Add DROPINVALID Option

git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@1806 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
This commit is contained in:
teastep 2004-12-07 00:46:46 +00:00
parent e0b5a86257
commit 7aaabbd85c
2 changed files with 42 additions and 4 deletions

View File

@ -3609,7 +3609,7 @@ process_actions3() {
dropInvalid) dropInvalid)
if [ "$COMMAND" != check ]; then if [ "$COMMAND" != check ]; then
[ -n "$xlevel" ] && \ [ -n "$xlevel" ] && \
log_rule_limit ${xlevel%\!} $xchain dropNotSyn $2 "" "$xtag" -A -m state --state INVALID log_rule_limit ${xlevel%\!} $xchain dropInvalid $2 "" "$xtag" -A -m state --state INVALID
run_iptables -A $xchain -m state --state INVALID -j DROP run_iptables -A $xchain -m state --state INVALID -j DROP
fi fi
;; ;;
@ -5622,11 +5622,12 @@ initialize_netfilter () {
[ -f $accounting_file ] && setup_accounting $accounting_file [ -f $accounting_file ] && setup_accounting $accounting_file
# #
# Allow DNS lookups during startup for FQDNs and deep-six INVALID packets # Allow DNS lookups during startup for FQDNs
# #
for chain in INPUT OUTPUT FORWARD; do for chain in INPUT OUTPUT FORWARD; do
run_iptables -A $chain -p udp --dport 53 -j ACCEPT run_iptables -A $chain -p udp --dport 53 -j ACCEPT
[ -n "$DROPINVALID" ] && \
run_iptables -A $chain -p ! icmp -m state --state INVALID -j DROP run_iptables -A $chain -p ! icmp -m state --state INVALID -j DROP
done done
@ -5785,7 +5786,7 @@ add_common_rules() {
network=${host#*:} network=${host#*:}
for chain in $(first_chains $interface); do for chain in $(first_chains $interface); do
run_iptables -A $chain -m state --state NEW $(match_source_hosts $network) $policy -j smurfs run_iptables -A $chain -m state --state NEW,INVALID $(match_source_hosts $network) $policy -j smurfs
done done
done done
fi fi
@ -7066,6 +7067,7 @@ do_initialize() {
DELAYBLACKLISTLOAD= DELAYBLACKLISTLOAD=
LOGTAGONLY= LOGTAGONLY=
LOGALLNEW= LOGALLNEW=
DROPINVALID=
RESTOREBASE= RESTOREBASE=
TMP_DIR= TMP_DIR=
@ -7260,6 +7262,7 @@ do_initialize() {
RETAIN_ALIASES=$(added_param_value_no RETAIN_ALIASES $RETAIN_ALIASES) RETAIN_ALIASES=$(added_param_value_no RETAIN_ALIASES $RETAIN_ALIASES)
DELAYBLACKLISTLOAD=$(added_param_value_no DELAYBLACKLISTLOAD $DELAYBLACKLISTLOAD) DELAYBLACKLISTLOAD=$(added_param_value_no DELAYBLACKLISTLOAD $DELAYBLACKLISTLOAD)
LOGTAGONLY=$(added_param_value_no LOGTAGONLY $LOGTAGONLY) LOGTAGONLY=$(added_param_value_no LOGTAGONLY $LOGTAGONLY)
DROPINVALID=$(added_param_value_yes DROPINVALID $DROPINVALID)
# #
# Strip the files that we use often # Strip the files that we use often
# #

View File

@ -702,6 +702,41 @@ DYNAMIC_ZONES=No
# or if given as empty (PKTTYPE="") then PKTTYPE=Yes is assumed. # or if given as empty (PKTTYPE="") then PKTTYPE=Yes is assumed.
PKTTYPE=Yes PKTTYPE=Yes
#
# DROP INVALID PACKETS
#
# Netfilter classifies packets relative to its connection tracking table into
# four states:
#
# NEW - thes packet initiates a new connection
# ESTABLISHED - thes packet is part of an established connection
# RELATED - thes packet is related to an established connection; it may
# establish a new connection
# INVALID - the packet does not related to the table in any sensible way.
#
# Recent 2.6 kernels include code that evaluates TCP packets based on TCP
# Window analysis. This can cause packets that were previously classified as
# NEW or ESTABLISHED to be classified as INVALID.
#
# The new kernel code can be disabled by including this command in your
# /etc/shorewall/init file:
#
# echo 1 > /proc/sys/net/ipv4/netfilter/ip_conntrack_tcp_be_liberal
#
# Additional kernel logging about INVALID TCP packets may be obtained by
# adding this command to /etc/shorewall/init:
#
# echo 1 > /proc/sys/net/ipv4/netfilter/ip_conntrack_log_invalid
#
# Traditionally, Shorewall has dropped INVALID TCP packets early. The DROPINVALID
# option allows INVALID packets to be passed through the normal rules chains by
# setting DROPINVALID=No.
#
# If not specified or if specified as empty (e.g., DROPINVALID="") then
# DROPINVALID=Yes is assumed.
DROPINVALID=No
################################################################################ ################################################################################
# P A C K E T D I S P O S I T I O N # P A C K E T D I S P O S I T I O N
################################################################################ ################################################################################