Drop INVALID state packets; rate limit NEWNOTSYN logging

git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@495 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
2003-03-10 00:41:39 +00:00 · 2003-03-10 00:41:39 +00:00 · 7fab125525
commit 7fab125525
parent 4b74dc43a3
3 changed files with 10 additions and 13 deletions
--- a/Shorewall/changelog.txt
+++ b/Shorewall/changelog.txt
@ -58,3 +58,5 @@ Changes since 1.3.14
 26. Remove unused function find_interface_broadcasts()

 27. Remove stale comments in the params file.
+
+28. Silently drop INVALID state packets
--- a/Shorewall/common.def
+++ b/Shorewall/common.def
@ -14,10 +14,6 @@
 #
 run_iptables -A common -p icmp -j icmpdef
 ############################################################################
-# Drop invalid state TCP packets
-#
-run_iptables -A common -m state -p tcp --state INVALID -j DROP
-############################################################################
 # NETBIOS chatter
 #
 run_iptables -A common -p udp --dport 137:139     -j REJECT
--- a/Shorewall/firewall
+++ b/Shorewall/firewall
@ -3167,14 +3167,13 @@ initialize_netfilter () {
    setcontinue INPUT
    setcontinue OUTPUT
    #
-    # Allow DNS lookups during startup for FQDNs
+    # Allow DNS lookups during startup for FQDNs and deep-six INVALID packets
    #
-    run_iptables -A INPUT   -p udp --dport 53 -j ACCEPT # I suppose that there
-                                                        # is an idiot somewhere
-                                                        # who needs this    strip_file nat

-    run_iptables -A OUTPUT  -p udp --dport 53 -j ACCEPT
-    run_iptables -A FORWARD -p udp --dport 53 -j ACCEPT
+    for chain in INPUT OUTPUT FORWARD; do
+	run_iptables -A $chain -p udp --dport 53 -j ACCEPT
+	run_iptables -A $chain -m state --state INVALID -j DROP
+    done
    
    [ -n "$CLAMPMSS" ] && \
 	run_iptables -A FORWARD -p tcp \
@ -3186,10 +3185,10 @@ initialize_netfilter () {
 	run_user_exit newnotsyn
 	if [ -n "$LOGNEWNOTSYN" ]; then
 	    if [ "$LOGNEWNOTSYN" = ULOG ]; then
-		run_iptables -A newnotsyn -j ULOG
+		run_iptables -A newnotsyn -j ULOG $LOGPARMS \
 		    --ulog-prefix "Shorewall:newnotsyn:DROP:"
 	    else
-		run_iptables -A newnotsyn -j LOG \
+		run_iptables -A newnotsyn -j LOG $LOGPARMS \
 		    --log-prefix "Shorewall:newnotsyn:DROP:" --log-level $LOGNEWNOTSYN
 	    fi
 	fi