NEWNOTSYN option

git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@216 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
2025-01-08 22:58:50 +01:00 · 2002-08-23 18:51:55 +00:00 · 2002-08-23 18:51:55 +00:00 · 8f4ff3306e
commit 8f4ff3306e
parent cda5cb1d53
2 changed files with 31 additions and 7 deletions
--- a/Shorewall/firewall
+++ b/Shorewall/firewall
@ -200,7 +200,8 @@ createchain() # $1 = chain name, $2 = If non-null, don't create default rules
 	state="ESTABLISHED"
 	[ -n "$ALLOWRELATED" ] && state="$state,RELATED"
 	run_iptables -A $1 -m state --state $state -j ACCEPT
-	run_iptables -A $1 -m state --state NEW -p tcp !--syn -j newnotsyn
+	[ -z "$NEWNOTSYN" ] && \
+	    run_iptables -A $1 -m state --state NEW -p tcp !--syn -j newnotsyn
    fi

    eval ${1}_exists=Yes
@ -2726,12 +2727,14 @@ initialize_netfilter () {
 	    --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu

    
-    createchain newnotsyn no
-    run_user_exit newnotsyn
-    [ -n "$LOGNEWNOTSYN" ] && \
-	run_iptables -A newnotsyn -j LOG \
-	--log-prefix "Shorewall:newnotsyn:DROP:" --log-level $LOGNEWNOTSYN
-    run_iptables -A newnotsyn -j DROP	
+    if [ -z "$NEWNOTSYN" ]; then
+	createchain newnotsyn no
+	run_user_exit newnotsyn
+	[ -n "$LOGNEWNOTSYN" ] && \
+	    run_iptables -A newnotsyn -j LOG \
+	    --log-prefix "Shorewall:newnotsyn:DROP:" --log-level $LOGNEWNOTSYN
+	run_iptables -A newnotsyn -j DROP
+    fi	

    createchain icmpdef no
    createchain common	no
@ -3408,6 +3411,7 @@ do_initialize() {
    DETECT_DNAT_IPADDRS=
    MERGE_HOSTS=
    MUTEX_TIMEOUT=
+    NEWNOTSYN=
    LOGNEWNOTSYN=
    FORWARDPING=
    stopping=
@ -3487,6 +3491,7 @@ do_initialize() {
    DETECT_DNAT_IPADDRS=`added_param_value_no DETECT_DNAT_IPADDRS $DETECT_DNAT_IPADDRS`
    MERGE_HOSTS=`added_param_value_no MERGE_HOSTS $MERGE_HOSTS`
    FORWARDPING=`added_param_value_no FORWARDPING $FORWARDPING`
+    NEWNOTSYN=`added_param_value_yes NEWNOTSYN $NEWNOTSYN`
 }

 ################################################################################
--- a/Shorewall/shorewall.conf
+++ b/Shorewall/shorewall.conf
@ -339,6 +339,8 @@ MUTEX_TIMEOUT=60
 #
 # LOGGING 'New not SYN' rejects
 #
+# This variable only has an effect when NEWNOTSYN=No (see below).
+#
 # When a TCP packet that does not have the SYN flag set and the ACK and RST
 # flags clear then unless the packet is part of an established connection,
 # it will be rejected by the firewall. If you want these rejects logged, 
@ -357,4 +359,21 @@ LOGNEWNOTSYN=

 FORWARDPING=Yes

+#
+# NEWNOTSYN
+#
+# If this variable is set to "No" or "no", then When a TCP packet that does
+# not have the SYN flag set and the ACK and RST flags clear then unless the
+# packet is part of an established connection, it will be rejected by the
+# firewall
+#
+# If this variable is set to "Yes" or "yes" then such packets will not be
+# rejected but will pass through the normal rule processing.
+#
+# Users with a High-availability setup with two firewall's and one acting
+# as a backup should set NEWNOTSYN=Yes. Users with asymmetric routing may
+# also need to select NEWNOTSYN=Yes.
+ 
+NEWNOTSYN=No
+
 #LAST LINE -- DO NOT REMOVE