webadmin/bpfire
1
0
Fork 0
mirror of https://github.com/vincentmli/bpfire.git synced 2026-04-09 18:45:54 +02:00
Code Issues Packages Projects Releases Wiki Activity

firewall: Add proper logging prefix for conntrack INVALID hits

Browse Source 
Fixes: #12778

Signed-off-by: Peter Müller <peter.mueller@ipfire.org>
This commit is contained in:
Peter Müller
2022-02-17 20:16:02 +00:00
parent 53378856a8
commit 5ca74566b3
1 changed files with 5 additions and 1 deletions
Download Patch File Download Diff File Expand all files Collapse all files

6
src/initscripts/system/firewall
View File

@@ -121,9 +121,13 @@ iptables_init() {
iptables -A FORWARD -p tcp -j BADTCP
# Connection tracking chains
iptables -N CTINVALID
iptables -A CTINVALID -m limit --limit 10/second -j LOG --log-prefix "DROP_CTINVALID "
iptables -A CTINVALID -j DROP -m comment --comment "DROP_CTINVALID"
iptables -N CONNTRACK
iptables -A CONNTRACK -m conntrack --ctstate ESTABLISHED -j ACCEPT
iptables -A CONNTRACK -m conntrack --ctstate INVALID -j LOG_DROP
iptables -A CONNTRACK -m conntrack --ctstate INVALID -j CTINVALID
iptables -A CONNTRACK -p icmp -m conntrack --ctstate RELATED -j ACCEPT
# Restore any connection marks