:xMerge branch 'next' of ssh://git.ipfire.org/pub/git/ipfire-2.x into next-switch...

[people/pmueller/ipfire-2.x.git] / src / initscripts / system / firewall

diff --git a/src/initscripts/system/firewall b/src/initscripts/system/firewall
index 5d7f1c1b4be37257ae339aa68151c9e0b9508d03..65f1c979bb4007f1987fbfe897b5e1d91ed30f23 100644 (file)
--- a/src/initscripts/system/firewall
+++ b/src/initscripts/system/firewall
@@ -32,6 +32,10 @@ iptables_init() {
        iptables -P FORWARD DROP
        iptables -P OUTPUT ACCEPT
 
+       # Enable TRACE logging to syslog
+       modprobe nf_log_ipv4
+       sysctl -q -w net.netfilter.nf_log.2=nf_log_ipv4
+
        # Empty LOG_DROP and LOG_REJECT chains
        iptables -N LOG_DROP
        iptables -A LOG_DROP   -m limit --limit 10/second -j LOG
@@ -96,6 +100,9 @@ iptables_init() {
 
        # Conntrack helpers (https://home.regit.org/netfilter-en/secure-use-of-helpers/)
 
+       # GRE (always enabled)
+       modprobe nf_conntrack_proto_gre
+
        # SIP
        if [ "${CONNTRACK_SIP}" = "on" ]; then
                modprobe nf_nat_sip