]> git.ipfire.org Git - people/teissler/ipfire-2.x.git/blobdiff - src/initscripts/system/firewall
projects / people / teissler / ipfire-2.x.git / blobdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | inline | side by side
firewall: Add proper logging prefix for conntrack INVALID hits
[people/teissler/ipfire-2.x.git] / src / initscripts / system / firewall
diff --git a/src/initscripts/system/firewall b/src/initscripts/system/firewall
index fc355cd5d41deef8fed18f64ae298ed64560ee07..2f4b4e30ed48ab4f409eb18da870309589254675 100644 (file)
--- a/src/initscripts/system/firewall
+++ b/src/initscripts/system/firewall
@@ -119,9 +119,13 @@ iptables_init() {
        iptables -A FORWARD -p tcp -j BADTCP
 
        # Connection tracking chains
+       iptables -N CTINVALID
+       iptables -A CTINVALID  -m limit --limit 10/second -j LOG  --log-prefix "DROP_CTINVALID "
+       iptables -A CTINVALID  -j DROP -m comment --comment "DROP_CTINVALID"
+
        iptables -N CONNTRACK
        iptables -A CONNTRACK -m conntrack --ctstate ESTABLISHED -j ACCEPT
-       iptables -A CONNTRACK -m conntrack --ctstate INVALID -j LOG_DROP
+       iptables -A CONNTRACK -m conntrack --ctstate INVALID -j CTINVALID
        iptables -A CONNTRACK -p icmp -m conntrack --ctstate RELATED -j ACCEPT
 
        # Restore any connection marks
Timo's tree of IPFire 2.x