allow DROP_INVALID with any action (e.g. REJECT)
This commit is contained in:
parent
08ee50c2a0
commit
b776394cde
11
sbin/firehol
11
sbin/firehol
@ -409,6 +409,9 @@ FIREHOL_DROP_INVALID=1
|
|||||||
# Default: 1
|
# Default: 1
|
||||||
FIREHOL_LOG_DROP_INVALID=1
|
FIREHOL_LOG_DROP_INVALID=1
|
||||||
|
|
||||||
|
# the action to be performed when we drop INVALID packets
|
||||||
|
FIREHOL_DROP_INVALID_ACTION="DROP"
|
||||||
|
|
||||||
# If set to 1, FireHOL will silently drop orphan TCP packets with ACK,FIN set.
|
# If set to 1, FireHOL will silently drop orphan TCP packets with ACK,FIN set.
|
||||||
# In modern kernels, the connection tracker detects closed sockets
|
# In modern kernels, the connection tracker detects closed sockets
|
||||||
# and removes them from memory before receiving the FIN,ACK from the remote
|
# and removes them from memory before receiving the FIN,ACK from the remote
|
||||||
@ -5640,9 +5643,9 @@ protection() {
|
|||||||
invalid)
|
invalid)
|
||||||
if [ "${FIREHOL_DROP_INVALID}" -eq 0 ]
|
if [ "${FIREHOL_DROP_INVALID}" -eq 0 ]
|
||||||
then
|
then
|
||||||
set_work_function "Rules for dropping invalid packets on '${prface}' for ${work_cmd} '${work_name}'"
|
set_work_function "Rules to ${FIREHOL_DROP_INVALID_ACTION} invalid packets on '${prface}' for ${work_cmd} '${work_name}'"
|
||||||
|
|
||||||
rule in chain "${in}_${work_name}" state INVALID action drop || return 1
|
rule in chain "${in}_${work_name}" state INVALID action ${FIREHOL_DROP_INVALID_ACTION} || return 1
|
||||||
fi
|
fi
|
||||||
;;
|
;;
|
||||||
|
|
||||||
@ -11838,9 +11841,9 @@ firewall_filtering_policy_common_late() {
|
|||||||
|
|
||||||
if [ ${FIREHOL_LOG_DROP_INVALID} -eq 1 ]
|
if [ ${FIREHOL_LOG_DROP_INVALID} -eq 1 ]
|
||||||
then
|
then
|
||||||
rule table filter chain ${iptables_chain} state INVALID action DROP loglimit "BLOCKED INVALID ${iptables_chain}"
|
rule table filter chain ${iptables_chain} state INVALID action ${FIREHOL_DROP_INVALID_ACTION} loglimit "${FIREHOL_DROP_INVALID_ACTION} INVALID ${iptables_chain}"
|
||||||
else
|
else
|
||||||
${iptables_cmd} -t filter -A ${iptables_chain} -m conntrack --ctstate INVALID -j DROP
|
rule table filter chain ${iptables_chain} state INVALID action ${FIREHOL_DROP_INVALID_ACTION}
|
||||||
fi
|
fi
|
||||||
fi
|
fi
|
||||||
|
|
||||||
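Review bot: FIREHOL_DROP_INVALID_ACTION is consumed unquoted and unvalidated in the `rule ... action ${FIREHOL_DROP_INVALID_ACTION}` lines of both the protection() hunk and the firewall_filtering_policy_common_late() hunk, so a misconfigured value (a misspelling, or a value containing whitespace) is word-split into extra `rule` arguments instead of failing early, and whatever `rule` does with an unknown action silently becomes the firewall's handling of INVALID packets. Both functions start and end outside their hunks, so one check at the first point of use would cover them, e.g. `case "${FIREHOL_DROP_INVALID_ACTION}" in drop|DROP|reject|REJECT) ;; *) echo "unsupported FIREHOL_DROP_INVALID_ACTION" >&2; return 1 ;; esac`, with the expansions quoted as `"${FIREHOL_DROP_INVALID_ACTION}"`. Note also that the third hunk changes the log prefix for the default configuration from `BLOCKED INVALID` to `DROP INVALID`; any syslog filter or detection rule matching the old prefix stops matching without any error, which deserves a changelog line or keeping the old literal. The new comment in the first hunk could state the accepted values, e.g. `# the action to be performed when we drop INVALID packets (DROP or REJECT)`.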
|