forked from extern/shorewall_code
Add DROPINVALID Option
git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@1806 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
This commit is contained in:
parent
e0b5a86257
commit
7aaabbd85c
@ -3609,7 +3609,7 @@ process_actions3() {
|
||||
dropInvalid)
|
||||
if [ "$COMMAND" != check ]; then
|
||||
[ -n "$xlevel" ] && \
|
||||
log_rule_limit ${xlevel%\!} $xchain dropNotSyn $2 "" "$xtag" -A -m state --state INVALID
|
||||
log_rule_limit ${xlevel%\!} $xchain dropInvalid $2 "" "$xtag" -A -m state --state INVALID
|
||||
run_iptables -A $xchain -m state --state INVALID -j DROP
|
||||
fi
|
||||
;;
|
||||
@ -5622,11 +5622,12 @@ initialize_netfilter () {
|
||||
[ -f $accounting_file ] && setup_accounting $accounting_file
|
||||
|
||||
#
|
||||
# Allow DNS lookups during startup for FQDNs and deep-six INVALID packets
|
||||
# Allow DNS lookups during startup for FQDNs
|
||||
#
|
||||
|
||||
for chain in INPUT OUTPUT FORWARD; do
|
||||
run_iptables -A $chain -p udp --dport 53 -j ACCEPT
|
||||
[ -n "$DROPINVALID" ] && \
|
||||
run_iptables -A $chain -p ! icmp -m state --state INVALID -j DROP
|
||||
done
|
||||
|
||||
@ -5785,7 +5786,7 @@ add_common_rules() {
|
||||
network=${host#*:}
|
||||
|
||||
for chain in $(first_chains $interface); do
|
||||
run_iptables -A $chain -m state --state NEW $(match_source_hosts $network) $policy -j smurfs
|
||||
run_iptables -A $chain -m state --state NEW,INVALID $(match_source_hosts $network) $policy -j smurfs
|
||||
done
|
||||
done
|
||||
fi
|
||||
@ -7066,6 +7067,7 @@ do_initialize() {
|
||||
DELAYBLACKLISTLOAD=
|
||||
LOGTAGONLY=
|
||||
LOGALLNEW=
|
||||
DROPINVALID=
|
||||
|
||||
RESTOREBASE=
|
||||
TMP_DIR=
|
||||
@ -7260,6 +7262,7 @@ do_initialize() {
|
||||
RETAIN_ALIASES=$(added_param_value_no RETAIN_ALIASES $RETAIN_ALIASES)
|
||||
DELAYBLACKLISTLOAD=$(added_param_value_no DELAYBLACKLISTLOAD $DELAYBLACKLISTLOAD)
|
||||
LOGTAGONLY=$(added_param_value_no LOGTAGONLY $LOGTAGONLY)
|
||||
DROPINVALID=$(added_param_value_yes DROPINVALID $DROPINVALID)
|
||||
#
|
||||
# Strip the files that we use often
|
||||
#
|
||||
|
@ -702,6 +702,41 @@ DYNAMIC_ZONES=No
|
||||
# or if given as empty (PKTTYPE="") then PKTTYPE=Yes is assumed.
|
||||
|
||||
PKTTYPE=Yes
|
||||
|
||||
#
|
||||
# DROP INVALID PACKETS
|
||||
#
|
||||
# Netfilter classifies packets relative to its connection tracking table into
|
||||
# four states:
|
||||
#
|
||||
# NEW - thes packet initiates a new connection
|
||||
# ESTABLISHED - thes packet is part of an established connection
|
||||
# RELATED - thes packet is related to an established connection; it may
|
||||
# establish a new connection
|
||||
# INVALID - the packet does not related to the table in any sensible way.
|
||||
#
|
||||
# Recent 2.6 kernels include code that evaluates TCP packets based on TCP
|
||||
# Window analysis. This can cause packets that were previously classified as
|
||||
# NEW or ESTABLISHED to be classified as INVALID.
|
||||
#
|
||||
# The new kernel code can be disabled by including this command in your
|
||||
# /etc/shorewall/init file:
|
||||
#
|
||||
# echo 1 > /proc/sys/net/ipv4/netfilter/ip_conntrack_tcp_be_liberal
|
||||
#
|
||||
# Additional kernel logging about INVALID TCP packets may be obtained by
|
||||
# adding this command to /etc/shorewall/init:
|
||||
#
|
||||
# echo 1 > /proc/sys/net/ipv4/netfilter/ip_conntrack_log_invalid
|
||||
#
|
||||
# Traditionally, Shorewall has dropped INVALID TCP packets early. The DROPINVALID
|
||||
# option allows INVALID packets to be passed through the normal rules chains by
|
||||
# setting DROPINVALID=No.
|
||||
#
|
||||
# If not specified or if specified as empty (e.g., DROPINVALID="") then
|
||||
# DROPINVALID=Yes is assumed.
|
||||
|
||||
DROPINVALID=No
|
||||
################################################################################
|
||||
# P A C K E T D I S P O S I T I O N
|
||||
################################################################################
|
||||
|
Loading…
Reference in New Issue
Block a user