firewall: Log packets dropped due to conntrack INVALID state

[ipfire-2.x.git] / src / initscripts / system / firewall

diff --git a/src/initscripts/system/firewall b/src/initscripts/system/firewall
index 776e70d6eea299a865f0a190f72f4269537f2188..49c6b7bf917cebc5d629a0dd3bd9f15dec542132 100644 (file)
--- a/src/initscripts/system/firewall
+++ b/src/initscripts/system/firewall
@@ -110,10 +110,8 @@ iptables_init() {
        # Connection tracking chains
        iptables -N CONNTRACK
        iptables -A CONNTRACK -m conntrack --ctstate ESTABLISHED -j ACCEPT
-       iptables -A CONNTRACK -m conntrack --ctstate INVALID -j DROP
+       iptables -A CONNTRACK -m conntrack --ctstate INVALID -j LOG_DROP
        iptables -A CONNTRACK -p icmp -m conntrack --ctstate RELATED -j ACCEPT
-       iptables -t raw -N CONNTRACK
-       iptables -t raw -A PREROUTING -j CONNTRACK
 
        # Restore any connection marks
        iptables -t mangle -A PREROUTING -j CONNMARK --restore-mark
@@ -138,7 +136,7 @@ iptables_init() {
        iptables -A INPUT -j P2PBLOCK
        iptables -A FORWARD -j P2PBLOCK
        iptables -A OUTPUT -j P2PBLOCK
-       
+
        # IPS (Guardian) chains
        iptables -N GUARDIAN
        iptables -A INPUT -j GUARDIAN
@@ -267,7 +265,7 @@ iptables_init() {
        iptables -A INPUT -j TOR_INPUT
        iptables -N TOR_OUTPUT
        iptables -A OUTPUT -j TOR_OUTPUT
-       
+
        # Jump into the actual firewall ruleset.
        iptables -N INPUTFW
        iptables -A INPUT -j INPUTFW