diff --git a/STABLE2/actions.std b/STABLE2/actions.std index 99515bd83..89f9ad504 100644 --- a/STABLE2/actions.std +++ b/STABLE2/actions.std @@ -9,9 +9,11 @@ # rejNonSyn #Silently Reject Non-syn TCP packets # logNonSyn #Log Non-syn TCP packets with disposition LOG # dLogNonSyn #Log Non-syn TCP packets with disposition DROP -# rLogNonSyn #Log Non-syn TCP packets with disposition REJECT +# rLogNonSyn #Log Non-syn TCP packets with disposition REJECT # dropInvalid #Silently Drop packets that are in the INVALID # #conntrack state. +# allowInvalid #Accept packets that are in the INVALID conntrack +# #state # # The NonSyn logging builtins log at the level specified by LOGNEWNOTSYN in # shorewall.conf. If that option isn't specified then 'info' is used. diff --git a/STABLE2/changelog.txt b/STABLE2/changelog.txt index 81c2f0fdb..a149cc9d3 100644 --- a/STABLE2/changelog.txt +++ b/STABLE2/changelog.txt @@ -115,3 +115,7 @@ Changes in 2.0.15 1) Increased port range for Traceroute. 2) Corrected port of rate-limit logging change. + +Changes in 2.0.16 + +1) Backport DROPINVALID from 2.2.0. diff --git a/STABLE2/firewall b/STABLE2/firewall index 2685ed83e..ae564c8f4 100755 --- a/STABLE2/firewall +++ b/STABLE2/firewall @@ -2807,7 +2807,7 @@ createactionchain() # $1 = chain name process_actions1() { - ACTIONS="dropBcast dropNonSyn dropNotSyn rejNotSyn logNotSyn rLogNotSyn dLogNotSyn dropInvalid" + ACTIONS="dropBcast dropNonSyn dropNotSyn rejNotSyn logNotSyn rLogNotSyn dLogNotSyn dropInvalid allowInvalid" USEDACTIONS= strip_file actions @@ -2952,6 +2952,9 @@ process_actions2() { dropInvalid) [ "$COMMAND" != check ] && run_iptables -A dropInvalid -m state --state INVALID -j DROP ;; + allowInvalid) + [ "$COMMAND" != check ] && run_iptables -A dropInvalid -m state --state INVALID -j ACCEPT + ;; *) f=action.$xaction fn=$(find_file $f) 
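Review bot: The new allowInvalid case in process_actions2 appends its rule to the wrong chain, `run_iptables -A dropInvalid -m state --state INVALID -j ACCEPT`, so the allowInvalid chain never receives a rule and the dropInvalid chain gains an ACCEPT it was not meant to carry; the line should read `run_iptables -A allowInvalid -m state --state INVALID -j ACCEPT`. If dropInvalid is not among the used actions its chain may not exist and the iptables call would fail; if it is, whichever of the DROP or ACCEPT rules is appended first decides what dropInvalid does with INVALID packets, which is presumably not intended. In either case a configuration that invokes allowInvalid gets an empty chain rather than the accept that actions.std now documents. process_actions2 continues outside the hunk.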
@@ -4831,7 +4834,8 @@ initialize_netfilter () { for chain in INPUT OUTPUT FORWARD; do run_iptables -A $chain -p udp --dport 53 -j ACCEPT - run_iptables -A $chain -p ! icmp -m state --state INVALID -j DROP + [ -n "$DROPINVALID" ] && \ + run_iptables -A $chain -p ! icmp -m state --state INVALID -j DROP done [ -n "$CLAMPMSS" ] && \ @@ -6061,6 +6065,7 @@ do_initialize() { BRIDGING= DYNAMIC_ZONES= PKTTYPE= + DROPINVALID= RESTOREBASE= TMP_DIR= @@ -6234,7 +6239,7 @@ do_initialize() { BRIDGING=$(added_param_value_no BRIDGING $BRIDGING) DYNAMIC_ZONES=$(added_param_value_no DYNAMIC_ZONES $DYNAMIC_ZONES) PKTTYPE=$(added_param_value_yes PKTTYPE $PKTTYPE) - + DROPINVALID=$(added_param_value_yes DROPINVALID $DROPINVALID) # # Strip the files that we use often # diff --git a/STABLE2/releasenotes.txt b/STABLE2/releasenotes.txt index 9c1e2b717..4642131c2 100644 --- a/STABLE2/releasenotes.txt +++ b/STABLE2/releasenotes.txt @@ -1,4 +1,4 @@ -Shorewall 2.0.15 +Shorewall 2.0.16 ---------------------------------------------------------------------- Problems Corrected in version 2.0.4 
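Review bot: The guard `[ -n "$DROPINVALID" ] && \` in initialize_netfilter is now the only point at which the early INVALID drop is applied, so with DROPINVALID=No every non-ICMP INVALID packet continues into the rules chains; a short comment above the loop, e.g. `# With DROPINVALID=No, INVALID (non-ICMP) packets reach the rules chains; apply the dropInvalid action there if they must still be discarded`, would make that trade-off visible to the next reader. Whether an unset or empty DROPINVALID really means Yes, as the release notes state, rests on added_param_value_yes in the @@ -6234 hunk, whose implementation is not shown here and is worth confirming. In that @@ -6234 hunk the new assignment replaces the blank line that separated the parameter block from the `# Strip the files` comment; keeping the blank line would match the surrounding layout. The for loop and initialize_netfilter both extend outside the hunk.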
@@ -276,3 +276,26 @@ Problems corrected in 2.0.15 Bad argument `DROP' Try `iptables -h' or 'iptables --help' for more information. +----------------------------------------------------------------------- +New Features in 2.0.16 + +1) Recent 2.6 kernels include code that evaluates TCP packets based on + TCP Window analysis. This can cause packets that were previously + classified as NEW or ESTABLISHED to be classified as INVALID. + + The new kernel code can be disabled by including this command in + your /etc/shorewall/init file: + + echo 1 > /proc/sys/net/ipv4/netfilter/ip_conntrack_tcp_be_liberal + + Additional kernel logging about INVALID TCP packets may be + obtained by adding this command to /etc/shorewall/init: + + echo 1 > /proc/sys/net/ipv4/netfilter/ip_conntrack_log_invalid + + Traditionally, Shorewall has dropped INVALID TCP packets early. The + new DROPINVALID option allows INVALID packets to be passed through + the normal rules chains by setting DROPINVALID=No. + + If not specified or if specified as empty (e.g., DROPINVALID="") + then DROPINVALID=Yes is assumed. diff --git a/STABLE2/shorewall.conf b/STABLE2/shorewall.conf index b5b6bcf4d..c5b4a0656 100644 --- a/STABLE2/shorewall.conf +++ b/STABLE2/shorewall.conf 
@@ -620,6 +620,41 @@ DYNAMIC_ZONES=No # (PKTTYPE="") then PKTTYPE=Yes is assumed. PKTTYPE=Yes + +# +# DROP INVALID PACKETS +# +# Netfilter classifies packets relative to its connection tracking table into +# four states: +# +# NEW - thes packet initiates a new connection +# ESTABLISHED - thes packet is part of an established connection +# RELATED - thes packet is related to an established connection; it may +# establish a new connection +# INVALID - the packet does not related to the table in any sensible way. +# +# Recent 2.6 kernels include code that evaluates TCP packets based on TCP +# Window analysis. This can cause packets that were previously classified as +# NEW or ESTABLISHED to be classified as INVALID. +# +# The new kernel code can be disabled by including this command in your +# /etc/shorewall/init file: +# +# echo 1 > /proc/sys/net/ipv4/netfilter/ip_conntrack_tcp_be_liberal +# +# Additional kernel logging about INVALID TCP packets may be obtained by +# adding this command to /etc/shorewall/init: +# +# echo 1 > /proc/sys/net/ipv4/netfilter/ip_conntrack_log_invalid +# +# Traditionally, Shorewall has dropped INVALID TCP packets early. The DROPINVALID +# option allows INVALID packets to be passed through the normal rules chains by +# setting DROPINVALID=No. +# +# If not specified or if specified as empty (e.g., DROPINVALID="") then +# DROPINVALID=Yes is assumed. + +DROPINVALID=No ################################################################################ # P A C K E T D I S P O S I T I O N ################################################################################
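Review bot: The shipped setting `DROPINVALID=No` at the end of the new block contradicts the comment directly above it ("If not specified ... then DROPINVALID=Yes is assumed") and the release notes' framing of the early drop as the traditional behaviour, so a fresh install using this file would pass INVALID packets into the rules chains while an upgraded configuration without the option would not; the sample value should be `DROPINVALID=Yes` unless a change of default is intended, in which case the release notes must say so. The state descriptions also carry typos: "thes packet" appears three times and should read "the packet", and "does not related to the table" should read "does not relate to the table". The hunk ends at the PACKET DISPOSITION banner, so nothing else in the section is affected.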