Jul 29 2002 Tom Eastep <tom@shorewall.net>
- Changed version to 1.3.5b
* Sat Jul 13 2002 Tom Eastep <tom@shorewall.net>


@ -26,7 +26,7 @@
# You may only use this script to uninstall the version
# shown below. Simply run this script to remove Seattle Firewall
VERSION=1.3.5b
VERSION=1.3.6
usage() # $1 = exit status
{