From 5729be6431c46ac64730bbc280f2b9977be502fb Mon Sep 17 00:00:00 2001 From: Tom Eastep Date: Fri, 10 Mar 2017 09:06:41 -0800 Subject: [PATCH] Add dropInvalid to BLACKLIST_DEFAULT Signed-off-by: Tom Eastep --- Shorewall6/Samples6/Universal/shorewall6.conf | 2 +- Shorewall6/Samples6/one-interface/shorewall6.conf | 2 +- Shorewall6/Samples6/three-interfaces/shorewall6.conf | 2 +- Shorewall6/Samples6/two-interfaces/shorewall6.conf | 2 +- Shorewall6/configfiles/shorewall6.conf | 2 +- docs/Actions.xml | 6 +++--- 6 files changed, 8 insertions(+), 8 deletions(-) diff --git a/Shorewall6/Samples6/Universal/shorewall6.conf b/Shorewall6/Samples6/Universal/shorewall6.conf index c139d2b76..af79333b6 100644 --- a/Shorewall6/Samples6/Universal/shorewall6.conf +++ b/Shorewall6/Samples6/Universal/shorewall6.conf @@ -107,7 +107,7 @@ TC= ############################################################################### ACCEPT_DEFAULT=none -BLACKLIST_DEFAULT="AllowICMPs,Broadcast(DROP),Multicast(DROP),dropNotSyn:$LOG_LEVEL,DropDNSrep:$LOG_LEVEL" +BLACKLIST_DEFAULT="AllowICMPs,Broadcast(DROP),Multicast(DROP),dropNotSyn:$LOG_LEVEL,dropInvalid:$LOG_LEVEL:DropDNSrep:$LOG_LEVEL" DROP_DEFAULT="AllowICMPs,Broadcast(DROP),Multicast(DROP)" NFQUEUE_DEFAULT=none QUEUE_DEFAULT=none diff --git a/Shorewall6/Samples6/one-interface/shorewall6.conf b/Shorewall6/Samples6/one-interface/shorewall6.conf index d5b389f1e..ea4e0c745 100644 --- a/Shorewall6/Samples6/one-interface/shorewall6.conf +++ b/Shorewall6/Samples6/one-interface/shorewall6.conf @@ -108,7 +108,7 @@ TC= ############################################################################### ACCEPT_DEFAULT=none -BLACKLIST_DEFAULT="AllowICMPs,Broadcast(DROP),Multicast(DROP),dropNotSyn:$LOG_LEVEL,DropDNSrep:$LOG_LEVEL" +BLACKLIST_DEFAULT="AllowICMPs,Broadcast(DROP),Multicast(DROP),dropNotSyn:$LOG_LEVEL,dropInvalid:$LOG_LEVEL:DropDNSrep:$LOG_LEVEL" DROP_DEFAULT="AllowICMPs,Broadcast(DROP),Multicast(DROP)" NFQUEUE_DEFAULT=none QUEUE_DEFAULT=none diff --git a/Shorewall6/Samples6/three-interfaces/shorewall6.conf b/Shorewall6/Samples6/three-interfaces/shorewall6.conf index ab1a82690..370532b0d 100644 --- a/Shorewall6/Samples6/three-interfaces/shorewall6.conf +++ b/Shorewall6/Samples6/three-interfaces/shorewall6.conf @@ -107,7 +107,7 @@ TC= ############################################################################### ACCEPT_DEFAULT=none -BLACKLIST_DEFAULT="AllowICMPs,Broadcast(DROP),Multicast(DROP),dropNotSyn:$LOG_LEVEL,DropDNSrep:$LOG_LEVEL" +BLACKLIST_DEFAULT="AllowICMPs,Broadcast(DROP),Multicast(DROP),dropNotSyn:$LOG_LEVEL,dropInvalid:$LOG_LEVEL:DropDNSrep:$LOG_LEVEL" DROP_DEFAULT="AllowICMPs,Broadcast(DROP),Multicast(DROP)" NFQUEUE_DEFAULT=none QUEUE_DEFAULT=none diff --git a/Shorewall6/Samples6/two-interfaces/shorewall6.conf b/Shorewall6/Samples6/two-interfaces/shorewall6.conf index f8841b2ac..23e5bd790 100644 --- a/Shorewall6/Samples6/two-interfaces/shorewall6.conf +++ b/Shorewall6/Samples6/two-interfaces/shorewall6.conf @@ -107,7 +107,7 @@ TC= ############################################################################### ACCEPT_DEFAULT=none -BLACKLIST_DEFAULT="AllowICMPs,Broadcast(DROP),Multicast(DROP),dropNotSyn:$LOG_LEVEL,DropDNSrep:$LOG_LEVEL" +BLACKLIST_DEFAULT="AllowICMPs,Broadcast(DROP),Multicast(DROP),dropNotSyn:$LOG_LEVEL,dropInvalid:$LOG_LEVEL:DropDNSrep:$LOG_LEVEL" DROP_DEFAULT="AllowICMPs,Broadcast(DROP),Multicast(DROP)" NFQUEUE_DEFAULT=none QUEUE_DEFAULT=none diff --git a/Shorewall6/configfiles/shorewall6.conf b/Shorewall6/configfiles/shorewall6.conf index bd46e6603..d62e2da44 100644 --- a/Shorewall6/configfiles/shorewall6.conf +++ b/Shorewall6/configfiles/shorewall6.conf @@ -107,7 +107,7 @@ TC= ############################################################################### ACCEPT_DEFAULT=none -BLACKLIST_DEFAULT="AllowICMPs,Broadcast(DROP),Multicast(DROP),dropNotSyn:$LOG_LEVEL,DropDNSrep:$LOG_LEVEL" +BLACKLIST_DEFAULT="AllowICMPs,Broadcast(DROP),Multicast(DROP),dropNotSyn:$LOG_LEVEL,dropInvalid:$LOG_LEVEL:DropDNSrep:$LOG_LEVEL" DROP_DEFAULT="AllowICMPs,Broadcast(DROP),Multicast(DROP)" NFQUEUE_DEFAULT=none QUEUE_DEFAULT=none diff --git a/docs/Actions.xml b/docs/Actions.xml index b08d4f3a2..cdd989d0f 100644 --- a/docs/Actions.xml +++ b/docs/Actions.xml @@ -351,8 +351,8 @@ ACCEPT - - tcp 135,139,445 - The recommended settings for the 6 policy actions for IPv4 are: - + The recommended settings for the 6 policy actions for IPv4 + are: ACCEPT_DEFAULT=none BLACKLIST_DEFAULT="Broadcast(DROP),Multicast(DROP),dropNotSyn:$LOG_LEVEL,dropInvalid:$LOG_LEVEL,DropDNSrep:$LOG_LEVEL" @@ -365,7 +365,7 @@ ACCEPT - - tcp 135,139,445 The recommended settings for IPv6 are: ACCEPT_DEFAULT=none - BLACKLIST_DEFAULT="AllowICMPs,Broadcast(DROP),Multicast(DROP),dropNotSyn:$LOG_LEVEL,DropDNSrep:$LOG_LEVEL" + BLACKLIST_DEFAULT="AllowICMPs,Broadcast(DROP),Multicast(DROP),dropNotSyn:$LOG_LEVEL,dropInvalid:$LOG_LEVEL,DropDNSrep:$LOG_LEVEL" DROP_DEFAULT="AllowICMPs,Broadcast(DROP),Multicast(DROP)" NFQUEUE_DEFAULT=none QUEUE_DEFAULT=none