Shorewall 2.0.16

git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@1934 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
2005-02-01 23:53:23 +00:00 · 2005-02-01 23:53:23 +00:00 · f5aea0ea03
commit f5aea0ea03
parent 839964351c
8 changed files with 53 additions and 9 deletions
--- a/Lrp2/etc/shorewall/shorewall.conf
+++ b/Lrp2/etc/shorewall/shorewall.conf
@ -622,6 +622,41 @@ DYNAMIC_ZONES=No
 # (PKTTYPE="") then PKTTYPE=Yes is assumed.
 PKTTYPE=Yes
 #
 # DROP INVALID PACKETS
 #
 # Netfilter classifies packets relative to its connection tracking table into
 # four states:
 #
 #	NEW - thes packet initiates a new connection
 #	ESTABLISHED - thes packet is part of an established connection
 #	RELATED - thes packet is related to an established connection; it may
 #	          establish a new connection
 #	INVALID - the packet does not related to the table in any sensible way.
 #
 # Recent 2.6 kernels include code that evaluates TCP packets based on TCP 
 # Window analysis. This can cause packets that were previously classified as 
 # NEW or ESTABLISHED to be classified as INVALID.
 #
 # The new kernel code can be disabled by including this command in your
 # /etc/shorewall/init file:
 #
 # echo 1 > /proc/sys/net/ipv4/netfilter/ip_conntrack_tcp_be_liberal
 #
 # Additional kernel logging about INVALID TCP packets may be obtained by
 # adding this command to /etc/shorewall/init:
 #
 #  echo 1 > /proc/sys/net/ipv4/netfilter/ip_conntrack_log_invalid
 #
 # Traditionally, Shorewall has dropped INVALID TCP packets early. The DROPINVALID
 # option allows INVALID packets to be passed through the normal rules chains by
 # setting DROPINVALID=No.
 #
 # If not specified or if specified as empty (e.g., DROPINVALID="") then
 # DROPINVALID=Yes is assumed.
 DROPINVALID=No
 ################################################################################
 #                       P A C K E T   D I S P O S I T I O N
 ################################################################################
--- a/Lrp2/usr/share/shorewall/actions.std
+++ b/Lrp2/usr/share/shorewall/actions.std
@ -9,9 +9,11 @@
 #    rejNonSyn          #Silently Reject Non-syn TCP packets
 #    logNonSyn          #Log Non-syn TCP packets with disposition LOG
 #    dLogNonSyn         #Log Non-syn TCP packets with disposition DROP
-#    rLogNonSyn          #Log Non-syn TCP packets with disposition REJECT
+#    rLogNonSyn         #Log Non-syn TCP packets with disposition REJECT
 #    dropInvalid	#Silently Drop packets that are in the INVALID
 #                       #conntrack state.
 #    allowInvalid       #Accept packets that are in the INVALID conntrack
 #                       #state
 #
 # The NonSyn logging builtins log at the level specified by LOGNEWNOTSYN in
 # shorewall.conf. If that option isn't specified then 'info' is used.
--- a/Lrp2/usr/share/shorewall/firewall
+++ b/Lrp2/usr/share/shorewall/firewall
@ -2807,7 +2807,7 @@ createactionchain() # $1 = chain name
 process_actions1() {
-    ACTIONS="dropBcast dropNonSyn dropNotSyn rejNotSyn logNotSyn rLogNotSyn dLogNotSyn dropInvalid"
+    ACTIONS="dropBcast dropNonSyn dropNotSyn rejNotSyn logNotSyn rLogNotSyn dLogNotSyn dropInvalid allowInvalid"
    USEDACTIONS=
    strip_file actions
@ -2952,6 +2952,9 @@ process_actions2() {
 	    dropInvalid)
 		[ "$COMMAND" != check ] && run_iptables -A dropInvalid -m state --state INVALID -j DROP
 		;;
 	    allowInvalid)
 		[ "$COMMAND" != check ] && run_iptables -A dropInvalid -m state --state INVALID -j ACCEPT
 		;;
 	    *)
 		f=action.$xaction
 		fn=$(find_file $f)
@ -4831,7 +4834,8 @@ initialize_netfilter () {
    for chain in INPUT OUTPUT FORWARD; do
 	run_iptables -A $chain -p udp --dport 53 -j ACCEPT
-	run_iptables -A $chain -p ! icmp -m state --state INVALID -j DROP
+	[ -n "$DROPINVALID" ] && \
 	    run_iptables -A $chain -p ! icmp -m state --state INVALID -j DROP
    done
    [ -n "$CLAMPMSS" ] && \
@ -6061,6 +6065,7 @@ do_initialize() {
    BRIDGING=
    DYNAMIC_ZONES=
    PKTTYPE=
    DROPINVALID=
    RESTOREBASE=
    TMP_DIR=
@ -6234,7 +6239,7 @@ do_initialize() {
    BRIDGING=$(added_param_value_no BRIDGING $BRIDGING)
    DYNAMIC_ZONES=$(added_param_value_no DYNAMIC_ZONES $DYNAMIC_ZONES)
    PKTTYPE=$(added_param_value_yes PKTTYPE $PKTTYPE)
-
+    DROPINVALID=$(added_param_value_yes DROPINVALID $DROPINVALID)
    #
    # Strip the files that we use often
    #
--- a/Lrp2/usr/share/shorewall/version
+++ b/Lrp2/usr/share/shorewall/version
@ -1 +1 @@
-2.0.15
+2.0.16
--- a/STABLE2/fallback.sh
+++ b/STABLE2/fallback.sh
@ -28,7 +28,7 @@
 #       shown below. Simply run this script to revert to your prior version of
 #       Shoreline Firewall.
-VERSION=2.0.15
+VERSION=2.0.16
 usage() # $1 = exit status
 {
--- a/STABLE2/install.sh
+++ b/STABLE2/install.sh
@ -22,7 +22,7 @@
 #       Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA
 #
-VERSION=2.0.15
+VERSION=2.0.16
 usage() # $1 = exit status
 {
--- a/STABLE2/shorewall.spec
+++ b/STABLE2/shorewall.spec
@ -1,5 +1,5 @@
 %define name shorewall
-%define version 2.0.15
+%define version 2.0.16
 %define release 1
 %define prefix /usr
@ -141,6 +141,8 @@ fi
 %doc COPYING INSTALL changelog.txt releasenotes.txt tunnel
 %changelog
 * Tue Feb 01 2005 Tom Eastep tom@shorewall.net
 - Updated to 2.0.16-1
 * Wed Jan 12 2005 Tom Eastep tom@shorewall.net
 - Updated to 2.0.15-1
 * Mon Jan 03 2005 Tom Eastep tom@shorewall.net
--- a/STABLE2/uninstall.sh
+++ b/STABLE2/uninstall.sh
@ -26,7 +26,7 @@
 #       You may only use this script to uninstall the version
 #       shown below. Simply run this script to remove Seattle Firewall
-VERSION=2.0.15
+VERSION=2.0.16
 usage() # $1 = exit status
 {