extern/shorewall_code
1
0
Fork 1
mirror of https://gitlab.com/shorewall/code.git synced 2025-06-19 17:28:35 +02:00
Code Issues Packages Projects Releases Wiki Activity

Drop INVALID state packets; rate limit NEWNOTSYN logging

Browse Source 
git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@495 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
This commit is contained in:
teastep 2003-03-10 00:41:39 +00:00
parent 4b74dc43a3
commit 7fab125525
3 changed files with 10 additions and 13 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
Shorewall/changelog.txt
View File

@ -58,3 +58,5 @@ Changes since 1.3.14
26. Remove unused function find_interface_broadcasts() 26. Remove unused function find_interface_broadcasts()
27. Remove stale comments in the params file. 27. Remove stale comments in the params file.
28. Silently drop INVALID state packets

4
Shorewall/common.def
View File

@ -14,10 +14,6 @@
# #
run_iptables -A common -p icmp -j icmpdef run_iptables -A common -p icmp -j icmpdef
############################################################################ ############################################################################
# Drop invalid state TCP packets
#
run_iptables -A common -m state -p tcp --state INVALID -j DROP
############################################################################
# NETBIOS chatter # NETBIOS chatter
# #
run_iptables -A common -p udp --dport 137:139 -j REJECT run_iptables -A common -p udp --dport 137:139 -j REJECT

17
Shorewall/firewall
View File

@ -3167,15 +3167,14 @@ initialize_netfilter () {
setcontinue INPUT setcontinue INPUT
setcontinue OUTPUT setcontinue OUTPUT
# #
# Allow DNS lookups during startup for FQDNs # Allow DNS lookups during startup for FQDNs and deep-six INVALID packets
# #
run_iptables -A INPUT -p udp --dport 53 -j ACCEPT # I suppose that there
# is an idiot somewhere
# who needs this strip_file nat
run_iptables -A OUTPUT -p udp --dport 53 -j ACCEPT
run_iptables -A FORWARD -p udp --dport 53 -j ACCEPT
for chain in INPUT OUTPUT FORWARD; do
run_iptables -A $chain -p udp --dport 53 -j ACCEPT
run_iptables -A $chain -m state --state INVALID -j DROP
done
[ -n "$CLAMPMSS" ] && \ [ -n "$CLAMPMSS" ] && \
run_iptables -A FORWARD -p tcp \ run_iptables -A FORWARD -p tcp \
--tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
@ -3186,10 +3185,10 @@ initialize_netfilter () {
run_user_exit newnotsyn run_user_exit newnotsyn
if [ -n "$LOGNEWNOTSYN" ]; then if [ -n "$LOGNEWNOTSYN" ]; then
if [ "$LOGNEWNOTSYN" = ULOG ]; then if [ "$LOGNEWNOTSYN" = ULOG ]; then
run_iptables -A newnotsyn -j ULOG run_iptables -A newnotsyn -j ULOG $LOGPARMS \
--ulog-prefix "Shorewall:newnotsyn:DROP:" --ulog-prefix "Shorewall:newnotsyn:DROP:"
else else
run_iptables -A newnotsyn -j LOG \ run_iptables -A newnotsyn -j LOG $LOGPARMS \
--log-prefix "Shorewall:newnotsyn:DROP:" --log-level $LOGNEWNOTSYN --log-prefix "Shorewall:newnotsyn:DROP:" --log-level $LOGNEWNOTSYN
fi fi
fi fi