Add DROPINVALID Option

git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@1806 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
This commit is contained in:
teastep 2004-12-07 00:46:46 +00:00
parent e0b5a86257
commit 7aaabbd85c
2 changed files with 42 additions and 4 deletions

View File

@ -3609,7 +3609,7 @@ process_actions3() {
dropInvalid)
if [ "$COMMAND" != check ]; then
[ -n "$xlevel" ] && \
log_rule_limit ${xlevel%\!} $xchain dropNotSyn $2 "" "$xtag" -A -m state --state INVALID
log_rule_limit ${xlevel%\!} $xchain dropInvalid $2 "" "$xtag" -A -m state --state INVALID
run_iptables -A $xchain -m state --state INVALID -j DROP
fi
;;
@ -5622,12 +5622,13 @@ initialize_netfilter () {
[ -f $accounting_file ] && setup_accounting $accounting_file
#
# Allow DNS lookups during startup for FQDNs and deep-six INVALID packets
# Allow DNS lookups during startup for FQDNs
#
for chain in INPUT OUTPUT FORWARD; do
run_iptables -A $chain -p udp --dport 53 -j ACCEPT
run_iptables -A $chain -p ! icmp -m state --state INVALID -j DROP
[ -n "$DROPINVALID" ] && \
run_iptables -A $chain -p ! icmp -m state --state INVALID -j DROP
done
if [ -n "$CLAMPMSS" ]; then
@ -5785,7 +5786,7 @@ add_common_rules() {
network=${host#*:}
for chain in $(first_chains $interface); do
run_iptables -A $chain -m state --state NEW $(match_source_hosts $network) $policy -j smurfs
run_iptables -A $chain -m state --state NEW,INVALID $(match_source_hosts $network) $policy -j smurfs
done
done
fi
@ -7066,6 +7067,7 @@ do_initialize() {
DELAYBLACKLISTLOAD=
LOGTAGONLY=
LOGALLNEW=
DROPINVALID=
RESTOREBASE=
TMP_DIR=
@ -7260,6 +7262,7 @@ do_initialize() {
RETAIN_ALIASES=$(added_param_value_no RETAIN_ALIASES $RETAIN_ALIASES)
DELAYBLACKLISTLOAD=$(added_param_value_no DELAYBLACKLISTLOAD $DELAYBLACKLISTLOAD)
LOGTAGONLY=$(added_param_value_no LOGTAGONLY $LOGTAGONLY)
DROPINVALID=$(added_param_value_yes DROPINVALID $DROPINVALID)
#
# Strip the files that we use often
#

View File

@ -702,6 +702,41 @@ DYNAMIC_ZONES=No
# or if given as empty (PKTTYPE="") then PKTTYPE=Yes is assumed.
PKTTYPE=Yes
#
# DROP INVALID PACKETS
#
# Netfilter classifies packets relative to its connection tracking table into
# four states:
#
# NEW - thes packet initiates a new connection
# ESTABLISHED - thes packet is part of an established connection
# RELATED - thes packet is related to an established connection; it may
# establish a new connection
# INVALID - the packet does not related to the table in any sensible way.
#
# Recent 2.6 kernels include code that evaluates TCP packets based on TCP
# Window analysis. This can cause packets that were previously classified as
# NEW or ESTABLISHED to be classified as INVALID.
#
# The new kernel code can be disabled by including this command in your
# /etc/shorewall/init file:
#
# echo 1 > /proc/sys/net/ipv4/netfilter/ip_conntrack_tcp_be_liberal
#
# Additional kernel logging about INVALID TCP packets may be obtained by
# adding this command to /etc/shorewall/init:
#
# echo 1 > /proc/sys/net/ipv4/netfilter/ip_conntrack_log_invalid
#
# Traditionally, Shorewall has dropped INVALID TCP packets early. The DROPINVALID
# option allows INVALID packets to be passed through the normal rules chains by
# setting DROPINVALID=No.
#
# If not specified or if specified as empty (e.g., DROPINVALID="") then
# DROPINVALID=Yes is assumed.
DROPINVALID=No
################################################################################
# P A C K E T D I S P O S I T I O N
################################################################################