From patchwork Sat Dec 18 13:47:25 2021 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 8bit X-Patchwork-Submitter: =?utf-8?q?Peter_M=C3=BCller?= X-Patchwork-Id: 4924 Return-Path: Received: from mail01.ipfire.org (mail01.haj.ipfire.org [172.28.1.202]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (P-384) client-signature ECDSA (P-384)) (Client CN "mail01.haj.ipfire.org", Issuer "R3" (verified OK)) by web04.haj.ipfire.org (Postfix) with ESMTPS id 4JGRxG2GyGz3wtM for ; Sat, 18 Dec 2021 13:47:30 +0000 (UTC) Received: from mail02.haj.ipfire.org (mail02.haj.ipfire.org [172.28.1.201]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (P-384) client-signature ECDSA (P-384)) (Client CN "mail02.haj.ipfire.org", Issuer "R3" (verified OK)) by mail01.ipfire.org (Postfix) with ESMTPS id 4JGRxF6SLHz1F4; Sat, 18 Dec 2021 13:47:29 +0000 (UTC) Received: from mail02.haj.ipfire.org (localhost [127.0.0.1]) by mail02.haj.ipfire.org (Postfix) with ESMTP id 4JGRxF634Rz2ysF; Sat, 18 Dec 2021 13:47:29 +0000 (UTC) Received: from mail01.ipfire.org (mail01.haj.ipfire.org [172.28.1.202]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (P-384) client-signature ECDSA (P-384)) (Client CN "mail01.haj.ipfire.org", Issuer "R3" (verified OK)) by mail02.haj.ipfire.org (Postfix) with ESMTPS id 4JGRxD2PXjz2xXd for ; Sat, 18 Dec 2021 13:47:28 +0000 (UTC) Received: from [127.0.0.1] (localhost [127.0.0.1]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (P-384)) (No client certificate requested) by mail01.ipfire.org (Postfix) with ESMTPSA id 4JGRxC1JDzznC for ; Sat, 18 Dec 2021 13:47:26 +0000 (UTC) DKIM-Signature: v=1; a=ed25519-sha256; c=relaxed/relaxed; d=ipfire.org; s=202003ed25519; t=1639835247; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references; bh=ApxN+JciJpuy6gpfFXsat5eInXVqMp2GllWQXsGEwZE=; b=sOorwl8MboBJcHCeceplWX/LV4t4YNMFTjOCP+xJmeO0i0ZHpGSTncx5TNdgXhwZTdeiXV g1c+qp/rlGvt9aBg== DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=ipfire.org; s=202003rsa; t=1639835247; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references; bh=ApxN+JciJpuy6gpfFXsat5eInXVqMp2GllWQXsGEwZE=; b=JsPM2WaIIbm4EdlpuFg+cgbKRh5sghsvcyy5NrVjpgN4XowHX/J6gZ06+3CjDjgPppCk84 0UZry2AF0TmE+JyT+oGXqDMomY2AxAh27GMo5vRz9d5+oy2G6IXc+jxLQIY17OW3VpEWfa iLkrCaiwxyD/YFlLzaBMYH+YEUqtQzyJf2nrwu84hoUjYx/BZkVUXtY9K3MAuiI1cpOJ8z xtpdv5DhrUKcEjGNfe5SQpNyNOTl0/RdrpFrJBSEjkEHyjLL8kQyDPq7WPeo2yhOb0p5F9 ayVXuoOgsBVMaw00jsXt5DLCvzkjxL9xEaasn+VHMQV8oiyPYzUF28WCOhy01Q== Subject: [PATCH 01/11] firewall: Log packets dropped due to conntrack INVALID state To: development@lists.ipfire.org References: <34588df1-b2b7-9dfc-1fa4-54a2476d1d7f@ipfire.org> From: =?utf-8?q?Peter_M=C3=BCller?= Message-ID: Date: Sat, 18 Dec 2021 14:47:25 +0100 MIME-Version: 1.0 In-Reply-To: <34588df1-b2b7-9dfc-1fa4-54a2476d1d7f@ipfire.org> Content-Language: en-US X-BeenThere: development@lists.ipfire.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: IPFire development talk List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: development-bounces@lists.ipfire.org Sender: "Development" In case of faulty connection tracking, this ensures such packets are logged, to make analysing network incidents less troublesome. Since NewNotSYN is handled before, where logging can be turned off for systems running on weak flash devices, the amount of log messages emitted here should be neglectible. Signed-off-by: Peter Müller --- src/initscripts/system/firewall | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/src/initscripts/system/firewall b/src/initscripts/system/firewall index 75ea8abdf..49c6b7bf9 100644 --- a/src/initscripts/system/firewall +++ b/src/initscripts/system/firewall @@ -110,7 +110,7 @@ iptables_init() { # Connection tracking chains iptables -N CONNTRACK iptables -A CONNTRACK -m conntrack --ctstate ESTABLISHED -j ACCEPT - iptables -A CONNTRACK -m conntrack --ctstate INVALID -j DROP + iptables -A CONNTRACK -m conntrack --ctstate INVALID -j LOG_DROP iptables -A CONNTRACK -p icmp -m conntrack --ctstate RELATED -j ACCEPT # Restore any connection marks @@ -136,7 +136,7 @@ iptables_init() { iptables -A INPUT -j P2PBLOCK iptables -A FORWARD -j P2PBLOCK iptables -A OUTPUT -j P2PBLOCK - + # IPS (Guardian) chains iptables -N GUARDIAN iptables -A INPUT -j GUARDIAN @@ -265,7 +265,7 @@ iptables_init() { iptables -A INPUT -j TOR_INPUT iptables -N TOR_OUTPUT iptables -A OUTPUT -j TOR_OUTPUT - + # Jump into the actual firewall ruleset. iptables -N INPUTFW iptables -A INPUT -j INPUTFW