]> git.ipfire.org Git - ipfire-2.x.git/blobdiff - src/initscripts/system/firewall
projects / ipfire-2.x.git / blobdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | inline | side by side
firewall: Add proper logging prefix for conntrack INVALID hits
[ipfire-2.x.git] / src / initscripts / system / firewall
diff --git a/src/initscripts/system/firewall b/src/initscripts/system/firewall
index 2ae6157aa0a0cdd5b636430b407d3c4adad639bd..5fef07a00f4b49f9a1d0205928916d6668cc546f 100644 (file)
--- a/src/initscripts/system/firewall
+++ b/src/initscripts/system/firewall
@@ -121,9 +121,13 @@ iptables_init() {
        iptables -A FORWARD -p tcp -j BADTCP
 
        # Connection tracking chains
+       iptables -N CTINVALID
+       iptables -A CTINVALID  -m limit --limit 10/second -j LOG  --log-prefix "DROP_CTINVALID "
+       iptables -A CTINVALID  -j DROP -m comment --comment "DROP_CTINVALID"
+
        iptables -N CONNTRACK
        iptables -A CONNTRACK -m conntrack --ctstate ESTABLISHED -j ACCEPT
-       iptables -A CONNTRACK -m conntrack --ctstate INVALID -j LOG_DROP
+       iptables -A CONNTRACK -m conntrack --ctstate INVALID -j CTINVALID
        iptables -A CONNTRACK -p icmp -m conntrack --ctstate RELATED -j ACCEPT
 
        # Restore any connection marks
IPFire 2.x development tree