Update versions to 1.3.6\; Add NEWNOTSYN parameter

git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@173 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb

Shorewall/fallback.sh

@@ -28,7 +28,7 @@
 #       shown below. Simply run this script to revert to your prior version of 
 #       Shoreline Firewall.
 
-VERSION=1.3.5b
+VERSION=1.3.6
 
 usage() # $1 = exit status
 {

Shorewall/firewall

@@ -198,6 +198,8 @@ createchain() # $1 = chain name, $2 = If non-null, don't create default rules
 	state="ESTABLISHED"
 	[ -n "$ALLOWRELATED" ] && state="$state,RELATED"
 	run_iptables -A $1 -m state --state $state -j ACCEPT
+	[ -z "$NEWNOTSYN" ] && \
+	    run_iptables -A $1 -p TCP !--syn -m state --state NEW -j badnew
     fi
 
     eval ${1}_exists=Yes
@@ -2713,11 +2715,20 @@ initialize_netfilter () {
 	run_iptables -A FORWARD -p tcp \
 	    --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
 
+    if [ -z "$NEWNOTSYN" ]; then
+	createchain badnew no
+	[ -n "$LOGNEWNOTSYN" ] && \
+	    run_iptables -A badnew -j LOG $LOGPARMS \
+	    --log-prefix "Shorewall:badnew:DROP:" \
+	    --log-level $LOGNEWNOTSYN
+	run_iptables -A badnew -j DROP
+    fi
+
     createchain icmpdef no
     createchain common	no
     createchain reject	no
     createchain dynamic no
-    
+	    
     if [ -f /var/lib/shorewall/save ]; then
 	echo "Restoring dynamic rules..."
 
@@ -3388,6 +3399,7 @@ do_initialize() {
     DETECT_DNAT_IPADDRS=
     MERGE_HOSTS=
     MUTEX_TIMEOUT=
+    NEWNOTSYN=
     stopping=
     have_mutex=
     masq_seq=1
@@ -3464,6 +3476,7 @@ do_initialize() {
     MULTIPORT=`added_param_value_no MULTIPORT $MULTIPORT`
     DETECT_DNAT_IPADDRS=`added_param_value_no DETECT_DNAT_IPADDRS $DETECT_DNAT_IPADDRS`
     MERGE_HOSTS=`added_param_value_no MERGE_HOSTS $MERGE_HOSTS`
+    NEWNOTSYN=`added_param_value_yes NEWNOTSYN $NEWNOTSYN`
 }
 
 ################################################################################

Shorewall/install.sh

@@ -54,7 +54,7 @@
 #        /etc/rc.d/rc.local file is modified to start the firewall.
 #
 
-VERSION=1.3.5b
+VERSION=1.3.6
 
 usage() # $1 = exit status
 {

Shorewall/shorewall.conf

@@ -336,4 +336,34 @@ MERGE_HOSTS=Yes
 
 MUTEX_TIMEOUT=60
 
+#
+# NEWNOTSYN
+#
+# Normally Shorewall will allow your firewall to be rebooted without disturbing
+# existing TCP connections (the connections will resume after the reboot is
+# finished). This makes the firewall succeptable to a DOS attack that uses 
+# a certain set of flags in the TCP header.
+#
+# To disable this feature, set NEWNOTSYN=No. To enable this feature, set
+# NEWNOTSYN=Yes or leave the variable empty.
+#
+ 
+NEWNOTSYN=Yes
+
+#
+# NEWNOTSYN Logging
+#
+# If you select NEWNOTSYN=No and you want Shorewall to log TCP packets that
+# don't match any current connection and that don't have the SYN flag set in
+# their header, set this variable to the syslog level that you want to log
+# them at. If you don't want these packets logged, set this variable to empty
+# (LOGNEWNOTSYN=""). This variable has no effect if NEWNOTSYN=Yes or
+# NEWNOTSYN="".
+#
+# NOTE: If you set this variable to a non-empty value, do NOT post to the 
+#       mailing list asking "What does this log entry mean?" if the log entry
+#	contains the string "Shorewall:badnew:".
+
+LOGNEWNOTSYN=
+
 #LAST LINE -- DO NOT REMOVE

Shorewall/shorewall.spec

@@ -1,5 +1,5 @@
 %define name shorewall
-%define version 1.3.5b
+%define version 1.3.6
 %define release 1
 %define prefix /usr
 
@@ -76,6 +76,8 @@ if [ $1 = 0 ]; then if [ -x /sbin/insserv ]; then /sbin/insserv -r /etc/init.d/s
 %doc COPYING INSTALL changelog.txt releasenotes.txt tunnel
 
 %changelog
+* Sun Aug 04 2002 Tom Eastep <tom@shorewall.net>
+- Changed version to 1.3.6
 * Mon Jul 29 2002 Tom Eastep <tom@shorewall.net>
 - Changed version to 1.3.5b
 * Sat Jul 13 2002 Tom Eastep <tom@shorewall.net>

Shorewall/uninstall.sh

@@ -26,7 +26,7 @@
 #       You may only use this script to uninstall the version
 #       shown below. Simply run this script to remove Seattle Firewall
 
-VERSION=1.3.5b
+VERSION=1.3.6
 
 usage() # $1 = exit status
 {