This release back-ports the DROPINVALID shorewall.conf option from 2.2.0.

1) Recent 2.6 kernels include code that evaluates TCP packets based on
   TCP Window analysis. This can cause packets that were previously
   classified as NEW or ESTABLISHED to be classified as INVALID.

   The new kernel code can be disabled by including this command in
   your /etc/shorewall/init file:

       echo 1 > /proc/sys/net/ipv4/netfilter/ip_conntrack_tcp_be_liberal

   Additional kernel logging about INVALID TCP packets may be
   obtained by adding this command to /etc/shorewall/init:

       echo 1 > /proc/sys/net/ipv4/netfilter/ip_conntrack_log_invalid

   Traditionally, Shorewall has dropped INVALID TCP packets early. The
   new DROPINVALID option allows INVALID packets to be passed through
   the normal rules chains by setting DROPINVALID=No.

   If not specified or if specified as empty (e.g., DROPINVALID="")
   then DROPINVALID=Yes is assumed.

http://shorewall.net/pub/shorewall/2.0/shorewall-2.0.16
ftp://shorewall.net/pub/shorewall/2.0/shorewall-2.0.16
-Tom
--
Tom Eastep \ Nothing is foolproof to a sufficiently talented fool
Shoreline, \ http://shorewall.net
Washington USA \ teastep@shorewall.net
PGP Public Key \ https://lists.shorewall.net/teastep.pgp.key
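The following is an added example, not code from the announcement above or from the Shorewall project. It models the two knobs the release note describes, the kernel's ip_conntrack_tcp_be_liberal toggle and the DROPINVALID shorewall.conf option (unset or empty resolving to Yes), and reports where a TCP packet that fails the kernel's window check ends up under each combination. The iptables state-match rule it prints for DROPINVALID=Yes is an assumed generic illustration of the early drop, not Shorewall's own generated chains, and the kernel toggle is read from a file path so the walk-through can use a temporary file instead of /proc.

```shell
#!/bin/sh
# Added example, not code from the announcement or from the Shorewall project.
# Models ip_conntrack_tcp_be_liberal and DROPINVALID and shows what happens to
# an out-of-window TCP packet under each combination. The iptables rule text is
# an assumed generic illustration, not Shorewall's generated chains.

# Resolve DROPINVALID from shorewall.conf text read on stdin.
# Unset or empty resolves to Yes, as the announcement states; the last
# assignment wins, and quotes and surrounding whitespace are ignored.
dropinvalid_setting() {
    val=$(sed -n 's/^[[:space:]]*DROPINVALID=[[:space:]]*//p' | tail -n 1 | tr -d "\"' \t")
    case "$val" in
        "")           echo "Yes" ;;
        [Yy][Ee][Ss]) echo "Yes" ;;
        [Nn][Oo])     echo "No" ;;
        # Assumption: values other than Yes/No/empty are rejected here.
        *) echo "unrecognised DROPINVALID value: $val" >&2; return 1 ;;
    esac
}

# Where an out-of-window TCP packet ends up, given the be_liberal toggle (0/1)
# and the resolved DROPINVALID setting (Yes/No).
out_of_window_fate() {
    liberal=$1 dropinvalid=$2
    if [ "$liberal" = "1" ]; then
        echo "tracked normally: window check disabled, packet stays NEW/ESTABLISHED"
    elif [ "$dropinvalid" = "Yes" ]; then
        echo "dropped early as INVALID before the rules chains"
    else
        echo "marked INVALID but passed through the normal rules chains"
    fi
}

# The early-drop rule that DROPINVALID=Yes corresponds to, in generic iptables
# form (assumed illustration); DROPINVALID=No emits no such rule.
invalid_drop_rule() {
    if [ "$1" = "Yes" ]; then
        echo "iptables -A FORWARD -m state --state INVALID -j DROP"
    else
        echo "# no early INVALID drop; the normal rules chains decide"
    fi
}

# Read a conntrack sysctl toggle from a file; on a live system pass
# /proc/sys/net/ipv4/netfilter/ip_conntrack_tcp_be_liberal.
sysctl_toggle() {
    tr -d "[:space:]" < "$1"
}

# Walk-through on a constructed shorewall.conf fragment. The kernel toggle is
# read from a temporary file instead of /proc so this runs on any machine.
demo() {
    tmp=$(mktemp)
    echo 0 > "$tmp"                 # constructed: be_liberal left at its default
    cfg='# constructed shorewall.conf fragment
STARTUP_ENABLED=Yes
DROPINVALID=No
'
    setting=$(printf '%s' "$cfg" | dropinvalid_setting)
    liberal=$(sysctl_toggle "$tmp")
    echo "DROPINVALID resolves to: $setting"
    echo "ip_conntrack_tcp_be_liberal = $liberal"
    invalid_drop_rule "$setting"
    out_of_window_fate "$liberal" "$setting"
    rm -f "$tmp"
}

demo
```

Running the script prints the walk-through for the constructed fragment (DROPINVALID=No with be_liberal at 0, so INVALID packets reach the rules chains). Swap the fragment for your own shorewall.conf and point sysctl_toggle at the /proc path to see the combination a real firewall is running with.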
Tom Eastep wrote:
> This release back-ports the DROPINVALID shorewall.conf option from 2.2.0.
>
> 1) Recent 2.6 kernels include code that evaluates TCP packets based on
> TCP Window analysis. This can cause packets that were previously
> classified as NEW or ESTABLISHED to be classified as INVALID.
>
> The new kernel code can be disabled by including this command in
> your /etc/shorewall/init file:
>
> echo 1 > /proc/sys/net/ipv4/netfilter/ip_conntrack_tcp_be_liberal
>
> Additional kernel logging about INVALID TCP packets may be
> obtained by adding this command to /etc/shorewall/init:
>
> echo 1 > /proc/sys/net/ipv4/netfilter/ip_conntrack_log_invalid
>
> Traditionally, Shorewall has dropped INVALID TCP packets early. The
> new DROPINVALID option allows INVALID packets to be passed through
> the normal rules chains by setting DROPINVALID=No.
>
> If not specified or if specified as empty (e.g., DROPINVALID="")
> then DROPINVALID=Yes is assumed.
>
> http://shorewall.net/pub/shorewall/2.0/shorewall-2.0.16
> ftp://shorewall.net/pub/shorewall/2.0/shorewall-2.0.16
>
> -Tom

Mandrake packages at http://www.monkeynoodle.org/comp/net/shorewall

--
Jack at Monkeynoodle dot Org: It's a Scientific Venture...
Riding the Emergency Third Rail Power Trip since 1996!