From d8158ca68c4d48eb7fafe1b3a1fab2468381979a Mon Sep 17 00:00:00 2001
From: Arne Fitzenreiter
Date: Thu, 30 Dec 2010 16:28:19 +0100
Subject: [PATCH] Firewall: better loopback badtcp skipping.
---
 src/initscripts/init.d/fireinfo | 0
 src/initscripts/init.d/firewall | 5 ++++-
 2 files changed, 4 insertions(+), 1 deletion(-)
 mode change 100755 => 100644 src/initscripts/init.d/fireinfo
diff --git a/src/initscripts/init.d/fireinfo b/src/initscripts/init.d/fireinfo
old mode 100755
new mode 100644
diff --git a/src/initscripts/init.d/firewall b/src/initscripts/init.d/firewall
index 9a4e5eb17b..f1330f0670 100644
--- a/src/initscripts/init.d/firewall
+++ b/src/initscripts/init.d/firewall
@@ -53,6 +53,9 @@ iptables_init() {
 # Chain to contain all the rules relating to bad TCP flags
 /sbin/iptables -N BADTCP
 
+ #Don't check loopback
+ /sbin/iptables -A INPUT -i lo -j RETURN
+
 # Disallow packets frequently used by port-scanners
 # nmap xmas
 /sbin/iptables -A BADTCP -p tcp --tcp-flags ALL FIN,URG,PSH -j PSCAN
@@ -188,7 +191,7 @@ case "$1" in
 /sbin/iptables -A FORWARD -j OUTGOINGFW
 
 # localhost and ethernet.
- /sbin/iptables -I INPUT 1 -i lo -m state --state NEW -j ACCEPT
+ /sbin/iptables -A INPUT -i lo -m state --state NEW -j ACCEPT
 /sbin/iptables -A INPUT -s 127.0.0.0/8 -m state --state NEW -j DROP # Loopback not on lo
 /sbin/iptables -A INPUT -d 127.0.0.0/8 -m state --state NEW -j DROP
 /sbin/iptables -A FORWARD -i lo -m state --state NEW -j ACCEPT
-- 
2.39.2
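Review bot: The added `/sbin/iptables -A INPUT -i lo -j RETURN` in iptables_init() appends RETURN to a built-in chain, where it does not fall through to the next rule but ends traversal of INPUT and hands the packet to the chain policy, so it skips far more than the BADTCP checks. If the INPUT policy is DROP (the policy is set outside this hunk, so I cannot confirm it here) all loopback traffic is dropped; if it is ACCEPT, every lo packet is accepted before the stateful rules, and the `-A INPUT -i lo -m state --state NEW -j ACCEPT` that the second hunk now appends instead of inserting at position 1 can never match. To exempt loopback only from the bad-flag checks, put the RETURN at the head of the user-defined chain instead, `/sbin/iptables -A BADTCP -i lo -j RETURN`, which the hunk's placement before the first `-A BADTCP ... -j PSCAN` rule already makes the chain's first entry. The comment above it should say what is being skipped, e.g. `# Loopback is exempt from the bad-TCP-flag checks`, rather than the terse `#Don't check loopback`. iptables_init() continues outside the hunk, presumably with the rule that jumps INPUT to BADTCP.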