extern/shorewall_code
1
0
Fork 1
mirror of https://gitlab.com/shorewall/code.git synced 2025-06-19 08:07:13 +02:00
Code Issues Packages Projects Releases Wiki Activity

Backport 'dropInvalid' from 2.1

Browse Source 
git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@1476 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
This commit is contained in:
teastep 2004-07-14 20:08:12 +00:00
parent 4f69a5eddb
commit d9bb6a55e8
6 changed files with 21 additions and 3 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

1
STABLE2/action.Drop
View File

@ -8,6 +8,7 @@
# PORT PORT(S) LIMIT GROUP # PORT PORT(S) LIMIT GROUP
RejectAuth RejectAuth
dropBcast dropBcast
dropInvalid
DropSMB DropSMB
DropUPnP DropUPnP
dropNotSyn dropNotSyn

1
STABLE2/action.Reject
View File

@ -8,6 +8,7 @@
# PORT PORT(S) LIMIT GROUP # PORT PORT(S) LIMIT GROUP
RejectAuth RejectAuth
dropBcast dropBcast
dropInvalid
RejectSMB RejectSMB
DropUPnP DropUPnP
dropNotSyn dropNotSyn

2
STABLE2/actions.std
View File

@ -10,6 +10,8 @@
# logNonSyn #Log Non-syn TCP packets with disposition LOG # logNonSyn #Log Non-syn TCP packets with disposition LOG
# dLogNonSyn #Log Non-syn TCP packets with disposition DROP # dLogNonSyn #Log Non-syn TCP packets with disposition DROP
# rLogNonSyn #Log Non-syn TCP packets with disposition REJECT # rLogNonSyn #Log Non-syn TCP packets with disposition REJECT
# dropInvalid #Silently Drop packets that are in the INVALID
# #conntrack state.
# #
# The NonSyn logging builtins log at the level specified by LOGNEWNOTSYN in # The NonSyn logging builtins log at the level specified by LOGNEWNOTSYN in
# shorewall.conf. If that option isn't specified then 'info' is used. # shorewall.conf. If that option isn't specified then 'info' is used.

2
STABLE2/changelog.txt
View File

@ -29,5 +29,5 @@ Change in 2.0.6
3) Don't give shorewall.conf and zones execute permission. 3) Don't give shorewall.conf and zones execute permission.
4) Backport 'dropInvalid' from 2.1

5
STABLE2/firewall
View File

@ -2790,7 +2790,7 @@ createactionchain() # $1 = chain name
process_actions1() { process_actions1() {
ACTIONS="dropBcast dropNonSyn dropNotSyn rejNotSyn logNotSyn rLogNotSyn dLogNotSyn" ACTIONS="dropBcast dropNonSyn dropNotSyn rejNotSyn logNotSyn rLogNotSyn dLogNotSyn dropInvalid"
USEDACTIONS= USEDACTIONS=
strip_file actions strip_file actions
@ -2973,6 +2973,9 @@ process_actions2() {
dLogNotSyn) dLogNotSyn)
log_action dLogNotSyn DROP log_action dLogNotSyn DROP
;; ;;
dropInvalid)
[ "$COMMAND" != check ] && run_iptables -A dropInvalid -m state --state INVALID -j DROP
;;
*) *)
f=action.$xaction f=action.$xaction
fn=$(find_file $f) fn=$(find_file $f)

13
STABLE2/releasenotes.txt
View File

@ -23,9 +23,20 @@ Problems Corrected in version 2.0.6
Netfilter failing to match certain broadcast packets. The result Netfilter failing to match certain broadcast packets. The result
is that the firewall log shows a lot of broadcast packets. is that the firewall log shows a lot of broadcast packets.
Users experiencing this problem can use PKTTYPE=No in Other users have complained of the following message when
starting Shorewall:
modprobe: cant locate module ipt_pkttype
Users experiencing either of these problems can use PKTTYPE=No in
shorewall.conf to cause Shorewall to use IP address filtering of shorewall.conf to cause Shorewall to use IP address filtering of
broadcasts rather than packet type. broadcasts rather than packet type.
2) The shorewall.conf and zones file are no longer given execute 2) The shorewall.conf and zones file are no longer given execute
permission by the installer script. permission by the installer script.
3) ICMP packets that are in the INVALID state are now dropped by the
Reject and Drop default actions. They do so using the new
'dropInvalid' builtin action.