diff --git a/Lrp2/etc/shorewall/shorewall.conf b/Lrp2/etc/shorewall/shorewall.conf
index 42a149412..c11134f14 100755
--- a/Lrp2/etc/shorewall/shorewall.conf
+++ b/Lrp2/etc/shorewall/shorewall.conf
@@ -622,6 +622,41 @@ DYNAMIC_ZONES=No
 # (PKTTYPE="") then PKTTYPE=Yes is assumed.
 PKTTYPE=Yes
+
+#
+# DROP INVALID PACKETS
+#
+# Netfilter classifies packets relative to its connection tracking table into
+# four states:
+#
+# NEW - thes packet initiates a new connection
+# ESTABLISHED - thes packet is part of an established connection
+# RELATED - thes packet is related to an established connection; it may
+# establish a new connection
+# INVALID - the packet does not related to the table in any sensible way.
+#
+# Recent 2.6 kernels include code that evaluates TCP packets based on TCP
+# Window analysis. This can cause packets that were previously classified as
+# NEW or ESTABLISHED to be classified as INVALID.
+#
+# The new kernel code can be disabled by including this command in your
+# /etc/shorewall/init file:
+#
+# echo 1 > /proc/sys/net/ipv4/netfilter/ip_conntrack_tcp_be_liberal
+#
+# Additional kernel logging about INVALID TCP packets may be obtained by
+# adding this command to /etc/shorewall/init:
+#
+# echo 1 > /proc/sys/net/ipv4/netfilter/ip_conntrack_log_invalid
+#
+# Traditionally, Shorewall has dropped INVALID TCP packets early. The DROPINVALID
+# option allows INVALID packets to be passed through the normal rules chains by
+# setting DROPINVALID=No.
+#
+# If not specified or if specified as empty (e.g., DROPINVALID="") then
+# DROPINVALID=Yes is assumed.
+
+DROPINVALID=No
 ################################################################################
 # P A C K E T D I S P O S I T I O N
 ################################################################################
diff --git a/Lrp2/usr/share/shorewall/actions.std b/Lrp2/usr/share/shorewall/actions.std
index 99515bd83..89f9ad504 100644
--- a/Lrp2/usr/share/shorewall/actions.std
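Review bot: The shipped value `DROPINVALID=No` at the end of the hunk switches off the early INVALID drop that the comment directly above it says is assumed when the option is unset or empty, so a fresh install silently gets the less strict behaviour unless the administrator edits the file. If No is deliberately shipped because of the 2.6 TCP window-tracking false positives the comment describes, say so next to the value, e.g. `# Shipped as No because of the TCP window tracking issue described above; set to Yes for the stricter, traditional behaviour.`; otherwise ship Yes and let people opt out. The new description also has typos that should go in the same commit: `thes packet` (three times) should be `the packet`, and `does not related to` should be `does not relate to`.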
+++ b/Lrp2/usr/share/shorewall/actions.std
@@ -9,9 +9,11 @@
 # rejNonSyn #Silently Reject Non-syn TCP packets
 # logNonSyn #Log Non-syn TCP packets with disposition LOG
 # dLogNonSyn #Log Non-syn TCP packets with disposition DROP
-# rLogNonSyn #Log Non-syn TCP packets with disposition REJECT
+# rLogNonSyn #Log Non-syn TCP packets with disposition REJECT
 # dropInvalid #Silently Drop packets that are in the INVALID
 # #conntrack state.
+# allowInvalid #Accept packets that are in the INVALID conntrack
+# #state
 #
 # The NonSyn logging builtins log at the level specified by LOGNEWNOTSYN in
 # shorewall.conf. If that option isn't specified then 'info' is used.
diff --git a/Lrp2/usr/share/shorewall/firewall b/Lrp2/usr/share/shorewall/firewall
index 2685ed83e..ae564c8f4 100755
--- a/Lrp2/usr/share/shorewall/firewall
+++ b/Lrp2/usr/share/shorewall/firewall
@@ -2807,7 +2807,7 @@ createactionchain() # $1 = chain name
 process_actions1() {
-ACTIONS="dropBcast dropNonSyn dropNotSyn rejNotSyn logNotSyn rLogNotSyn dLogNotSyn dropInvalid"
+ACTIONS="dropBcast dropNonSyn dropNotSyn rejNotSyn logNotSyn rLogNotSyn dLogNotSyn dropInvalid allowInvalid"
 USEDACTIONS=
 strip_file actions
@@ -2952,6 +2952,9 @@ process_actions2() {
 dropInvalid)
 [ "$COMMAND" != check ] && run_iptables -A dropInvalid -m state --state INVALID -j DROP
 ;;
+allowInvalid)
+[ "$COMMAND" != check ] && run_iptables -A dropInvalid -m state --state INVALID -j ACCEPT
+;;
 *)
 f=action.$xaction
 fn=$(find_file $f)
@@ -4831,7 +4834,8 @@ initialize_netfilter () {
 for chain in INPUT OUTPUT FORWARD; do
 run_iptables -A $chain -p udp --dport 53 -j ACCEPT
-run_iptables -A $chain -p ! icmp -m state --state INVALID -j DROP
+[ -n "$DROPINVALID" ] && \
+run_iptables -A $chain -p ! icmp -m state --state INVALID -j DROP
 done
 [ -n "$CLAMPMSS" ] && \
@@ -6061,6 +6065,7 @@ do_initialize() {
 BRIDGING=
 DYNAMIC_ZONES=
 PKTTYPE=
+DROPINVALID=
 RESTOREBASE=
 TMP_DIR=
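Review bot: The new `allowInvalid)` case appends its ACCEPT rule to the `dropInvalid` chain rather than to `allowInvalid`, so the chain that carries the allowInvalid action is never populated while the ACCEPT lands in another action's chain, after that chain's unconditional DROP, where it can never match; if dropInvalid is not referenced anywhere, that chain presumably does not exist and the iptables call fails outright. The line should read `[ "$COMMAND" != check ] && run_iptables -A allowInvalid -m state --state INVALID -j ACCEPT`. The enclosing case statement in process_actions2 starts and ends outside the hunk.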
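Review bot: Gating the early `--state INVALID -j DROP` on `$DROPINVALID` means that with DROPINVALID=No an INVALID packet now reaches the zone rule chains, where any ACCEPT rule that is not itself state-qualified will pass it, so administrators who turn the option off need to be told to use `dropInvalid` in the rules for zones that must stay strict. A comment above the test would make the trade-off visible at the point it is made, e.g. `# With DROPINVALID=No, INVALID packets fall through to the rules chains and match any non-state-qualified ACCEPT`. Worth adding to the shorewall.conf text as well is that packets conntrack classifies as INVALID are, as far as I know, not NATed, so forwarding them out of a masqueraded network can leak internal addresses. The `-p ! icmp` exemption is unchanged, so ICMP was never covered by this drop; initialize_netfilter starts and ends outside the hunk.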
@@ -6234,7 +6239,7 @@ do_initialize() {
 BRIDGING=$(added_param_value_no BRIDGING $BRIDGING)
 DYNAMIC_ZONES=$(added_param_value_no DYNAMIC_ZONES $DYNAMIC_ZONES)
 PKTTYPE=$(added_param_value_yes PKTTYPE $PKTTYPE)
-
+DROPINVALID=$(added_param_value_yes DROPINVALID $DROPINVALID)
 #
 # Strip the files that we use often
 #
diff --git a/Lrp2/usr/share/shorewall/version b/Lrp2/usr/share/shorewall/version
index b8061b50d..a14da2902 100644
--- a/Lrp2/usr/share/shorewall/version
+++ b/Lrp2/usr/share/shorewall/version
@@ -1 +1 @@
-2.0.15
+2.0.16
diff --git a/STABLE2/fallback.sh b/STABLE2/fallback.sh
index f1c46352c..8fe84b6b6 100755
--- a/STABLE2/fallback.sh
+++ b/STABLE2/fallback.sh
@@ -28,7 +28,7 @@
 # shown below. Simply run this script to revert to your prior version of
 # Shoreline Firewall.
-VERSION=2.0.15
+VERSION=2.0.16
 usage() # $1 = exit status
 {
diff --git a/STABLE2/install.sh b/STABLE2/install.sh
index 30e0cf524..eab116a69 100755
--- a/STABLE2/install.sh
+++ b/STABLE2/install.sh
@@ -22,7 +22,7 @@
 # Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA
 #
-VERSION=2.0.15
+VERSION=2.0.16
 usage() # $1 = exit status
 {
diff --git a/STABLE2/shorewall.spec b/STABLE2/shorewall.spec
index 35e86f744..4babd73e2 100644
--- a/STABLE2/shorewall.spec
+++ b/STABLE2/shorewall.spec
@@ -1,5 +1,5 @@
 %define name shorewall
-%define version 2.0.15
+%define version 2.0.16
 %define release 1
 %define prefix /usr
@@ -141,6 +141,8 @@ fi
 %doc COPYING INSTALL changelog.txt releasenotes.txt tunnel
 %changelog
+* Tue Feb 01 2005 Tom Eastep tom@shorewall.net
+- Updated to 2.0.16-1
 * Wed Jan 12 2005 Tom Eastep tom@shorewall.net
 - Updated to 2.0.15-1
 * Mon Jan 03 2005 Tom Eastep tom@shorewall.net
diff --git a/STABLE2/uninstall.sh b/STABLE2/uninstall.sh
index 7c2cbe080..fa30c12fa 100755
--- a/STABLE2/uninstall.sh
+++ b/STABLE2/uninstall.sh
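Review bot: The hunk replaces the blank line that separated the parameter-normalisation assignments from the `# Strip the files that we use often` comment with the new `DROPINVALID=` line, so the comment block now abuts code where every other block in this function is set off by a blank line; add the assignment immediately after the PKTTYPE line and keep the separator. The `-n "$DROPINVALID"` test elsewhere in this commit relies on added_param_value_yes returning an empty string for No, which is presumably how PKTTYPE already behaves but is not visible here. do_initialize starts and ends outside the hunk.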
@@ -26,7 +26,7 @@
 # You may only use this script to uninstall the version
 # shown below. Simply run this script to remove Seattle Firewall
-VERSION=2.0.15
+VERSION=2.0.16
 usage() # $1 = exit status
 {