From bb4652cdf762c7c092dad2c66b87e0af76516e74 Mon Sep 17 00:00:00 2001 From: teastep Date: Tue, 7 Dec 2004 16:31:48 +0000 Subject: [PATCH] Document DROPINVALID git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@1810 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb --- Shorewall2/changelog.txt | 2 ++ Shorewall2/releasenotes.txt | 21 +++++++++++++++++++++ 2 files changed, 23 insertions(+) diff --git a/Shorewall2/changelog.txt b/Shorewall2/changelog.txt index 8b787a315..5dc90c512 100644 --- a/Shorewall2/changelog.txt +++ b/Shorewall2/changelog.txt @@ -174,3 +174,5 @@ Changes since 2.0.3 85) Continue determining capabilities when fooX1234 already exists. 86) Corrected typo in interfaces file. + +97) Add DROPINVALID option. diff --git a/Shorewall2/releasenotes.txt b/Shorewall2/releasenotes.txt index eba745f4e..620326bdd 100755 --- a/Shorewall2/releasenotes.txt +++ b/Shorewall2/releasenotes.txt @@ -785,3 +785,24 @@ New Features: exceeded the specified rate was silently dropped. Now, if a log level is given in the entry (LEVEL column) then drops are logged at that level at a rate of 5/min with a burst of 5. + +35) Recent 2.6 kernels include code that evaluates TCP packets based on + TCP Window analysis. This can cause packets that were previously + classified as NEW or ESTABLISHED to be classified as INVALID. + + The new kernel code can be disabled by including this command in + your /etc/shorewall/init file: + + echo 1 > /proc/sys/net/ipv4/netfilter/ip_conntrack_tcp_be_liberal + + Additional kernel logging about INVALID TCP packets may be + obtained by adding this command to /etc/shorewall/init: + + echo 1 > /proc/sys/net/ipv4/netfilter/ip_conntrack_log_invalid + + Traditionally, Shorewall has dropped INVALID TCP packets early. The + new DROPINVALID option allows INVALID packets to be passed through + the normal rules chains by setting DROPINVALID=No. + + If not specified or if specified as empty (e.g., DROPINVALID="") + then DROPINVALID=Yes is assumed.
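Review bot: in the changelog hunk the new entry is numbered 97 directly after item 86, so the list skips 87 through 96; unless entries 87 to 96 exist elsewhere, renumber it `87) Add DROPINVALID option.` so the sequence under "Changes since 2.0.3" stays contiguous.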
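Review bot: release-notes item 35 says that DROPINVALID=No passes INVALID packets "through the normal rules chains" but never names the file the option is set in or what disposition those packets receive when no rule matches them; since setting it widens what reaches the rules, state the file and the resulting policy behaviour, and keep the explicit default ("If not specified ... DROPINVALID=Yes is assumed") next to that sentence. Because the text promises logging of INVALID TCP packets specifically, also confirm that writing 1 to ip_conntrack_log_invalid is the value that selects TCP logging rather than another protocol, and note that both /proc/sys settings are host-wide rather than scoped to Shorewall's chains.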