Guy Marcenac
2003-Sep-22 10:33 UTC
[Shorewall-users] drop or not newnotsyn by protocol/port
Hello,

Is it possible to decide to allow/drop new not syn packets according to the protocol and/or the port number ? In other words, is it possible to specify the newnotsyn criteria at the rule level (AFAIK it's only possible to select it at the interface level) ?

-- guy
On Mon, 2003-09-22 at 10:32, Guy Marcenac wrote:
> Hello,
> Is it possible to decide to allow/drop new not syn packets according to the
> protocol and/or the port number ?
> In other words, is it possible to specify the newnotsyn criteria at the rule
> level (AFAIK it's only possible to select it at the interface level) ?

You can create the file /etc/shorewall/newnotsyn and modify the 'newnotsyn' chain any way that you choose. I personally use this file:

-----------------------------------------------
#!/bin/sh

# Remove the per-interface ACK/RST/FIN ACCEPT rules that are present for
# interfaces carrying the 'newnotsyn' option.
for interface in `find_interfaces_by_option newnotsyn`; do
    run_iptables -D newnotsyn -i $interface -p tcp --tcp-flags ACK ACK -j ACCEPT
    run_iptables -D newnotsyn -i $interface -p tcp --tcp-flags RST RST -j ACCEPT
    run_iptables -D newnotsyn -i $interface -p tcp --tcp-flags FIN FIN -j ACCEPT
done

# Accept ACK, RST and FIN packets regardless of the interface they arrive on.
run_iptables -A newnotsyn -p tcp --tcp-flags ACK ACK -j ACCEPT
run_iptables -A newnotsyn -p tcp --tcp-flags RST RST -j ACCEPT
run_iptables -A newnotsyn -p tcp --tcp-flags FIN FIN -j ACCEPT
-----------------------------------------------------------------------

My file has the effect of allowing ACK, RST and FIN packets on all interfaces and not just those with the 'newnotsyn' option.

For those protocols/ports that you want to accept NEWNOTSYN packets, I recommend that you use the RETURN rule target so that the packets will still be subject to the normal /etc/shorewall/rules processing.

-Tom
-- 
Nothing is foolproof to a sufficiently talented fool
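The per-port RETURN approach Tom recommends, written out as an added example (this is not Tom's file and not part of the Shorewall distribution). It assumes the script is sourced by Shorewall as /etc/shorewall/newnotsyn after the 'newnotsyn' chain exists and that Shorewall supplies run_iptables; the port list NEWNOTSYN_RETURN_PORTS is a hypothetical choice of services, and the run_iptables fallback is only there so the file can be executed stand-alone to review the rules it would issue.

```shell
#!/bin/sh
# Added example of a /etc/shorewall/newnotsyn extension script (not Tom's file).
# Goal: NEWNOTSYN packets destined for a few chosen TCP ports RETURN from the
# 'newnotsyn' chain so they are judged by the normal /etc/shorewall/rules
# processing; ACK/RST/FIN packets on every interface are accepted; everything
# else is left to whatever the rest of the chain already does.

# Hypothetical list of TCP ports whose NEWNOTSYN packets should fall through
# to /etc/shorewall/rules instead of being decided in this chain.
NEWNOTSYN_RETURN_PORTS="22 25"

# When sourced by Shorewall, run_iptables is provided by the firewall script.
# Outside Shorewall (dry run, no root needed) print the rule instead, so the
# resulting rule set can be reviewed before it is installed.
if ! command -v run_iptables >/dev/null 2>&1; then
    run_iptables() { printf 'iptables %s\n' "$*"; }
fi

# Insert one RETURN rule per port at the top of the chain. Using -I rather
# than -A guarantees the RETURN is evaluated before any later accept, log or
# drop rule the chain carries.
add_return_rules() {
    for port in $NEWNOTSYN_RETURN_PORTS; do
        run_iptables -I newnotsyn -p tcp --dport "$port" -j RETURN
    done
}

# Accept ACK, RST and FIN packets on all interfaces (the effect of Tom's file),
# appended so the per-port RETURN rules above are consulted first.
add_flag_accepts() {
    for flag in ACK RST FIN; do
        run_iptables -A newnotsyn -p tcp --tcp-flags "$flag" "$flag" -j ACCEPT
    done
}

add_return_rules
add_flag_accepts
```

Executed on its own (sh ./newnotsyn) the fallback prints the five iptables commands the script would issue; sourced by Shorewall, the same calls go through run_iptables and modify the live chain. Keep the RETURN list short: every port on it reopens the decision about new-but-not-SYN packets to /etc/shorewall/rules, so only services that genuinely need that exception belong there.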