From 7e8cc67013047dbf9198a59caac18f73e945e56e Mon Sep 17 00:00:00 2001
From: teastep
Date: Thu, 27 May 2004 16:27:50 +0000
Subject: [PATCH] Fix for 'newnotsyn'
git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@1361 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
---
 Shorewall2/actions.std | 1 +
 Shorewall2/changelog.txt | 2 ++
 Shorewall2/firewall | 11 +++++++----
 Shorewall2/releasenotes.txt | 5 ++++-
 4 files changed, 14 insertions(+), 5 deletions(-)
diff --git a/Shorewall2/actions.std b/Shorewall2/actions.std
index 2e9fbab99..955d3691a 100644
--- a/Shorewall2/actions.std
+++ b/Shorewall2/actions.std
@@ -6,6 +6,7 @@
 #
 # dropBcast #Silently Drop Broadcast/multicast
 # dropNonSyn #Silently Drop Non-syn TCP packets
+# rejectNonSyn #Silently Reject Non-syn TCP packets
 #
 #ACTION
diff --git a/Shorewall2/changelog.txt b/Shorewall2/changelog.txt
index 2eae4d535..0071d0f1a 100644
--- a/Shorewall2/changelog.txt
+++ b/Shorewall2/changelog.txt
@@ -15,3 +15,5 @@ Changes since 2.0.2
 6) Add lots of overhead to [re]start in order to catch typing errors.
 7) Correct reporting of installation directory in install.sh.
+
+8) Added the 'rejectNonSyn' standard built-in action.
diff --git a/Shorewall2/firewall b/Shorewall2/firewall
index 792a9f67f..e938558ca 100755
--- a/Shorewall2/firewall
+++ b/Shorewall2/firewall
@@ -2764,6 +2764,10 @@ process_actions1() {
 createchain dropNonSyn no
 run_iptables -A dropNonSyn -p tcp ! --syn -j DROP
+
+ createchain RejectNonSyn no
+ run_iptables -A rejectNonSyn -p tcp ! --syn -j REJECT --reject-with tcp-reset
+
 fi
 ACTIONS="dropBcast dropNonSyn"
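Review bot: The added line describes rejectNonSyn as "Silently Reject", but the action this commit defines in Shorewall2/firewall uses `REJECT --reject-with tcp-reset`, which answers the peer with an RST — not silent at all, and the releasenotes hunk in this same commit says exactly that ("responds ... with an RST"). Suggest `# rejectNonSyn #Reject Non-syn TCP packets with an RST` so the actions list does not contradict the implementation; the "Silently" wording is accurate only for dropNonSyn on the line above.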
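Review bot: The chain is created as `RejectNonSyn` but the rule on the next line is appended to `rejectNonSyn`; iptables chain names are case-sensitive, so the append targets a chain that does not exist and the chain that is created stays empty, which means the new action would fail at [re]start. The line should read `createchain rejectNonSyn no`. The context line `ACTIONS="dropBcast dropNonSyn"` at the end of the hunk is also left without the new action, so whatever consumes ACTIONS (not visible here) presumably will not treat rejectNonSyn as a built-in; it likely needs to become `ACTIONS="dropBcast dropNonSyn rejectNonSyn"`. process_actions1 starts outside the hunk.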
@@ -4791,10 +4795,9 @@ initialize_netfilter () {
 createchain newnotsyn no
 for interface in $(find_interfaces_by_option newnotsyn); do
- run_iptables -A newnotsyn -i $interface -p tcp --tcp-flags ACK ACK -j ACCEPT
- run_iptables -A newnotsyn -i $interface -p tcp --tcp-flags RST RST -j ACCEPT
- run_iptables -A newnotsyn -i $interface -p tcp --tcp-flags FIN FIN -j ACCEPT
- run_iptables -A newnotsyn -i $interface -j RETURN
+ run_iptables -A newnotsyn -i $interface -p tcp --tcp-flags ACK ACK -j RETURN
+ run_iptables -A newnotsyn -i $interface -p tcp --tcp-flags RST RST -j RETURN
+ run_iptables -A newnotsyn -i $interface -p tcp --tcp-flags FIN FIN -j RETURN
 done
 run_user_exit newnotsyn
diff --git a/Shorewall2/releasenotes.txt b/Shorewall2/releasenotes.txt
index 996405533..0316cce95 100755
--- a/Shorewall2/releasenotes.txt
+++ b/Shorewall2/releasenotes.txt
@@ -27,7 +27,7 @@ Problems Corrected since 2.0.2
 Issues when migrating from Shorewall 2.0.2 to Shorewall 2.0.3:
 None.
-
+-----------------------------------------------------------------------
 New Features:
 1) "!" is now allowed in accounting rules.
@@ -38,4 +38,7 @@ New Features:
 match the name of an entry in /etc/shorewall/interfaces or the name
 of a bridge port appearing in /etc/shorewall/hosts).
+3) A new 'rejectNonSyn' built-in standard action has been added. This
+ action responds to "New not SYN" packets with an RST.
+
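Review bot: Removing the per-interface catch-all `run_iptables -A newnotsyn -i $interface -j RETURN` changes what happens to a NEW non-SYN packet from a newnotsyn interface that carries none of ACK, RST or FIN: it no longer returns to the caller but falls past the loop to `run_user_exit newnotsyn` and whatever the chain's tail does, which is outside this hunk. Switching the flag rules from ACCEPT to RETURN is the right call, since an ACCEPT in this chain ended rule traversal for those packets and let them bypass every later rule, but the removal of the catch-all looks deliberate and deserves a comment above the loop such as `# ACK/RST/FIN from newnotsyn interfaces fall back to normal rule processing; anything else is handled below`. The three rules differ only in the flag and could be one `for flag in ACK RST FIN; do run_iptables -A newnotsyn -i $interface -p tcp --tcp-flags $flag $flag -j RETURN; done` loop. The changelog.txt and releasenotes.txt hunks in this commit record only the rejectNonSyn action, not this newnotsyn behaviour change that the subject names. initialize_netfilter continues outside the hunk on both sides.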