Fix for 'newnotsyn'

git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@1361 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
2025-06-19 17:28:35 +02:00 · 2004-05-27 16:27:50 +00:00 · 2004-05-27 16:27:50 +00:00 · 7e8cc67013
commit 7e8cc67013
parent fbb6a21ab0
4 changed files with 14 additions and 5 deletions
--- a/Shorewall2/actions.std
+++ b/Shorewall2/actions.std
@ -6,6 +6,7 @@
 #
 #    dropBcast          #Silently Drop Broadcast/multicast
 #    dropNonSyn         #Silently Drop Non-syn TCP packets
+#    rejectNonSyn       #Silently Reject Non-syn TCP packets
 #
 #ACTION

--- a/Shorewall2/changelog.txt
+++ b/Shorewall2/changelog.txt
@ -15,3 +15,5 @@ Changes since 2.0.2
 6) Add lots of overhead to [re]start in order to catch typing errors.

 7) Correct reporting of installation directory in install.sh.
+
+8) Added the 'rejectNonSyn' standard built-in action.
--- a/Shorewall2/firewall
+++ b/Shorewall2/firewall
@ -2764,6 +2764,10 @@ process_actions1() {

 	    createchain dropNonSyn no
 	    run_iptables -A dropNonSyn -p tcp ! --syn -j DROP
+
+	    createchain RejectNonSyn no
+	    run_iptables -A rejectNonSyn -p tcp ! --syn -j REJECT --reject-with tcp-reset
+
 	fi

 	ACTIONS="dropBcast dropNonSyn"
@ -4791,10 +4795,9 @@ initialize_netfilter () {
 	createchain newnotsyn no

 	for interface in $(find_interfaces_by_option newnotsyn); do
-	    run_iptables -A newnotsyn -i $interface -p tcp --tcp-flags ACK ACK -j ACCEPT
-	    run_iptables -A newnotsyn -i $interface -p tcp --tcp-flags RST RST -j ACCEPT
-	    run_iptables -A newnotsyn -i $interface -p tcp --tcp-flags FIN FIN -j ACCEPT
-	    run_iptables -A newnotsyn -i $interface -j RETURN
+	    run_iptables -A newnotsyn -i $interface -p tcp --tcp-flags ACK ACK -j RETURN
+	    run_iptables -A newnotsyn -i $interface -p tcp --tcp-flags RST RST -j RETURN
+	    run_iptables -A newnotsyn -i $interface -p tcp --tcp-flags FIN FIN -j RETURN
 	done

 	run_user_exit newnotsyn
--- a/Shorewall2/releasenotes.txt
+++ b/Shorewall2/releasenotes.txt
@ -27,7 +27,7 @@ Problems Corrected since 2.0.2
 Issues when migrating from Shorewall 2.0.2 to Shorewall 2.0.3:

 None.
-
+-----------------------------------------------------------------------
 New Features:

 1) "!" is now allowed in accounting rules.
@ -38,4 +38,7 @@ New Features:
   match the name of an entry in /etc/shorewall/interfaces or the name
   of a bridge port appearing in /etc/shorewall/hosts).

+3) A new 'rejectNonSyn' built-in standard action has been added. This
+   action responds to "New not SYN" packets with an RST.
+