diff --git a/Shorewall2/firewall b/Shorewall2/firewall
index e60a51520..98adc3403 100755
--- a/Shorewall2/firewall
+++ b/Shorewall2/firewall
@@ -3609,7 +3609,7 @@ process_actions3() {
 dropInvalid) if [ "$COMMAND" != check ]; then [ -n "$xlevel" ] && \
- log_rule_limit ${xlevel%\!} $xchain dropNotSyn $2 "" "$xtag" -A -m state --state INVALID
+ log_rule_limit ${xlevel%\!} $xchain dropInvalid $2 "" "$xtag" -A -m state --state INVALID
 run_iptables -A $xchain -m state --state INVALID -j DROP fi ;;
@@ -5622,12 +5622,13 @@ initialize_netfilter () {
 [ -f $accounting_file ] && setup_accounting $accounting_file #
- # Allow DNS lookups during startup for FQDNs and deep-six INVALID packets
+ # Allow DNS lookups during startup for FQDNs
 # for chain in INPUT OUTPUT FORWARD; do run_iptables -A $chain -p udp --dport 53 -j ACCEPT
- run_iptables -A $chain -p ! icmp -m state --state INVALID -j DROP
+ [ -n "$DROPINVALID" ] && \
+ run_iptables -A $chain -p ! icmp -m state --state INVALID -j DROP
 done
 if [ -n "$CLAMPMSS" ]; then
@@ -5785,7 +5786,7 @@ add_common_rules() {
 network=${host#*:} for chain in $(first_chains $interface); do
- run_iptables -A $chain -m state --state NEW $(match_source_hosts $network) $policy -j smurfs
+ run_iptables -A $chain -m state --state NEW,INVALID $(match_source_hosts $network) $policy -j smurfs
 done done fi
@@ -7066,6 +7067,7 @@ do_initialize() {
 DELAYBLACKLISTLOAD= LOGTAGONLY= LOGALLNEW=
+ DROPINVALID=
 RESTOREBASE= TMP_DIR=
@@ -7260,6 +7262,7 @@ do_initialize() {
 RETAIN_ALIASES=$(added_param_value_no RETAIN_ALIASES $RETAIN_ALIASES) DELAYBLACKLISTLOAD=$(added_param_value_no DELAYBLACKLISTLOAD $DELAYBLACKLISTLOAD) LOGTAGONLY=$(added_param_value_no LOGTAGONLY $LOGTAGONLY)
+ DROPINVALID=$(added_param_value_yes DROPINVALID $DROPINVALID)
 # # Strip the files that we use often #
diff --git a/Shorewall2/shorewall.conf b/Shorewall2/shorewall.conf
index f51ef8c6e..e0610ad90 100755
--- a/Shorewall2/shorewall.conf
+++ b/Shorewall2/shorewall.conf
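Review bot: In the initialize_netfilter hunk the comment above the loop no longer explains the DROP rule that follows it, which is now conditional on DROPINVALID, so the code carries no explanation of the opt-out; suggest a second comment line such as `# Drop non-ICMP INVALID packets early unless DROPINVALID=No; otherwise they continue into the rule chains`. That consequence is worth stating because packets in the INVALID state are not matched by the `-m state --state NEW` rules elsewhere in the script, so with DROPINVALID=No they reach the chain policy instead of the per-zone rules. Separately, `[ -n "$DROPINVALID" ] && \` followed by the run_iptables call is the last command in the loop body, so the loop's exit status is 1 whenever DROPINVALID is empty; harmless on its own, but it would trip an errexit setting if the script uses one, which cannot be told from this hunk. initialize_netfilter continues outside the hunk.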
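Review bot: In the add_common_rules hunk the smurfs jump now also matches INVALID packets, but nothing in the code records why, and a reader will take `NEW,INVALID` for a stray edit; suggest a comment above the loop such as `# INVALID is included so the smurf check also sees packets that skip the early INVALID drop when DROPINVALID=No`. Whether the early drop appended to INPUT/OUTPUT/FORWARD in initialize_netfilter precedes these `first_chains` rules cannot be told from this hunk, so the comment should be confirmed against the actual chain order before it is committed. add_common_rules continues outside the hunk.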
@@ -702,6 +702,41 @@ DYNAMIC_ZONES=No
 # or if given as empty (PKTTYPE="") then PKTTYPE=Yes is assumed.
 PKTTYPE=Yes
+
+#
+# DROP INVALID PACKETS
+#
+# Netfilter classifies packets relative to its connection tracking table into
+# four states:
+#
+# NEW - thes packet initiates a new connection
+# ESTABLISHED - thes packet is part of an established connection
+# RELATED - thes packet is related to an established connection; it may
+# establish a new connection
+# INVALID - the packet does not related to the table in any sensible way.
+#
+# Recent 2.6 kernels include code that evaluates TCP packets based on TCP
+# Window analysis. This can cause packets that were previously classified as
+# NEW or ESTABLISHED to be classified as INVALID.
+#
+# The new kernel code can be disabled by including this command in your
+# /etc/shorewall/init file:
+#
+# echo 1 > /proc/sys/net/ipv4/netfilter/ip_conntrack_tcp_be_liberal
+#
+# Additional kernel logging about INVALID TCP packets may be obtained by
+# adding this command to /etc/shorewall/init:
+#
+# echo 1 > /proc/sys/net/ipv4/netfilter/ip_conntrack_log_invalid
+#
+# Traditionally, Shorewall has dropped INVALID TCP packets early. The DROPINVALID
+# option allows INVALID packets to be passed through the normal rules chains by
+# setting DROPINVALID=No.
+#
+# If not specified or if specified as empty (e.g., DROPINVALID="") then
+# DROPINVALID=Yes is assumed.
+
+DROPINVALID=No
 ################################################################################ # P A C K E T D I S P O S I T I O N ################################################################################
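Review bot: The shipped value `DROPINVALID=No` contradicts the comment two lines above it, which says an unspecified or empty setting means DROPINVALID=Yes, and it switches off the early INVALID drop that the same comment calls Shorewall's traditional behaviour, so anyone who installs this shorewall.conf gets the more permissive setting by default; if the traditional behaviour is meant to stay the default, ship `DROPINVALID=Yes` (the `added_param_value_yes` call added to do_initialize in the firewall script already treats an empty value as Yes). The state list has typos: `thes packet` appears three times and should read `the packet`, and `does not related to` should read `is not related to`. The text also says INVALID TCP packets, while the rule guarded in initialize_netfilter is `-p ! icmp -m state --state INVALID`, i.e. every non-ICMP protocol, so `INVALID (non-ICMP) packets` would describe what the option actually controls.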