Update versions to 1.3.6\; Add NEWNOTSYN parameter
git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@173 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
This commit is contained in:
parent
026645036e
commit
3ae4938cec
@ -28,7 +28,7 @@
|
|||||||
# shown below. Simply run this script to revert to your prior version of
|
# shown below. Simply run this script to revert to your prior version of
|
||||||
# Shoreline Firewall.
|
# Shoreline Firewall.
|
||||||
|
|
||||||
VERSION=1.3.5b
|
VERSION=1.3.6
|
||||||
|
|
||||||
usage() # $1 = exit status
|
usage() # $1 = exit status
|
||||||
{
|
{
|
||||||
|
@ -198,6 +198,8 @@ createchain() # $1 = chain name, $2 = If non-null, don't create default rules
|
|||||||
state="ESTABLISHED"
|
state="ESTABLISHED"
|
||||||
[ -n "$ALLOWRELATED" ] && state="$state,RELATED"
|
[ -n "$ALLOWRELATED" ] && state="$state,RELATED"
|
||||||
run_iptables -A $1 -m state --state $state -j ACCEPT
|
run_iptables -A $1 -m state --state $state -j ACCEPT
|
||||||
|
[ -z "$NEWNOTSYN" ] && \
|
||||||
|
run_iptables -A $1 -p TCP !--syn -m state --state NEW -j badnew
|
||||||
fi
|
fi
|
||||||
|
|
||||||
eval ${1}_exists=Yes
|
eval ${1}_exists=Yes
|
||||||
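Review bot: The negation in the new rule `run_iptables -A $1 -p TCP !--syn -m state --state NEW -j badnew` is printed as the single word `!--syn`; iptables takes the negation as a separate `!` word (`! --syn`), so unless run_iptables rewrites its arguments this line is likely rejected as a bad argument and the start fails whenever NEWNOTSYN is empty — worth confirming against a real iptables before release. The jump also only works because initialize_netfilter creates `badnew` under the same `[ -z "$NEWNOTSYN" ]` guard, and nothing here records that; a comment such as `# badnew is created in initialize_netfilter only when NEWNOTSYN is empty; keep both guards in step` would make the coupling visible to the next editor. createchain begins and ends outside the hunk.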
@ -2713,11 +2715,20 @@ initialize_netfilter () {
|
|||||||
run_iptables -A FORWARD -p tcp \
|
run_iptables -A FORWARD -p tcp \
|
||||||
--tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
|
--tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
|
||||||
|
|
||||||
|
if [ -z "$NEWNOTSYN" ]; then
|
||||||
|
createchain badnew no
|
||||||
|
[ -n "$LOGNEWNOTSYN" ] && \
|
||||||
|
run_iptables -A badnew -j LOG $LOGPARMS \
|
||||||
|
--log-prefix "Shorewall:badnew:DROP:" \
|
||||||
|
--log-level $LOGNEWNOTSYN
|
||||||
|
run_iptables -A badnew -j DROP
|
||||||
|
fi
|
||||||
|
|
||||||
createchain icmpdef no
|
createchain icmpdef no
|
||||||
createchain common no
|
createchain common no
|
||||||
createchain reject no
|
createchain reject no
|
||||||
createchain dynamic no
|
createchain dynamic no
|
||||||
|
|
||||||
if [ -f /var/lib/shorewall/save ]; then
|
if [ -f /var/lib/shorewall/save ]; then
|
||||||
echo "Restoring dynamic rules..."
|
echo "Restoring dynamic rules..."
|
||||||
|
|
||||||
@ -3388,6 +3399,7 @@ do_initialize() {
|
|||||||
DETECT_DNAT_IPADDRS=
|
DETECT_DNAT_IPADDRS=
|
||||||
MERGE_HOSTS=
|
MERGE_HOSTS=
|
||||||
MUTEX_TIMEOUT=
|
MUTEX_TIMEOUT=
|
||||||
|
NEWNOTSYN=
|
||||||
stopping=
|
stopping=
|
||||||
have_mutex=
|
have_mutex=
|
||||||
masq_seq=1
|
masq_seq=1
|
||||||
@ -3464,6 +3476,7 @@ do_initialize() {
|
|||||||
MULTIPORT=`added_param_value_no MULTIPORT $MULTIPORT`
|
MULTIPORT=`added_param_value_no MULTIPORT $MULTIPORT`
|
||||||
DETECT_DNAT_IPADDRS=`added_param_value_no DETECT_DNAT_IPADDRS $DETECT_DNAT_IPADDRS`
|
DETECT_DNAT_IPADDRS=`added_param_value_no DETECT_DNAT_IPADDRS $DETECT_DNAT_IPADDRS`
|
||||||
MERGE_HOSTS=`added_param_value_no MERGE_HOSTS $MERGE_HOSTS`
|
MERGE_HOSTS=`added_param_value_no MERGE_HOSTS $MERGE_HOSTS`
|
||||||
|
NEWNOTSYN=`added_param_value_yes NEWNOTSYN $NEWNOTSYN`
|
||||||
}
|
}
|
||||||
|
|
||||||
################################################################################
|
################################################################################
|
||||||
|
@ -54,7 +54,7 @@
|
|||||||
# /etc/rc.d/rc.local file is modified to start the firewall.
|
# /etc/rc.d/rc.local file is modified to start the firewall.
|
||||||
#
|
#
|
||||||
|
|
||||||
VERSION=1.3.5b
|
VERSION=1.3.6
|
||||||
|
|
||||||
usage() # $1 = exit status
|
usage() # $1 = exit status
|
||||||
{
|
{
|
||||||
|
@ -336,4 +336,34 @@ MERGE_HOSTS=Yes
|
|||||||
|
|
||||||
MUTEX_TIMEOUT=60
|
MUTEX_TIMEOUT=60
|
||||||
|
|
||||||
|
#
|
||||||
|
# NEWNOTSYN
|
||||||
|
#
|
||||||
|
# Normally Shorewall will allow your firewall to be rebooted without disturbing
|
||||||
|
# existing TCP connections (the connections will resume after the reboot is
|
||||||
|
# finished). This makes the firewall succeptable to a DOS attack that uses
|
||||||
|
# a certain set of flags in the TCP header.
|
||||||
|
#
|
||||||
|
# To disable this feature, set NEWNOTSYN=No. To enable this feature, set
|
||||||
|
# NEWNOTSYN=Yes or leave the variable empty.
|
||||||
|
#
|
||||||
|
|
||||||
|
NEWNOTSYN=Yes
|
||||||
|
|
||||||
|
#
|
||||||
|
# NEWNOTSYN Logging
|
||||||
|
#
|
||||||
|
# If you select NEWNOTSYN=No and you want Shorewall to log TCP packets that
|
||||||
|
# don't match any current connection and that don't have the SYN flag set in
|
||||||
|
# their header, set this variable to the syslog level that you want to log
|
||||||
|
# them at. If you don't want these packets logged, set this variable to empty
|
||||||
|
# (LOGNEWNOTSYN=""). This variable has no effect if NEWNOTSYN=Yes or
|
||||||
|
# NEWNOTSYN="".
|
||||||
|
#
|
||||||
|
# NOTE: If you set this variable to a non-empty value, do NOT post to the
|
||||||
|
# mailing list asking "What does this log entry mean?" if the log entry
|
||||||
|
# contains the string "Shorewall:badnew:".
|
||||||
|
|
||||||
|
LOGNEWNOTSYN=
|
||||||
|
|
||||||
#LAST LINE -- DO NOT REMOVE
|
#LAST LINE -- DO NOT REMOVE
|
||||||
|
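Review bot: The shipped default `NEWNOTSYN=Yes` at the end of the new block selects exactly the behaviour the comment above it describes as making the firewall susceptible to a DoS attack, so new and upgraded installs keep the permissive setting unless an admin reads and edits the comment; consider shipping `NEWNOTSYN=No`, or at least saying in the comment that Yes trades attack exposure for connections surviving a firewall restart. The wording "disable this feature"/"enable this feature" never names the feature, and could read `# Set NEWNOTSYN=No to drop TCP packets that open a new connection without the SYN flag; set NEWNOTSYN=Yes (or leave it empty) to accept them so that existing connections survive a firewall restart.`; "succeptable" should be "susceptible". Since the comment itself frames these packets as a DoS vector, the LOGNEWNOTSYN text could add that logging every such packet without a rate limit in LOGPARMS lets the same flood fill syslog.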
@ -1,5 +1,5 @@
|
|||||||
%define name shorewall
|
%define name shorewall
|
||||||
%define version 1.3.5b
|
%define version 1.3.6
|
||||||
%define release 1
|
%define release 1
|
||||||
%define prefix /usr
|
%define prefix /usr
|
||||||
|
|
||||||
@ -76,6 +76,8 @@ if [ $1 = 0 ]; then if [ -x /sbin/insserv ]; then /sbin/insserv -r /etc/init.d/s
|
|||||||
%doc COPYING INSTALL changelog.txt releasenotes.txt tunnel
|
%doc COPYING INSTALL changelog.txt releasenotes.txt tunnel
|
||||||
|
|
||||||
%changelog
|
%changelog
|
||||||
|
* Sun Aug 04 2002 Tom Eastep <tom@shorewall.net>
|
||||||
|
- Changed version to 1.3.6
|
||||||
* Mon Jul 29 2002 Tom Eastep <tom@shorewall.net>
|
* Mon Jul 29 2002 Tom Eastep <tom@shorewall.net>
|
||||||
- Changed version to 1.3.5b
|
- Changed version to 1.3.5b
|
||||||
* Sat Jul 13 2002 Tom Eastep <tom@shorewall.net>
|
* Sat Jul 13 2002 Tom Eastep <tom@shorewall.net>
|
||||||
|
@ -26,7 +26,7 @@
|
|||||||
# You may only use this script to uninstall the version
|
# You may only use this script to uninstall the version
|
||||||
# shown below. Simply run this script to remove Seattle Firewall
|
# shown below. Simply run this script to remove Seattle Firewall
|
||||||
|
|
||||||
VERSION=1.3.5b
|
VERSION=1.3.6
|
||||||
|
|
||||||
usage() # $1 = exit status
|
usage() # $1 = exit status
|
||||||
{
|
{
|
||||||
|