From d58c3ac29efddb545eaac56603051931f40bdf50 Mon Sep 17 00:00:00 2001
From: teastep
Date: Sun, 9 Jun 2002 16:30:52 +0000
Subject: [PATCH] Include workaround for ICMP bug in firewall script.

git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@61 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
---
 Shorewall/common.def | 7 ++++++-
 Shorewall/firewall   | 2 +-
 2 files changed, 7 insertions(+), 2 deletions(-)

diff --git a/Shorewall/common.def b/Shorewall/common.def
index dd25169a0..e070a3101 100644
--- a/Shorewall/common.def
+++ b/Shorewall/common.def
@@ -14,8 +14,13 @@
 #
 run_iptables -A common -p icmp -j icmpdef
 ############################################################################
+# Drop invalid state TCP packets
+#
+run_iptables -A common -m state -p tcp --state INVALID -j DROP
+############################################################################
 # accept ACKs and RSTs that aren't related to any session so that the
-# protocol stack can handle them
+# protocol stack can handle them and so the ACKs can create connection
+# tracking entries.
 #
 run_iptables -A common -p tcp --tcp-flags ACK ACK -j ACCEPT
 run_iptables -A common -p tcp --tcp-flags RST RST -j ACCEPT
diff --git a/Shorewall/firewall b/Shorewall/firewall
index af89570a6..fd8aa790f 100755
--- a/Shorewall/firewall
+++ b/Shorewall/firewall
@@ -2707,7 +2707,7 @@ add_common_rules() {
 ############################################################################
 # Enable icmp output
 #
- run_iptables -A OUTPUT -p icmp -j ACCEPT
+ run_iptables -A OUTPUT -m state --state ! INVALID -p icmp -j ACCEPT
 
 for f in /proc/sys/net/ipv4/conf/*/rp_filter; do
 echo 0 > $f
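Review bot: The new `run_iptables -A common -m state -p tcp --state INVALID -j DROP` in common.def is order-dependent but nothing records that: it only works because it sits ahead of the two `--tcp-flags ACK ACK` and `--tcp-flags RST RST` ACCEPT rules further down, which would otherwise admit the same INVALID segments to seed conntrack entries. I would extend the added header comment to `# Drop invalid state TCP packets (must precede the ACK/RST ACCEPT rules below)` so a later reordering does not silently defeat it. The drop is also silent, so an operator debugging conntrack-related stalls gets no trace of it; if the project has a logging convention for the common chain, a LOG rule ahead of this DROP would be worth considering, though I cannot tell from this hunk whether such a convention exists.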
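Review bot: The rewritten `run_iptables -A OUTPUT -m state --state ! INVALID -p icmp -j ACCEPT` in the firewall script carries the ICMP workaround the commit subject refers to, yet the comment above it still reads only `# Enable icmp output`, so the reason INVALID-state ICMP is now excluded from the OUTPUT accept is lost to the next reader. I would change it to `# Enable icmp output, except packets conntrack marks INVALID (workaround for the ICMP bug noted in the commit message)`. Note also that `--state ! INVALID` is the intrapositioned negation form; later iptables releases expect `! --state INVALID` and warn on or reject the trailing form, so if the supported iptables range varies this deserves a comment or a version check. add_common_rules begins before this hunk and continues after it.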