Add DROPINVALID Option
git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@1806 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
parent
e0b5a86257
commit
7aaabbd85c
@ -3609,7 +3609,7 @@ process_actions3() {
|
|||||||
dropInvalid)
|
dropInvalid)
|
||||||
if [ "$COMMAND" != check ]; then
|
if [ "$COMMAND" != check ]; then
|
||||||
[ -n "$xlevel" ] && \
|
[ -n "$xlevel" ] && \
|
||||||
log_rule_limit ${xlevel%\!} $xchain dropNotSyn $2 "" "$xtag" -A -m state --state INVALID
|
log_rule_limit ${xlevel%\!} $xchain dropInvalid $2 "" "$xtag" -A -m state --state INVALID
|
||||||
run_iptables -A $xchain -m state --state INVALID -j DROP
|
run_iptables -A $xchain -m state --state INVALID -j DROP
|
||||||
fi
|
fi
|
||||||
;;
|
;;
|
||||||
@ -5622,12 +5622,13 @@ initialize_netfilter () {
|
|||||||
[ -f $accounting_file ] && setup_accounting $accounting_file
|
[ -f $accounting_file ] && setup_accounting $accounting_file
|
||||||
|
|
||||||
#
|
#
|
||||||
# Allow DNS lookups during startup for FQDNs and deep-six INVALID packets
|
# Allow DNS lookups during startup for FQDNs
|
||||||
#
|
#
|
||||||
|
|
||||||
for chain in INPUT OUTPUT FORWARD; do
|
for chain in INPUT OUTPUT FORWARD; do
|
||||||
run_iptables -A $chain -p udp --dport 53 -j ACCEPT
|
run_iptables -A $chain -p udp --dport 53 -j ACCEPT
|
||||||
run_iptables -A $chain -p ! icmp -m state --state INVALID -j DROP
|
[ -n "$DROPINVALID" ] && \
|
||||||
|
run_iptables -A $chain -p ! icmp -m state --state INVALID -j DROP
|
||||||
done
|
done
|
||||||
|
|
||||||
if [ -n "$CLAMPMSS" ]; then
|
if [ -n "$CLAMPMSS" ]; then
|
||||||
@ -5785,7 +5786,7 @@ add_common_rules() {
|
|||||||
network=${host#*:}
|
network=${host#*:}
|
||||||
|
|
||||||
for chain in $(first_chains $interface); do
|
for chain in $(first_chains $interface); do
|
||||||
run_iptables -A $chain -m state --state NEW $(match_source_hosts $network) $policy -j smurfs
|
run_iptables -A $chain -m state --state NEW,INVALID $(match_source_hosts $network) $policy -j smurfs
|
||||||
done
|
done
|
||||||
done
|
done
|
||||||
fi
|
fi
|
||||||
@ -7066,6 +7067,7 @@ do_initialize() {
|
|||||||
DELAYBLACKLISTLOAD=
|
DELAYBLACKLISTLOAD=
|
||||||
LOGTAGONLY=
|
LOGTAGONLY=
|
||||||
LOGALLNEW=
|
LOGALLNEW=
|
||||||
|
DROPINVALID=
|
||||||
|
|
||||||
RESTOREBASE=
|
RESTOREBASE=
|
||||||
TMP_DIR=
|
TMP_DIR=
|
||||||
@ -7260,6 +7262,7 @@ do_initialize() {
|
|||||||
RETAIN_ALIASES=$(added_param_value_no RETAIN_ALIASES $RETAIN_ALIASES)
|
RETAIN_ALIASES=$(added_param_value_no RETAIN_ALIASES $RETAIN_ALIASES)
|
||||||
DELAYBLACKLISTLOAD=$(added_param_value_no DELAYBLACKLISTLOAD $DELAYBLACKLISTLOAD)
|
DELAYBLACKLISTLOAD=$(added_param_value_no DELAYBLACKLISTLOAD $DELAYBLACKLISTLOAD)
|
||||||
LOGTAGONLY=$(added_param_value_no LOGTAGONLY $LOGTAGONLY)
|
LOGTAGONLY=$(added_param_value_no LOGTAGONLY $LOGTAGONLY)
|
||||||
|
DROPINVALID=$(added_param_value_yes DROPINVALID $DROPINVALID)
|
||||||
#
|
#
|
||||||
# Strip the files that we use often
|
# Strip the files that we use often
|
||||||
#
|
#
|
||||||
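Review bot: The comment above the startup loop in initialize_netfilter was trimmed to `# Allow DNS lookups during startup for FQDNs`, so the INVALID drop that still follows it in the loop body is now undocumented and its new conditionality is invisible to a reader of this function alone; suggest `# Allow DNS lookups during startup for FQDNs; drop non-ICMP INVALID packets unless DROPINVALID=No`. The guard `[ -n "$DROPINVALID" ] && \` only works because the later do_initialize hunk normalises the option with `added_param_value_yes`, which presumably leaves a non-empty value for Yes and an empty one for No — that dependency is worth a one-line comment next to the guard. When the guard is false the `&&` list ends each iteration with a non-zero status; nothing visible tests `$?` after `done`, so this looks harmless, but an `if`/`fi` block would make the intent plainer than a backslash continuation. initialize_netfilter starts and ends outside the hunk.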
|
@ -702,6 +702,41 @@ DYNAMIC_ZONES=No
|
|||||||
# or if given as empty (PKTTYPE="") then PKTTYPE=Yes is assumed.
|
# or if given as empty (PKTTYPE="") then PKTTYPE=Yes is assumed.
|
||||||
|
|
||||||
PKTTYPE=Yes
|
PKTTYPE=Yes
|
||||||
|
|
||||||
|
#
|
||||||
|
# DROP INVALID PACKETS
|
||||||
|
#
|
||||||
|
# Netfilter classifies packets relative to its connection tracking table into
|
||||||
|
# four states:
|
||||||
|
#
|
||||||
|
# NEW - thes packet initiates a new connection
|
||||||
|
# ESTABLISHED - thes packet is part of an established connection
|
||||||
|
# RELATED - thes packet is related to an established connection; it may
|
||||||
|
# establish a new connection
|
||||||
|
# INVALID - the packet does not related to the table in any sensible way.
|
||||||
|
#
|
||||||
|
# Recent 2.6 kernels include code that evaluates TCP packets based on TCP
|
||||||
|
# Window analysis. This can cause packets that were previously classified as
|
||||||
|
# NEW or ESTABLISHED to be classified as INVALID.
|
||||||
|
#
|
||||||
|
# The new kernel code can be disabled by including this command in your
|
||||||
|
# /etc/shorewall/init file:
|
||||||
|
#
|
||||||
|
# echo 1 > /proc/sys/net/ipv4/netfilter/ip_conntrack_tcp_be_liberal
|
||||||
|
#
|
||||||
|
# Additional kernel logging about INVALID TCP packets may be obtained by
|
||||||
|
# adding this command to /etc/shorewall/init:
|
||||||
|
#
|
||||||
|
# echo 1 > /proc/sys/net/ipv4/netfilter/ip_conntrack_log_invalid
|
||||||
|
#
|
||||||
|
# Traditionally, Shorewall has dropped INVALID TCP packets early. The DROPINVALID
|
||||||
|
# option allows INVALID packets to be passed through the normal rules chains by
|
||||||
|
# setting DROPINVALID=No.
|
||||||
|
#
|
||||||
|
# If not specified or if specified as empty (e.g., DROPINVALID="") then
|
||||||
|
# DROPINVALID=Yes is assumed.
|
||||||
|
|
||||||
|
DROPINVALID=No
|
||||||
################################################################################
|
################################################################################
|
||||||
# P A C K E T D I S P O S I T I O N
|
# P A C K E T D I S P O S I T I O N
|
||||||
################################################################################
|
################################################################################
|
||||||
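Review bot: The shipped sample sets `DROPINVALID=No` while the text immediately above it says that an unset or empty DROPINVALID means Yes and that Shorewall has traditionally dropped INVALID packets early, so a fresh install using this file silently loses the early drop; if the traditional behaviour is meant to stay the default the sample line should read `DROPINVALID=Yes` (or be left commented out), and if No is intended the surrounding paragraph should say so. The description also says "dropped INVALID TCP packets", but the rule this option gates in initialize_netfilter is `-p ! icmp -m state --state INVALID -j DROP`, i.e. every non-ICMP protocol, so `# Traditionally, Shorewall has dropped non-ICMP INVALID packets early.` would match the code. Three state descriptions read "thes packet" and should be "this packet", and `# INVALID - the packet does not related to the table` should be `# INVALID - the packet does not relate to the table`.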
|