mirror of https://github.com/hak5/openwrt-owl.git
firewall: introduce drop_invalid option to allow disabling the invalid state match
SVN-Revision: 14061owl
parent
b693945d4f
commit
83c9ac173d
|
@ -160,13 +160,16 @@ fw_defaults() {
|
|||
$IPTABLES -t nat -X
|
||||
$IPTABLES -X
|
||||
|
||||
$IPTABLES -A INPUT -m state --state INVALID -j DROP
|
||||
config_get_bool drop_invalid $1 drop_invalid 1
|
||||
|
||||
[ "$drop_invalid" -gt 0 ] && {
|
||||
$IPTABLES -A INPUT -m state --state INVALID -j DROP
|
||||
$IPTABLES -A OUTPUT -m state --state INVALID -j DROP
|
||||
$IPTABLES -A FORWARD -m state --state INVALID -j DROP
|
||||
}
|
||||
|
||||
$IPTABLES -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
|
||||
|
||||
$IPTABLES -A OUTPUT -m state --state INVALID -j DROP
|
||||
$IPTABLES -A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
|
||||
|
||||
$IPTABLES -A FORWARD -m state --state INVALID -j DROP
|
||||
$IPTABLES -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
|
||||
|
||||
$IPTABLES -A INPUT -i lo -j ACCEPT
|
||||
|
|
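Review bot: The new `drop_invalid` switch in fw_defaults is introduced without any comment on what disabling it does to the ruleset, and this is the place a later reader will look. With the three `--state INVALID -j DROP` rules skipped, packets that conntrack classifies as INVALID no longer match the RELATED,ESTABLISHED accepts below and fall through to whatever later rules and chain policies apply (not visible in this hunk); on a NAT router such packets are typically not translated either, so they may be forwarded with their original addresses. I would keep the default of 1 and add a comment above the `config_get_bool` line such as `# drop_invalid=0 skips the INVALID-state drops; those packets then reach the later rules/policies and bypass NAT, so use it for troubleshooting only`. As a smaller style point, `$1` is unquoted in `config_get_bool drop_invalid $1 drop_invalid 1`; `"$1"` is safer if the section name can ever be empty or contain whitespace. fw_defaults begins before and continues after this hunk, so the interaction with the later policy rules should be checked there.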