Implemented 'newnotsyn' interface option
git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@596 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
This commit is contained in:
parent
170c3df6c4
commit
027e5fcd0f
@ -1,3 +1,5 @@
|
|||||||
Changes since 1.4.5
|
Changes since 1.4.5
|
||||||
|
|
||||||
1) Worked around RH7.3 "service" anomaly.
|
1) Worked around RH7.3 "service" anomaly.
|
||||||
|
|
||||||
|
2) Implemented 'newnotsyn' interface option.
|
||||||
|
@ -607,7 +607,7 @@ validate_interfaces_file() {
|
|||||||
|
|
||||||
for option in $options; do
|
for option in $options; do
|
||||||
case $option in
|
case $option in
|
||||||
dhcp|norfc1918|tcpflags)
|
dhcp|norfc1918|tcpflags|newnotsyn)
|
||||||
;;
|
;;
|
||||||
routefilter|dropunclean|logunclean|blacklist|proxyarp|maclist|-)
|
routefilter|dropunclean|logunclean|blacklist|proxyarp|maclist|-)
|
||||||
;;
|
;;
|
||||||
@ -3306,7 +3306,13 @@ initialize_netfilter () {
|
|||||||
|
|
||||||
if [ -z "$NEWNOTSYN" ]; then
|
if [ -z "$NEWNOTSYN" ]; then
|
||||||
createchain newnotsyn no
|
createchain newnotsyn no
|
||||||
|
|
||||||
|
for interface in `find_interfaces_by_option newnotsyn`; do
|
||||||
|
run_iptables -A newnotsyn -i $interface -j RETURN
|
||||||
|
done
|
||||||
|
|
||||||
run_user_exit newnotsyn
|
run_user_exit newnotsyn
|
||||||
|
|
||||||
if [ -n "$LOGNEWNOTSYN" ]; then
|
if [ -n "$LOGNEWNOTSYN" ]; then
|
||||||
log_rule $LOGNEWNOTSYN newnotsyn DROP
|
log_rule $LOGNEWNOTSYN newnotsyn DROP
|
||||||
fi
|
fi
|
||||||
|
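Review bot: The exemption rules added with `run_iptables -A newnotsyn -i $interface -j RETURN` are appended before `run_user_exit newnotsyn` and before the `LOGNEWNOTSYN` logging rule, so non-SYN NEW packets arriving on an interface with the newnotsyn option leave the chain without being logged and without reaching the user exit. If that ordering is deliberate it deserves a comment above the loop, e.g. `# Interfaces with the 'newnotsyn' option are exempted here, ahead of the user exit and logging rules`. Note also that the loop sits inside `if [ -z "$NEWNOTSYN" ]`, so the option has no effect when NEWNOTSYN is set, which appears consistent with the documented intent but is worth stating in that comment. `$interface` is unquoted in the iptables call, matching the surrounding style but relying on interface names never containing whitespace. initialize_netfilter's body starts and ends outside this hunk.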
@ -89,6 +89,13 @@
|
|||||||
# sub-networking as described at:
|
# sub-networking as described at:
|
||||||
# http://www.tldp.org/HOWTO/mini/Proxy-ARP-Subnet
|
# http://www.tldp.org/HOWTO/mini/Proxy-ARP-Subnet
|
||||||
#
|
#
|
||||||
|
# newnotsyn - TCP packets that don't have the SYN
|
||||||
|
# flag set and which are not part of an
|
||||||
|
# established connection will be accepted
|
||||||
|
# from this interface, even if
|
||||||
|
# NEWNOTSYN=No has been specified in
|
||||||
|
# /etc/shorewall/shorewall.conf.
|
||||||
|
#
|
||||||
# The order in which you list the options is not
|
# The order in which you list the options is not
|
||||||
# significant but the list should have no embedded white
|
# significant but the list should have no embedded white
|
||||||
# space.
|
# space.
|
||||||
|
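Review bot: The new text states that such packets `will be accepted from this interface`, but if I read the accompanying firewall change correctly the only effect is a `-j RETURN` from the newnotsyn chain, after which the packets are still subject to the remaining rules and policies; `will not be dropped by the newnotsyn check for this interface` would describe the behaviour more precisely and avoid administrators reading it as an unconditional accept. It may also help to say here that the option has no effect unless NEWNOTSYN=No is in force, which the last sentence implies but does not state.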
@ -8,3 +8,6 @@ Problems Corrected:
|
|||||||
|
|
||||||
New Features:
|
New Features:
|
||||||
|
|
||||||
|
1) A 'newnotsyn' interface option has been added. This option may be
|
||||||
|
specified in /etc/shorewall/interfaces and overrides the setting
|
||||||
|
NEWNOTSYN=No for packets arriving on the associated interface.
|
||||||
|