firewall: Only propagate ASSURED and DESTROY CT events to user-space
authorMichael Tremer <michael.tremer@ipfire.org>
Wed, 24 Jun 2015 16:40:27 +0000 (18:40 +0200)
committerMichael Tremer <michael.tremer@ipfire.org>
Wed, 24 Jun 2015 16:40:27 +0000 (18:40 +0200)
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
src/initscripts/init.d/firewall

index 8ca02bc9d1932b4530556d5baf29ef0053eb090d..28443599a533b6d344b5d27f3c349b6c48d1777a 100644 (file)
@@ -21,9 +21,11 @@ iptables_init() {
        iptables -F
        iptables -t nat -F
        iptables -t mangle -F
+       iptables -t raw -F
        iptables -X
        iptables -t nat -X
        iptables -t mangle -X
+       iptables -t raw -X
 
        # Set up policies
        iptables -P INPUT DROP
@@ -295,6 +297,9 @@ iptables_init() {
        if [ ! -e "/var/ipfire/red/active" ]; then
                iptables_red_down
        fi
+
+       # Only propagate assured and destroy CT events to user-space
+       iptables -t raw -A PREROUTING -j CT --ctevents assured,destroy
 }
 
 iptables_red_up() {
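Review bot: The new `-j CT --ctevents assured,destroy` rule on the last added line is only installed in the raw PREROUTING chain, so it only covers connections whose first packet arrives on an interface; flows originated by the firewall itself enter conntrack through the raw OUTPUT chain and will keep delivering the full event set (new, update, protoinfo, ...) to user-space. If the intent is to cut the event stream system-wide, a second rule is needed, `iptables -t raw -A OUTPUT -j CT --ctevents assured,destroy`. The rule silently filters events that user-space conntrack consumers may depend on (anything subscribing to NEW events via ctnetlink, e.g. connection-logging or a connections view), and the commit does not say which consumer motivated it or what happens on a kernel without xt_CT support, where the unchecked command just fails; a comment such as `# Reduces ctnetlink traffic; consumers needing NEW/UPDATE events must be adjusted. Requires xt_CT.` would record that. iptables_init begins outside the hunk.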