From 6f5a5cf9c0e5a70deedf86b1517b759d8f10d1cd Mon Sep 17 00:00:00 2001
From: teastep
Date: Fri, 13 Dec 2002 23:39:57 +0000
Subject: [PATCH] Reject SPT=0 SYN under 'tcpflags' option

git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@366 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
---
 STABLE/firewall | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/STABLE/firewall b/STABLE/firewall
index e4d222888..3ee873ae0 100755
--- a/STABLE/firewall
+++ b/STABLE/firewall
@@ -3326,6 +3326,12 @@ add_common_rules() {
     run_iptables -A tcpflags -p tcp --tcp-flags ALL NONE $disposition
     run_iptables -A tcpflags -p tcp --tcp-flags SYN,RST SYN,RST $disposition
     run_iptables -A tcpflags -p tcp --tcp-flags SYN,FIN SYN,FIN $disposition
+    #
+    # A Shorewall user reported seeing outgoing SYN ACK packets with DPT=0
+    # That prompted me to add the following which will stop an incoming
+    # SYN with SPT=0
+    #
+    run_iptables -A tcpflags -p tcp --syn --sport 0 $disposition
     for interface in $interfaces; do
         for chain in `first_chains $interface`; do