From 7fab125525d5e5a6cda983c2dc9fdeaedfb484cd Mon Sep 17 00:00:00 2001
From: teastep
Date: Mon, 10 Mar 2003 00:41:39 +0000
Subject: [PATCH] Drop INVALID state packets; rate limit NEWNOTSYN logging

git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@495 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
---
 Shorewall/changelog.txt | 2 ++
 Shorewall/common.def | 4 ----
 Shorewall/firewall | 17 ++++++++---------
 3 files changed, 10 insertions(+), 13 deletions(-)

diff --git a/Shorewall/changelog.txt b/Shorewall/changelog.txt
index 714ccd08a..f9a7c15f7 100755
--- a/Shorewall/changelog.txt
+++ b/Shorewall/changelog.txt
@@ -58,3 +58,5 @@ Changes since 1.3.14
 26. Remove unused function find_interface_broadcasts()
 
 27. Remove stale comments in the params file.
+
+28. Silently drop INVALID state packets
diff --git a/Shorewall/common.def b/Shorewall/common.def
index dfa0d3204..7cf8676d7 100644
--- a/Shorewall/common.def
+++ b/Shorewall/common.def
@@ -14,10 +14,6 @@
 #
 run_iptables -A common -p icmp -j icmpdef
 ############################################################################
-# Drop invalid state TCP packets
-#
-run_iptables -A common -m state -p tcp --state INVALID -j DROP
-############################################################################
 # NETBIOS chatter
 #
 run_iptables -A common -p udp --dport 137:139 -j REJECT
diff --git a/Shorewall/firewall b/Shorewall/firewall
index c88dbc7e3..31acd38c0 100755
--- a/Shorewall/firewall
+++ b/Shorewall/firewall
@@ -3167,15 +3167,14 @@ initialize_netfilter () {
 setcontinue INPUT
 setcontinue OUTPUT
 #
-# Allow DNS lookups during startup for FQDNs
+# Allow DNS lookups during startup for FQDNs and deep-six INVALID packets
 #
-run_iptables -A INPUT -p udp --dport 53 -j ACCEPT # I suppose that there
-# is an idiot somewhere
-# who needs this
 strip_file nat
-
-run_iptables -A OUTPUT -p udp --dport 53 -j ACCEPT
-run_iptables -A FORWARD -p udp --dport 53 -j ACCEPT
+for chain in INPUT OUTPUT FORWARD; do
+run_iptables -A $chain -p udp --dport 53 -j ACCEPT
+run_iptables -A $chain -m state --state INVALID -j DROP
+done
+
 [ -n "$CLAMPMSS" ] && \
 run_iptables -A FORWARD -p tcp \
 --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
@@ -3186,10 +3185,10 @@ initialize_netfilter () {
 run_user_exit newnotsyn
 if [ -n "$LOGNEWNOTSYN" ]; then
 if [ "$LOGNEWNOTSYN" = ULOG ]; then
-run_iptables -A newnotsyn -j ULOG
+run_iptables -A newnotsyn -j ULOG $LOGPARMS \
 --ulog-prefix "Shorewall:newnotsyn:DROP:"
 else
-run_iptables -A newnotsyn -j LOG \
+run_iptables -A newnotsyn -j LOG $LOGPARMS \
 --log-prefix "Shorewall:newnotsyn:DROP:" --log-level $LOGNEWNOTSYN
 fi
 fi
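Review bot: Inside the new `for chain in INPUT OUTPUT FORWARD` loop the unconditional `--dport 53 -j ACCEPT` is appended before the `--state INVALID -j DROP`, so an INVALID-state packet to UDP/53 is accepted rather than dropped in every one of the three chains; if INVALID packets are meant to be discarded regardless of port, swap the two `run_iptables` lines so the DROP comes first. The drop has no LOG/ULOG counterpart, so those packets leave no trace beyond the chain counters; that is presumably the "silently" of the changelog entry, but the comment should say so instead of "deep-six", e.g. `# Allow DNS lookups during startup for FQDNs and silently drop INVALID-state packets (not logged)`. Whether these startup rules are flushed later or stay in the base chains is not visible in this hunk. `initialize_netfilter` starts before and continues past it.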
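Review bot: `$LOGPARMS` is spliced unquoted into both the ULOG and LOG rules with nothing in this block saying what it is expected to hold or where it is set; the subject line suggests it carries the rate-limit options, but a reader here cannot tell that, nor that the missing quotes are deliberate so the value word-splits into separate iptables arguments. A comment above `if [ -n "$LOGNEWNOTSYN" ]; then` would cover it: `# $LOGPARMS: optional extra iptables options (presumably the log rate limit); left unquoted on purpose so it splits into separate arguments`. It is also worth stating that once such a limit is reached further newnotsyn drops are not logged at all, which is the intended trade-off against log flooding but matters when these logs are read during an incident. `initialize_netfilter` begins before and ends after this hunk.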