Hi Peter,

I ack that this fixes the empty loglines but I have seen another problem with dropping all "invalid" packets. The ICMP reject messages, if something is not allowed, have --ctstate INVALID and should be processed.

Also, I miss a switch to disable the logging.

Arne

On 2022-02-17 21:16, Peter Müller wrote:
> Fixes: #12778 > > Signed-off-by: Peter Müller > --- > src/initscripts/system/firewall | 6 +++++- > 1 file changed, 5 insertions(+), 1 deletion(-) > > diff --git a/src/initscripts/system/firewall > b/src/initscripts/system/firewall > index fc355cd5d..2f4b4e30e 100644 > --- a/src/initscripts/system/firewall > +++ b/src/initscripts/system/firewall > @@ -119,9 +119,13 @@ iptables_init() { > iptables -A FORWARD -p tcp -j BADTCP > > # Connection tracking chains > + iptables -N CTINVALID > + iptables -A CTINVALID -m limit --limit 10/second -j LOG > --log-prefix "DROP_CTINVALID " > + iptables -A CTINVALID -j DROP -m comment --comment "DROP_CTINVALID" > + > iptables -N CONNTRACK > iptables -A CONNTRACK -m conntrack --ctstate ESTABLISHED -j ACCEPT > - iptables -A CONNTRACK -m conntrack --ctstate INVALID -j LOG_DROP > + iptables -A CONNTRACK -m conntrack --ctstate INVALID -j CTINVALID > iptables -A CONNTRACK -p icmp -m conntrack --ctstate RELATED -j > ACCEPT > > # Restore any connection marks
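
Review bot: The LOG rule added to the new CTINVALID chain is unconditional, so with this change INVALID packets cannot be dropped without also being logged (up to the 10/second limit). Consider guarding the `-j LOG --log-prefix "DROP_CTINVALID "` line with a check of a firewall setting, so that logging can be switched off while the DROP rule stays in place. Separately, CTINVALID ends in a DROP that matches every protocol, so the jump from CONNTRACK discards INVALID ICMP along with everything else. If such ICMP messages need to be processed, as the reply above argues, a `-p icmp` rule would have to come before the DROP in CTINVALID, and the commit message should say which behaviour is intended.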