firewall: Log packets dropped due to conntrack INVALID state

In case of faulty connection tracking, this ensures such packets are
logged, to make analysing network incidents less troublesome. Since
NewNotSYN is handled before, where logging can be turned off for systems
running on weak flash devices, the amount of log messages emitted here
should be neglectible.

Signed-off-by: Peter Müller <peter.mueller@ipfire.org>

diff --git a/src/initscripts/system/firewall b/src/initscripts/system/firewall
index 75ea8abdfecb86c33d18aed087665ab5de2d6fad..49c6b7bf917cebc5d629a0dd3bd9f15dec542132 100644 (file)
--- a/src/initscripts/system/firewall
+++ b/src/initscripts/system/firewall
@@ -110,7 +110,7 @@ iptables_init() {
        # Connection tracking chains
        iptables -N CONNTRACK
        iptables -A CONNTRACK -m conntrack --ctstate ESTABLISHED -j ACCEPT
-       iptables -A CONNTRACK -m conntrack --ctstate INVALID -j DROP
+       iptables -A CONNTRACK -m conntrack --ctstate INVALID -j LOG_DROP
        iptables -A CONNTRACK -p icmp -m conntrack --ctstate RELATED -j ACCEPT
 
        # Restore any connection marks
@@ -136,7 +136,7 @@ iptables_init() {
        iptables -A INPUT -j P2PBLOCK
        iptables -A FORWARD -j P2PBLOCK
        iptables -A OUTPUT -j P2PBLOCK
-       
+
        # IPS (Guardian) chains
        iptables -N GUARDIAN
        iptables -A INPUT -j GUARDIAN
@@ -265,7 +265,7 @@ iptables_init() {
        iptables -A INPUT -j TOR_INPUT
        iptables -N TOR_OUTPUT
        iptables -A OUTPUT -j TOR_OUTPUT
-       
+
        # Jump into the actual firewall ruleset.
        iptables -N INPUTFW
        iptables -A INPUT -j INPUTFW