Fixes: #12778
Signed-off-by: Peter Müller peter.mueller@ipfire.org
---
src/initscripts/system/firewall | 6 +++++-
1 file changed, 5 insertions(+), 1 deletion(-)
diff --git a/src/initscripts/system/firewall b/src/initscripts/system/firewall index fc355cd5d..2f4b4e30e 100644 --- a/src/initscripts/system/firewall +++ b/src/initscripts/system/firewall @@ -119,9 +119,13 @@ iptables_init() { iptables -A FORWARD -p tcp -j BADTCP
# Connection tracking chains + iptables -N CTINVALID + iptables -A CTINVALID -m limit --limit 10/second -j LOG --log-prefix "DROP_CTINVALID " + iptables -A CTINVALID -j DROP -m comment --comment "DROP_CTINVALID" + iptables -N CONNTRACK iptables -A CONNTRACK -m conntrack --ctstate ESTABLISHED -j ACCEPT - iptables -A CONNTRACK -m conntrack --ctstate INVALID -j LOG_DROP + iptables -A CONNTRACK -m conntrack --ctstate INVALID -j CTINVALID iptables -A CONNTRACK -p icmp -m conntrack --ctstate RELATED -j ACCEPT
# Restore any connection marks
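Review bot: the commit message carries only the bug reference and should say what the hunk changes, namely that the shared LOG_DROP target is replaced by a dedicated CTINVALID chain that logs at most 10/second with the "DROP_CTINVALID " prefix and then drops; the INVALID rule keeps its position ahead of the RELATED ICMP accept, so the set of packets reaching the new chain is the same as before and the only visible change is the log line. Two smaller points on the new chain: `--limit 10/second` relies on the implicit default burst, so adding an explicit `--limit-burst` would make the intended logging rate clear to the next reader, and in `iptables -A CTINVALID -j DROP -m comment --comment "DROP_CTINVALID"` the match `-m comment` comes after the target `-j DROP`, which iptables accepts but which reads oddly next to the surrounding rules that place matches before the target.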
Hi Peter,
I ack that this fixes the empty log lines, but I have seen another problem with dropping all "invalid" packets. The ICMP reject messages, if something is not allowed, have --ctstate INVALID and should be processed.
Also, I miss a switch to disable the logging.
Arne
On 2022-02-17 21:16, Peter Müller wrote:
Fixes: #12778
Signed-off-by: Peter Müller peter.mueller@ipfire.org
src/initscripts/system/firewall | 6 +++++-
1 file changed, 5 insertions(+), 1 deletion(-)
diff --git a/src/initscripts/system/firewall b/src/initscripts/system/firewall index fc355cd5d..2f4b4e30e 100644 --- a/src/initscripts/system/firewall +++ b/src/initscripts/system/firewall @@ -119,9 +119,13 @@ iptables_init() { iptables -A FORWARD -p tcp -j BADTCP
# Connection tracking chains
- iptables -N CTINVALID
- iptables -A CTINVALID -m limit --limit 10/second -j LOG
--log-prefix "DROP_CTINVALID "
- iptables -A CTINVALID -j DROP -m comment --comment "DROP_CTINVALID"
- iptables -N CONNTRACK iptables -A CONNTRACK -m conntrack --ctstate ESTABLISHED -j ACCEPT
- iptables -A CONNTRACK -m conntrack --ctstate INVALID -j LOG_DROP
- iptables -A CONNTRACK -m conntrack --ctstate INVALID -j CTINVALID iptables -A CONNTRACK -p icmp -m conntrack --ctstate RELATED -j
ACCEPT
# Restore any connection marks
Hello Arne,
On 18 Feb 2022, at 06:57, Arne Fitzenreiter arne_f@ipfire.org wrote:
Hi Peter,
I ack that this fixes the empty log lines, but I have seen another problem with dropping all "invalid" packets. The ICMP reject messages, if something is not allowed, have --ctstate INVALID and should be processed.
No, this is correct. Peter’s patches are not changing this behaviour. We have been dropping those packets since forever.
Peter’s patches only add that we log them now which might be helpful finding any networking problems.
Also i miss a switch to disable the logging.
Why?
-Michael
Arne
On 2022-02-17 21:16, Peter Müller wrote:
Fixes: #12778
Signed-off-by: Peter Müller peter.mueller@ipfire.org
src/initscripts/system/firewall | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/src/initscripts/system/firewall b/src/initscripts/system/firewall index fc355cd5d..2f4b4e30e 100644 --- a/src/initscripts/system/firewall +++ b/src/initscripts/system/firewall @@ -119,9 +119,13 @@ iptables_init() { iptables -A FORWARD -p tcp -j BADTCP # Connection tracking chains
- iptables -N CTINVALID
- iptables -A CTINVALID -m limit --limit 10/second -j LOG
--log-prefix "DROP_CTINVALID "
- iptables -A CTINVALID -j DROP -m comment --comment "DROP_CTINVALID"
- iptables -N CONNTRACK iptables -A CONNTRACK -m conntrack --ctstate ESTABLISHED -j ACCEPT
- iptables -A CONNTRACK -m conntrack --ctstate INVALID -j LOG_DROP
- iptables -A CONNTRACK -m conntrack --ctstate INVALID -j CTINVALID iptables -A CONNTRACK -p icmp -m conntrack --ctstate RELATED -j ACCEPT # Restore any connection marks
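As an added example (not code from the thread or from IPFire) of using the new log prefix the way Michael describes, here is a small Python parser that reads kernel log lines carrying "DROP_CTINVALID " and reports what conntrack dropped as INVALID, flagging ICMP error messages so Arne's concern can be checked against real logs. The sample lines are constructed; their field layout follows what the iptables LOG target emits, with an ICMP error's embedded original header shown in square brackets.

```python
import re
from collections import Counter

# Constructed sample kernel log lines (not taken from the thread); the
# last one carries a different prefix and must be ignored by the parser.
SAMPLE_LOG = """\
Feb 18 06:50:12 ipfire kernel: DROP_CTINVALID IN=red0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.5 DST=192.0.2.10 LEN=40 TOS=0x00 PREC=0x00 TTL=54 ID=0 DF PROTO=TCP SPT=443 DPT=51234 WINDOW=0 RES=0x00 ACK RST URGP=0
Feb 18 06:50:13 ipfire kernel: DROP_CTINVALID IN=red0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=198.51.100.9 DST=192.0.2.10 LEN=56 TOS=0x00 PREC=0x00 TTL=60 ID=0 DF PROTO=ICMP TYPE=3 CODE=3 [SRC=192.0.2.10 DST=198.51.100.9 LEN=40 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=4000 DPT=53 LEN=20 ]
Feb 18 06:50:14 ipfire kernel: DROP_CTINVALID IN=green0 OUT=red0 SRC=192.168.1.20 DST=203.0.113.7 LEN=52 TOS=0x00 PREC=0x00 TTL=127 ID=1234 DF PROTO=TCP SPT=50000 DPT=443 WINDOW=0 RES=0x00 ACK FIN URGP=0
Feb 18 06:50:15 ipfire kernel: DROP_HOSTILE IN=red0 OUT= SRC=203.0.113.99 DST=192.0.2.10 LEN=40 PROTO=TCP SPT=1 DPT=22 WINDOW=0 RES=0x00 SYN URGP=0
"""

PREFIX = "DROP_CTINVALID "          # log prefix set by the patch's LOG rule
FIELD_RE = re.compile(r"(\w+)=(\S*)")  # KEY=VALUE tokens; flags like DF/ACK have no '='
ICMP_ERROR_TYPES = {"3", "11", "12"}  # unreachable, time exceeded, parameter problem


def parse_line(line):
    """Return the outer packet header fields of a DROP_CTINVALID log line,
    or None if the line was logged with some other prefix."""
    marker = line.find(PREFIX)
    if marker < 0:
        return None
    body = line[marker + len(PREFIX):]
    # An ICMP error carries the header of the packet it answers in [...];
    # keep the outer part only so SRC/DST/PROTO describe the ICMP packet.
    outer = body.split("[", 1)[0]
    return dict(FIELD_RE.findall(outer))


def summarize(log_text):
    """Count INVALID drops per protocol and list the ICMP error messages
    among them (the packets Arne expects to be let through)."""
    per_proto = Counter()
    icmp_errors = []
    for line in log_text.splitlines():
        fields = parse_line(line)
        if fields is None:
            continue
        proto = fields.get("PROTO", "?")
        per_proto[proto] += 1
        if proto == "ICMP" and fields.get("TYPE") in ICMP_ERROR_TYPES:
            icmp_errors.append(
                (fields["SRC"], fields["DST"], fields["TYPE"], fields.get("CODE")))
    return per_proto, icmp_errors


if __name__ == "__main__":
    counts, errors = summarize(SAMPLE_LOG)
    print("INVALID drops per protocol:", dict(counts))
    for src, dst, icmp_type, code in errors:
        print(f"ICMP error dropped: {src} -> {dst} type={icmp_type} code={code}")
```

Feed it `journalctl -k` or /var/log/messages output instead of SAMPLE_LOG to see whether the dropped INVALID traffic on a real box is dominated by stray TCP segments or by ICMP errors.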