[Firehol-support] FIREHOL_DROP_ORPHAN_TCP_ACK_FIN
Costa Tsaousis
costa at tsaousis.gr
Sat Dec 8 10:39:41 GMT 2007
Daniel Goering wrote:
> Hi,
>
> as I wrote last time it works well for me with the removed keywords. But
> now I have some packet drops on an interface with accept policy.
> May be it would be nice to check not only if
> FIREHOL_DROP_ORPHAN_TCP_ACK_FIN is set but also if the policy for this
> interface is really DROP.
>
> Cheers
> Daniel
>
>
Daniel,
I have moved the two instances of the check in close_interface() and
close_router() just a few lines above, in the case statement, so that
they are applied only when the policy is not RETURN or ACCEPT.
It now looks like this:
...
	case "${work_policy}" in
		return|RETURN)
			return 0
			;;
		accept|ACCEPT)
			;;
		*)
			# THIS BLOCK WAS BELOW THE 'case - esac'
			if [ "${FIREHOL_DROP_ORPHAN_TCP_ACK_FIN}" = "1" ]
			then
				# Silently drop orphan TCP/ACK FIN packets
				rule chain "in_${work_name}" proto tcp custom "--tcp-flags ALL ACK,FIN" action DROP || return 1
				rule reverse chain "out_${work_name}" proto tcp custom "--tcp-flags ALL ACK,FIN" action DROP || ret$
			fi
			local -a inlog=(loglimit "'IN-${work_name}'")
			local -a outlog=(loglimit "'OUT-${work_name}'")
			;;
	esac
...
Could you please check it?
Costa
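The following is an added example, not FireHOL's own code and not part of the thread above. It models the gating Costa describes as a small POSIX sh function: given an interface's policy and the FIREHOL_DROP_ORPHAN_TCP_ACK_FIN flag, it prints the iptables rules that the orphan ACK,FIN drop would translate to, and prints nothing for ACCEPT or RETURN policies, which is the behaviour Daniel asked for. The in_<name>/out_<name> chain names follow the quoted snippet; the function names, the eth0/eth1 interface names and the direct iptables form of the rules are assumptions made here for illustration.

```shell
#!/bin/sh
# Added example (not FireHOL's code): emulate the policy check that wraps the
# orphan ACK,FIN drop. Prints the equivalent iptables commands, or nothing.
#   $1 = interface policy (accept/ACCEPT, return/RETURN, drop, reject, ...)
#   $2 = interface name (used for the in_<name> / out_<name> chains)
#   $3 = value of FIREHOL_DROP_ORPHAN_TCP_ACK_FIN ("1" enables the drop)
orphan_ackfin_rules() {
    policy="$1"; name="$2"; flag="$3"
    case "$policy" in
        return|RETURN|accept|ACCEPT)
            # Policy lets unmatched traffic through, so dropping orphan
            # ACK,FIN segments here would contradict it: emit nothing.
            return 0
            ;;
        *)
            # Any other policy (DROP, REJECT, ...) gets the rules, but only
            # when the option is switched on.
            [ "$flag" = "1" ] || return 0
            # Inbound chain: segments carrying exactly ACK,FIN out of ALL flags.
            printf 'iptables -A in_%s -p tcp --tcp-flags ALL ACK,FIN -j DROP\n' "$name"
            # Outbound chain ("rule reverse" in FireHOL terms): same flag match.
            printf 'iptables -A out_%s -p tcp --tcp-flags ALL ACK,FIN -j DROP\n' "$name"
            ;;
    esac
}

# Number of rules a policy/flag combination produces (0 or 2).
rule_count() {
    orphan_ackfin_rules "$1" "$2" "$3" | wc -l | tr -d ' '
}

# Walk through the combinations from the thread (constructed sample input).
for policy in accept ACCEPT return drop DROP reject; do
    printf '%-7s flag=1 -> %s rule(s)\n' "$policy" "$(rule_count "$policy" eth0 1)"
done
printf '%-7s flag=0 -> %s rule(s)\n' drop "$(rule_count drop eth0 0)"
```

Running it shows two rules only for the non-ACCEPT, non-RETURN policies with the flag set; an interface with policy accept produces none, which is the packet-drop symptom Daniel reported being removed.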