[01/11] firewall: Log packets dropped due to conntrack INVALID state

Message ID f011f4d0-0bef-9f02-6e78-8af0ac947db6@ipfire.org
State Accepted
Commit 0e7bfb1343d28069acfbaacb957cd199f8ead099
Series firewall: Introduce DROP_HOSTILE and improve spoofing logging/protection

Commit Message

Peter Müller Dec. 18, 2021, 1:47 p.m. UTC

In case of faulty connection tracking, this ensures such packets are
logged, to make analysing network incidents less troublesome. Since
NewNotSYN is handled before, where logging can be turned off for systems
running on weak flash devices, the amount of log messages emitted here
should be negligible.

Signed-off-by: Peter Müller <peter.mueller@ipfire.org>
 src/initscripts/system/firewall | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)


diff --git a/src/initscripts/system/firewall b/src/initscripts/system/firewall
index 75ea8abdf..49c6b7bf9 100644
--- a/src/initscripts/system/firewall
+++ b/src/initscripts/system/firewall
@@ -110,7 +110,7 @@  iptables_init() {
 	# Connection tracking chains
 	iptables -N CONNTRACK
 	iptables -A CONNTRACK -m conntrack --ctstate ESTABLISHED -j ACCEPT
-	iptables -A CONNTRACK -m conntrack --ctstate INVALID -j DROP
+	iptables -A CONNTRACK -m conntrack --ctstate INVALID -j LOG_DROP
 	iptables -A CONNTRACK -p icmp -m conntrack --ctstate RELATED -j ACCEPT
 	# Restore any connection marks
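Review bot: the new rule on the `+` line jumps to a LOG_DROP chain, but nothing in this hunk or in the commit message shows where that chain is created; iptables refuses a `-j` to a user-defined chain that does not exist yet, so the chain must be defined earlier in iptables_init() (or by an earlier patch of this series), and the commit message should say which. Also, the claim that the log volume stays negligible rests on NewNotSYN being handled before the CONNTRACK chain is reached, which is not visible in the three lines of context here; a short comment above the rule noting that ordering dependency would make it harder to break by a later reordering.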
@@ -136,7 +136,7 @@  iptables_init() {
 	iptables -A INPUT -j P2PBLOCK
 	iptables -A FORWARD -j P2PBLOCK
 	iptables -A OUTPUT -j P2PBLOCK
 	# IPS (Guardian) chains
 	iptables -N GUARDIAN
 	iptables -A INPUT -j GUARDIAN
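Review bot: the hunk header declares seven lines on each side, but only six unchanged context lines are shown, so the single `-`/`+` pair this hunk changes is missing from the rendered page and cannot be reviewed here; the diffstat's three insertions and three deletions imply one replaced line per hunk.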
@@ -265,7 +265,7 @@  iptables_init() {
 	iptables -A INPUT -j TOR_INPUT
 	iptables -N TOR_OUTPUT
 	iptables -A OUTPUT -j TOR_OUTPUT
 	# Jump into the actual firewall ruleset.
 	iptables -N INPUTFW
 	iptables -A INPUT -j INPUTFW
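Review bot: as with the previous hunk, the header counts seven lines per side while only six context lines appear, so the one `-`/`+` pair belonging to this hunk is absent from the rendered page; please check the original mail for the replaced line before judging the change complete.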