diff --git a/Shorewall/changelog.txt b/Shorewall/changelog.txt index 0a9194287..144576629 100755 --- a/Shorewall/changelog.txt +++ b/Shorewall/changelog.txt @@ -9,3 +9,6 @@ Changes since 1.4.8 4) Move ip_forward handling to a function. 5) Change 'norfc1918' logging to log out of chains named 'rfc1918'. + +5) Reword the description of NEWNOTSYN in shorewall.conf. + diff --git a/Shorewall/releasenotes.txt b/Shorewall/releasenotes.txt index 180c171e5..6f774e8a1 100755 --- a/Shorewall/releasenotes.txt +++ b/Shorewall/releasenotes.txt @@ -7,6 +7,9 @@ Problems Corrected since version 1.4.8: instances of "Static NAT" have been replaced with "One-to-one NAT" in the documentation and configuration files. +2) The description of NEWNOTSYN in shorewall.conf has been reworded for + clarity. + Migration Issues: None. diff --git a/Shorewall/shorewall.conf b/Shorewall/shorewall.conf index 548914232..c0261c645 100755 --- a/Shorewall/shorewall.conf +++ b/Shorewall/shorewall.conf 
@@ -417,13 +417,30 @@ MUTEX_TIMEOUT=60 # # NEWNOTSYN # -# If this variable is set to "No" or "no", then when a TCP packet that does -# not have the SYN flag set and the ACK and RST flags clear then unless the -# packet is part of an established connection, it will be dropped by the -# firewall +# TCP connections are established using the familiar three-way "handshake": # -# If this variable is set to "Yes" or "yes" then such packets will not be -# dropped but will pass through the normal rule processing. +# CLIENT SERVER +# +# SYN--------------------> +# <------------------SYN,ACK +# ACK--------------------> +# +# The first packet in that exchange (packet with the SYN flag on and the ACK +# and RST flags off) is referred to in Netfilter terminology as a "syn" packet. +# A packet is said to be NEW if it is not part of or related to an already +# established connection. +# +# The NETNOTSYN option determines the handling of non-SYN packets (those with +# SYN off or with ACK or RST on) that are not associated with an already +# established connection. +# +# If NEWNOTSYN is set to "No" or "no", then non-SYN packets that are not +# part of an already established connection, it will be dropped by the +# firewall. The setting of LOGNEWNOTSYN above determines if these packets are +# logged before they are dropped. +# +# If NEWNOTSYN is set to "Yes" or "yes" then such packets will not be +# dropped but will pass through the normal rule/policy processing. # # Users with a High-availability setup with two firewall's and one acting # as a backup should set NEWNOTSYN=Yes. Users with asymmetric routing may
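Review bot: duplicate list number in the changelog hunk: the new entry "5) Reword the description of NEWNOTSYN in shorewall.conf." is added directly after the existing "5) Change 'norfc1918' logging to log out of chains named 'rfc1918'.", so it should be "6) Reword the description of NEWNOTSYN in shorewall.conf." to keep the list sequential. The two added blank lines around the new entry also break the single-spaced list style used by the preceding items; drop them.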
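Review bot: typo in the reworded shorewall.conf comment: "The NETNOTSYN option determines the handling of non-SYN packets" should read "The NEWNOTSYN option determines the handling of non-SYN packets", since NEWNOTSYN is the variable being documented and the name an administrator will search the file for. The following paragraph also has a dangling subject: "then non-SYN packets that are not part of an already established connection, it will be dropped by the firewall." should be "then non-SYN packets that are not part of an already established connection will be dropped by the firewall." Finally, the new text refers to "The setting of LOGNEWNOTSYN above"; please confirm that option is documented earlier in the same file so the cross-reference resolves for readers of shorewall.conf.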