mirror of
https://gitlab.com/shorewall/code.git
synced 2024-11-23 08:03:11 +01:00
Document DROPINVALID
git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@1810 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
This commit is contained in:
parent
40a8fc5103
commit
bb4652cdf7
@ -174,3 +174,5 @@ Changes since 2.0.3
85) Continue determining capabilities when fooX1234 already exists.
86) Corrected typo in interfaces file.
97) Add DROPINVALID option.
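Review bot: the changelog numbering in this hunk jumps from 86) to 97) for the DROPINVALID entry, while the two preceding items are 85) and 86), so 97 reads as a typo for 87. Suggest renumbering the added line to `87) Add DROPINVALID option.` so the sequence in the "Changes since 2.0.3" list stays contiguous.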
@ -785,3 +785,24 @@ New Features:
exceeded the specified rate was silently dropped. Now, if a log
level is given in the entry (LEVEL column) then drops are logged at
that level at a rate of 5/min with a burst of 5.
35) Recent 2.6 kernels include code that evaluates TCP packets based on
TCP Window analysis. This can cause packets that were previously
classified as NEW or ESTABLISHED to be classified as INVALID.
The new kernel code can be disabled by including this command in
your /etc/shorewall/init file:
echo 1 > /proc/sys/net/ipv4/netfilter/ip_conntrack_tcp_be_liberal
Additional kernel logging about INVALID TCP packets may be
obtained by adding this command to /etc/shorewall/init:
echo 1 > /proc/sys/net/ipv4/netfilter/ip_conntrack_log_invalid
Traditionally, Shorewall has dropped INVALID TCP packets early. The
new DROPINVALID option allows INVALID packets to be passed through
the normal rules chains by setting DROPINVALID=No.
If not specified or if specified as empty (e.g., DROPINVALID="")
then DROPINVALID=Yes is assumed.
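Review bot: the new feature text for item 35 never names the file in which DROPINVALID is set, although the same hunk is careful to name /etc/shorewall/init for both sysctl commands; a reader of "The new DROPINVALID option allows INVALID packets to be passed through the normal rules chains by setting DROPINVALID=No." has no way to tell where that assignment belongs. Suggest naming the configuration file in that sentence. It would also help to spell out the consequence of the non-default setting in the same paragraph: with DROPINVALID=No the early drop no longer applies, so packets that conntrack has classified as INVALID reach the rules chains and are accepted or rejected by whatever rules match them there, which is exactly why the preceding paragraphs offer ip_conntrack_tcp_be_liberal and ip_conntrack_log_invalid as ways to fix or diagnose the TCP-window misclassification first. Stating that trade-off next to the default ("DROPINVALID=Yes is assumed") makes the safer default easier to justify.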