From mboxrd@z Thu Jan 1 00:00:00 1970 From: Peter =?utf-8?q?M=C3=BCller?= To: development@lists.ipfire.org Subject: [PATCH 01/11] firewall: Log packets dropped due to conntrack INVALID state Date: Sat, 18 Dec 2021 14:47:25 +0100 Message-ID: In-Reply-To: <34588df1-b2b7-9dfc-1fa4-54a2476d1d7f@ipfire.org> MIME-Version: 1.0 Content-Type: multipart/mixed; boundary="===============3920594796210909018==" List-Id: --===============3920594796210909018== Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: 8bit In case of faulty connection tracking, this ensures such packets are logged, to make analysing network incidents less troublesome. Since NewNotSYN is handled before, where logging can be turned off for systems running on weak flash devices, the amount of log messages emitted here should be neglectible. Signed-off-by: Peter Müller --- src/initscripts/system/firewall | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/src/initscripts/system/firewall b/src/initscripts/system/firewall index 75ea8abdf..49c6b7bf9 100644 --- a/src/initscripts/system/firewall +++ b/src/initscripts/system/firewall @@ -110,7 +110,7 @@ iptables_init() { # Connection tracking chains iptables -N CONNTRACK iptables -A CONNTRACK -m conntrack --ctstate ESTABLISHED -j ACCEPT - iptables -A CONNTRACK -m conntrack --ctstate INVALID -j DROP + iptables -A CONNTRACK -m conntrack --ctstate INVALID -j LOG_DROP iptables -A CONNTRACK -p icmp -m conntrack --ctstate RELATED -j ACCEPT # Restore any connection marks @@ -136,7 +136,7 @@ iptables_init() { iptables -A INPUT -j P2PBLOCK iptables -A FORWARD -j P2PBLOCK iptables -A OUTPUT -j P2PBLOCK - + # IPS (Guardian) chains iptables -N GUARDIAN iptables -A INPUT -j GUARDIAN @@ -265,7 +265,7 @@ iptables_init() { iptables -A INPUT -j TOR_INPUT iptables -N TOR_OUTPUT iptables -A OUTPUT -j TOR_OUTPUT - + # Jump into the actual firewall ruleset. iptables -N INPUTFW iptables -A INPUT -j INPUTFW -- 2.26.2 --===============3920594796210909018==--