Reword description of NEWNOTSYN

git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@793 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
teastep 2003-11-28 17:39:53 +00:00
parent 9fde389c31
commit f9c596a465
3 changed files with 29 additions and 6 deletions

View File

@ -9,3 +9,6 @@ Changes since 1.4.8
4) Move ip_forward handling to a function. 4) Move ip_forward handling to a function.
5) Change 'norfc1918' logging to log out of chains named 'rfc1918'. 5) Change 'norfc1918' logging to log out of chains named 'rfc1918'.
5) Reword the description of NEWNOTSYN in shorewall.conf.
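Review bot: the new changelog entry at the end of this hunk reuses number 5), which the preceding context line already uses for the 'norfc1918' logging change; renumber it to `6) Reword the description of NEWNOTSYN in shorewall.conf.` so the list stays sequential.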

View File

@ -7,6 +7,9 @@ Problems Corrected since version 1.4.8:
instances of "Static NAT" have been replaced with "One-to-one NAT" instances of "Static NAT" have been replaced with "One-to-one NAT"
in the documentation and configuration files. in the documentation and configuration files.
2) The description of NEWNOTSYN in shorewall.conf has been reworded for
clarity.
Migration Issues: Migration Issues:
None. None.
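Review bot: style point on the new item 2): the neighbouring entry (the "Static NAT" to "One-to-one NAT" rename) says what actually changed, while "reworded for clarity" does not tell a reader what to look for. Since the shorewall.conf hunk in this same commit adds definitions of a "syn" packet and of NEW, consider `2) The description of NEWNOTSYN in shorewall.conf has been reworded to define "syn" packets and NEW explicitly.`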

View File

@ -417,13 +417,30 @@ MUTEX_TIMEOUT=60
# #
# NEWNOTSYN # NEWNOTSYN
# #
# If this variable is set to "No" or "no", then when a TCP packet that does # TCP connections are established using the familiar three-way "handshake":
# not have the SYN flag set and the ACK and RST flags clear then unless the
# packet is part of an established connection, it will be dropped by the
# firewall
# #
# If this variable is set to "Yes" or "yes" then such packets will not be # CLIENT SERVER
# dropped but will pass through the normal rule processing. #
# SYN-------------------->
# <------------------SYN,ACK
# ACK-------------------->
#
# The first packet in that exchange (packet with the SYN flag on and the ACK
# and RST flags off) is referred to in Netfilter terminology as a "syn" packet.
# A packet is said to be NEW if it is not part of or related to an already
# established connection.
#
# The NETNOTSYN option determines the handling of non-SYN packets (those with
# SYN off or with ACK or RST on) that are not associated with an already
# established connection.
#
# If NEWNOTSYN is set to "No" or "no", then non-SYN packets that are not
# part of an already established connection, it will be dropped by the
# firewall. The setting of LOGNEWNOTSYN above determines if these packets are
# logged before they are dropped.
#
# If NEWNOTSYN is set to "Yes" or "yes" then such packets will not be
# dropped but will pass through the normal rule/policy processing.
# #
# Users with a High-availability setup with two firewall's and one acting # Users with a High-availability setup with two firewall's and one acting
# as a backup should set NEWNOTSYN=Yes. Users with asymmetric routing may # as a backup should set NEWNOTSYN=Yes. Users with asymmetric routing may
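Review bot: two defects in the added comment text. The line `# The NETNOTSYN option determines the handling of non-SYN packets (those with` misspells the option name; it should read NEWNOTSYN, matching the heading and the lines that follow. The "No" case also keeps a fragment of the old sentence: `# part of an already established connection, it will be dropped by the` should become `# part of an already established connection are dropped by the` so the sentence parses. Otherwise the reword is an improvement: defining "syn" and NEW first makes it explicit that NEWNOTSYN=No is the setting that drops non-SYN packets for which no established connection exists, and that NEWNOTSYN=Yes hands those packets to normal rule/policy processing (the high-availability and asymmetric-routing cases in the unchanged context lines), so a reader sees the trade-off before changing it.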