Shorewall 2.0.16

git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@1934 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
2005-02-01 23:53:23 +00:00 · 2005-02-01 23:53:23 +00:00 · f5aea0ea03
commit f5aea0ea03
parent 839964351c
8 changed files with 53 additions and 9 deletions
--- a/Lrp2/etc/shorewall/shorewall.conf
+++ b/Lrp2/etc/shorewall/shorewall.conf
@ -622,6 +622,41 @@ DYNAMIC_ZONES=No
 # (PKTTYPE="") then PKTTYPE=Yes is assumed.

 PKTTYPE=Yes
+
+#
+# DROP INVALID PACKETS
+#
+# Netfilter classifies packets relative to its connection tracking table into
+# four states:
+#
+#	NEW - thes packet initiates a new connection
+#	ESTABLISHED - thes packet is part of an established connection
+#	RELATED - thes packet is related to an established connection; it may
+#	          establish a new connection
+#	INVALID - the packet does not related to the table in any sensible way.
+#
+# Recent 2.6 kernels include code that evaluates TCP packets based on TCP 
+# Window analysis. This can cause packets that were previously classified as 
+# NEW or ESTABLISHED to be classified as INVALID.
+#
+# The new kernel code can be disabled by including this command in your
+# /etc/shorewall/init file:
+#
+# echo 1 > /proc/sys/net/ipv4/netfilter/ip_conntrack_tcp_be_liberal
+#
+# Additional kernel logging about INVALID TCP packets may be obtained by
+# adding this command to /etc/shorewall/init:
+#
+#  echo 1 > /proc/sys/net/ipv4/netfilter/ip_conntrack_log_invalid
+#
+# Traditionally, Shorewall has dropped INVALID TCP packets early. The DROPINVALID
+# option allows INVALID packets to be passed through the normal rules chains by
+# setting DROPINVALID=No.
+#
+# If not specified or if specified as empty (e.g., DROPINVALID="") then
+# DROPINVALID=Yes is assumed.
+
+DROPINVALID=No
 ################################################################################
 #                       P A C K E T   D I S P O S I T I O N
 ################################################################################
--- a/Lrp2/usr/share/shorewall/actions.std
+++ b/Lrp2/usr/share/shorewall/actions.std
@ -9,9 +9,11 @@
 #    rejNonSyn          #Silently Reject Non-syn TCP packets
 #    logNonSyn          #Log Non-syn TCP packets with disposition LOG
 #    dLogNonSyn         #Log Non-syn TCP packets with disposition DROP
-#    rLogNonSyn          #Log Non-syn TCP packets with disposition REJECT
+#    rLogNonSyn         #Log Non-syn TCP packets with disposition REJECT
 #    dropInvalid	#Silently Drop packets that are in the INVALID
 #                       #conntrack state.
+#    allowInvalid       #Accept packets that are in the INVALID conntrack
+#                       #state
 #
 # The NonSyn logging builtins log at the level specified by LOGNEWNOTSYN in
 # shorewall.conf. If that option isn't specified then 'info' is used.
--- a/Lrp2/usr/share/shorewall/firewall
+++ b/Lrp2/usr/share/shorewall/firewall
@ -2807,7 +2807,7 @@ createactionchain() # $1 = chain name

 process_actions1() {
 	
-    ACTIONS="dropBcast dropNonSyn dropNotSyn rejNotSyn logNotSyn rLogNotSyn dLogNotSyn dropInvalid"
+    ACTIONS="dropBcast dropNonSyn dropNotSyn rejNotSyn logNotSyn rLogNotSyn dLogNotSyn dropInvalid allowInvalid"
    USEDACTIONS=

    strip_file actions
@ -2952,6 +2952,9 @@ process_actions2() {
 	    dropInvalid)
 		[ "$COMMAND" != check ] && run_iptables -A dropInvalid -m state --state INVALID -j DROP
 		;;
+	    allowInvalid)
+		[ "$COMMAND" != check ] && run_iptables -A dropInvalid -m state --state INVALID -j ACCEPT
+		;;
 	    *)
 		f=action.$xaction
 		fn=$(find_file $f)
@ -4831,7 +4834,8 @@ initialize_netfilter () {

    for chain in INPUT OUTPUT FORWARD; do
 	run_iptables -A $chain -p udp --dport 53 -j ACCEPT
-	run_iptables -A $chain -p ! icmp -m state --state INVALID -j DROP
+	[ -n "$DROPINVALID" ] && \
+	    run_iptables -A $chain -p ! icmp -m state --state INVALID -j DROP
    done

    [ -n "$CLAMPMSS" ] && \
@ -6061,6 +6065,7 @@ do_initialize() {
    BRIDGING=
    DYNAMIC_ZONES=
    PKTTYPE=
+    DROPINVALID=
    RESTOREBASE=
    TMP_DIR=

@ -6234,7 +6239,7 @@ do_initialize() {
    BRIDGING=$(added_param_value_no BRIDGING $BRIDGING)
    DYNAMIC_ZONES=$(added_param_value_no DYNAMIC_ZONES $DYNAMIC_ZONES)
    PKTTYPE=$(added_param_value_yes PKTTYPE $PKTTYPE)
-
+    DROPINVALID=$(added_param_value_yes DROPINVALID $DROPINVALID)
    #
    # Strip the files that we use often
    #
--- a/Lrp2/usr/share/shorewall/version
+++ b/Lrp2/usr/share/shorewall/version
@ -1 +1 @@
-2.0.15
+2.0.16
--- a/STABLE2/fallback.sh
+++ b/STABLE2/fallback.sh
@ -28,7 +28,7 @@
 #       shown below. Simply run this script to revert to your prior version of
 #       Shoreline Firewall.

-VERSION=2.0.15
+VERSION=2.0.16

 usage() # $1 = exit status
 {
--- a/STABLE2/install.sh
+++ b/STABLE2/install.sh
@ -22,7 +22,7 @@
 #       Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA
 #

-VERSION=2.0.15
+VERSION=2.0.16

 usage() # $1 = exit status
 {
--- a/STABLE2/shorewall.spec
+++ b/STABLE2/shorewall.spec
@ -1,5 +1,5 @@
 %define name shorewall
-%define version 2.0.15
+%define version 2.0.16
 %define release 1
 %define prefix /usr

@ -141,6 +141,8 @@ fi
 %doc COPYING INSTALL changelog.txt releasenotes.txt tunnel

 %changelog
+* Tue Feb 01 2005 Tom Eastep tom@shorewall.net
+- Updated to 2.0.16-1
 * Wed Jan 12 2005 Tom Eastep tom@shorewall.net
 - Updated to 2.0.15-1
 * Mon Jan 03 2005 Tom Eastep tom@shorewall.net
--- a/STABLE2/uninstall.sh
+++ b/STABLE2/uninstall.sh
@ -26,7 +26,7 @@
 #       You may only use this script to uninstall the version
 #       shown below. Simply run this script to remove Seattle Firewall

-VERSION=2.0.15
+VERSION=2.0.16

 usage() # $1 = exit status
 {
 @ -1 +1 @@
 .0.15
 .0.16