From 863881841a29c07496028e4ccf52b958814c3216 Mon Sep 17 00:00:00 2001
From: Tom Eastep
Date: Sun, 3 Jul 2011 17:14:36 -0700
Subject: [PATCH] Add action.Invalid and action.NotSyn and modify action.Drop and action.Reject to use them
Signed-off-by: Tom Eastep
---
 Shorewall/action.Drop | 4 ++--
 Shorewall/action.Invalid | 52 ++++++++++++++++++++++++++++++++++++++++
 Shorewall/action.NotSyn | 52 ++++++++++++++++++++++++++++++++++++++++
 Shorewall/action.Reject | 4 ++--
 Shorewall/actions.std | 2 ++
 5 files changed, 110 insertions(+), 4 deletions(-)
 create mode 100644 Shorewall/action.Invalid
 create mode 100644 Shorewall/action.NotSyn
diff --git a/Shorewall/action.Drop b/Shorewall/action.Drop
index 961144e48..1c307393f 100644
--- a/Shorewall/action.Drop
+++ b/Shorewall/action.Drop
@@ -79,7 +79,7 @@ AllowICMPs($4) - - icmp
 # Drop packets that are in the INVALID state -- these are usually ICMP packets
 # and just confuse people when they appear in the log.
 #
-dropInvalid($1)
+Invalid(DROP,$1)
 #
 # Drop Microsoft noise so that it doesn't clutter up the log.
 #
@@ -88,7 +88,7 @@ DropUPnP($5)
 #
 # Drop 'newnotsyn' traffic so that it doesn't get logged.
 #
-dropNotSyn($1) - - tcp
+NotSyn(DROP,$1) - - tcp
 #
 # Drop late-arriving DNS replies. These are just a nuisance and clutter up
 # the log.
diff --git a/Shorewall/action.Invalid b/Shorewall/action.Invalid
new file mode 100644
index 000000000..b315bbb96
--- /dev/null
+++ b/Shorewall/action.Invalid
@@ -0,0 +1,52 @@
+#
+# Shorewall 4 - Invalid Action
+#
+# /usr/share/shorewall/action.Invalid
+#
+# This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
+#
+# (c) 2011 - Tom Eastep (teastep@shorewall.net)
+#
+# Complete documentation is available at http://shorewall.net
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of Version 2 of the GNU General Public License
+# as published by the Free Software Foundation.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+#
+# Invalid[([|-[,{audit|-}])]
+#
+# Default action is DROP
+#
+##########################################################################################
+FORMAT 2
+
+DEFAULTS DROP,-
+
+BEGIN PERL;
+
+use Shorewall::IPAddrs;
+use Shorewall::Config;
+use Shorewall::Chains;
+
+my $chainref = get_action_chain;
+my ( $action, $audit ) = get_action_params( 2 );
+my ( $level, $tag ) = get_action_logging;
+my $target = require_audit ( $action , $audit );
+
+fatal_error "Invalid parameter to action Invalid" if supplied $audit && $audit ne 'audit';
+
+log_rule_limit $level, $chainref, 'Invalid' , $action, '', $tag, 'add', "$globals{STATEMATCH} INVALID " if $level ne '';
+add_jump $chainref , $target, 0, "$globals{STATEMATCH} INVALID ";
+
+1;
+
+END PERL;
diff --git a/Shorewall/action.NotSyn b/Shorewall/action.NotSyn
new file mode 100644
index 000000000..0ac38da28
--- /dev/null
+++ b/Shorewall/action.NotSyn
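Review bot: `my $target = require_audit ( $action , $audit );` runs one line before the `fatal_error` that rejects an unrecognised second parameter, so a bad value reaches require_audit before it is validated; move `fatal_error "Invalid parameter to action Invalid" if supplied $audit && $audit ne 'audit';` above the `require_audit` call. The first parameter is passed through with no check of its own, so unless require_audit restricts it, limiting it to the targets this action is meant to take (action.Drop and action.Reject pass DROP) with a similar `fatal_error` would fail earlier and with a clearer message. The usage line `# Invalid[([|-[,{audit|-}])]` seems to have lost the name of its first parameter, possibly a placeholder stripped in rendering; it should say that the first parameter is the target and that it defaults to DROP, matching `DEFAULTS DROP,-`.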
@@ -0,0 +1,52 @@
+#
+# Shorewall 4 - NotSyn Action
+#
+# /usr/share/shorewall/action.NotSyn
+#
+# This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
+#
+# (c) 2011 - Tom Eastep (teastep@shorewall.net)
+#
+# Complete documentation is available at http://shorewall.net
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of Version 2 of the GNU General Public License
+# as published by the Free Software Foundation.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+#
+# NotSyn[([|-[,{audit|-}])]
+#
+# Default action is DROP
+#
+##########################################################################################
+FORMAT 2
+
+DEFAULTS DROP,-
+
+BEGIN PERL;
+
+use Shorewall::IPAddrs;
+use Shorewall::Config;
+use Shorewall::Chains;
+
+my $chainref = get_action_chain;
+my ( $action, $audit ) = get_action_params( 2 );
+my ( $level, $tag ) = get_action_logging;
+my $target = require_audit ( $action , $audit );
+
+fatal_error "Invalid parameter to action NotSyn" if supplied $audit && $audit ne 'audit';
+
+log_rule_limit $level, $chainref, 'NotSyn' , $action, '', $tag, 'add', '-p 6 ! --syn ' if $level ne '';
+add_jump $chainref , $target, 0, '-p 6 ! --syn ';
+
+1;
+
+END PERL;
diff --git a/Shorewall/action.Reject b/Shorewall/action.Reject
index 3c4fc8be8..fdda766b1 100644
--- a/Shorewall/action.Reject
+++ b/Shorewall/action.Reject
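Review bot: The match `'-p 6 ! --syn '` negates iptables' `--syn`, which requires SYN set and ACK, RST and FIN all clear, so segments carrying SYN+FIN or SYN+RST are also handled by this action; the header only says `Default action is DROP` and should state the match, e.g. `# Matches TCP segments that are not a plain connection-opening SYN (iptables ! --syn: SYN=1 with ACK, RST and FIN all 0)`. As in action.Invalid, `require_audit ( $action , $audit )` is called before the `fatal_error` that validates `$audit`, so swapping those two lines keeps the check ahead of the first use. Since `-p 6` is hard-coded in the rule, the `tcp` PROTO column that action.Drop and action.Reject pass alongside `NotSyn(DROP,$1)` is redundant, though harmless.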
@@ -77,7 +77,7 @@ AllowICMPs($4) - - icmp
 # and just confuse people when they appear in the log (these ICMPs cannot be
 # rejected).
 #
-dropInvalid($1)
+Invalid(DROP,$1)
 #
 # Reject Microsoft noise so that it doesn't clutter up the log.
 #
@@ -86,7 +86,7 @@ DropUPnP($5)
 #
 # Drop 'newnotsyn' traffic so that it doesn't get logged.
 #
-dropNotSyn($1) - - tcp
+NotSyn(DROP,$1) - - tcp
 #
 # Drop late-arriving DNS replies. These are just a nuisance and clutter up
 # the log.
diff --git a/Shorewall/actions.std b/Shorewall/actions.std
index 6a9ad9ced..64e24bf8f 100644
--- a/Shorewall/actions.std
+++ b/Shorewall/actions.std
@@ -37,4 +37,6 @@ A_Drop # Audited Default Action for DROP policy
 A_Reject # Audited Default action for REJECT policy
 Broadcast # Handles Broadcast/Multicast/Anycast
 Drop # Default Action for DROP policy
+Invalid # Handles packets in the INVALID conntrack state
+NotSyn # Handles TCP packets which do not have SYN=1 and ACK=0
 Reject # Default Action for REJECT policy
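Review bot: The new description `NotSyn # Handles TCP packets which do not have SYN=1 and ACK=0` understates the match in action.NotSyn, which is `! --syn` and therefore also requires RST and FIN to be clear; a segment with SYN=1, ACK=0 and FIN=1 is handled by NotSyn as well. Suggest `NotSyn # Handles TCP packets that are not a plain SYN (iptables ! --syn)`. The `Invalid` entry matches its action's `$globals{STATEMATCH} INVALID` rule as written.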