From mboxrd@z Thu Jan 1 00:00:00 1970 From: Michael Tremer To: development@lists.ipfire.org Subject: [PATCH 2/6] firewall: Don't filter output INVALID packets Date: Thu, 18 Apr 2024 21:11:40 +0000 Message-ID: <20240418211144.3318938-2-michael.tremer@ipfire.org> In-Reply-To: <20240418211144.3318938-1-michael.tremer@ipfire.org> MIME-Version: 1.0 Content-Type: multipart/mixed; boundary="===============1109647118721716931==" List-Id: --===============1109647118721716931== Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: 7bit This should never cause any problems, but will cause that certain more complicated features like SYNPROXY won't work. Signed-off-by: Michael Tremer --- src/initscripts/system/firewall | 1 - 1 file changed, 1 deletion(-) diff --git a/src/initscripts/system/firewall b/src/initscripts/system/firewall index d14466ef0..054d58c01 100644 --- a/src/initscripts/system/firewall +++ b/src/initscripts/system/firewall @@ -156,7 +156,6 @@ iptables_init() { iptables -N CTOUTPUT iptables -A CTOUTPUT -m conntrack --ctstate ESTABLISHED -j ACCEPT - iptables -A CTOUTPUT -m conntrack --ctstate INVALID -j CTINVALID iptables -A CTOUTPUT -p icmp -m conntrack --ctstate RELATED -j ACCEPT # Restore any connection marks -- 2.39.2 --===============1109647118721716931==--
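Review bot: In the iptables_init() hunk, the removal of the "--ctstate INVALID -j CTINVALID" rule from CTOUTPUT leaves nothing in the script that records why the output path deliberately skips INVALID handling, so a later cleanup could easily re-add it. A one-line comment next to the remaining CTOUTPUT rules, naming SYNPROXY as the reason, would prevent that. The commit message is also ambiguous about what "This" refers to: as written it can be read as saying the removal breaks SYNPROXY, while the subject implies the removed rule was what broke it; stating explicitly that filtering INVALID on output is what prevents SYNPROXY from working would settle it. Finally, the rules of CTINVALID are not part of this hunk, so it is worth confirming in the series description that whatever that chain did with locally generated INVALID packets is no longer needed on output, and which later rule these packets now reach after falling through CTOUTPUT.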