From 8c9fb501fd9450926ad0fc689e2fe875cc4f9520 Mon Sep 17 00:00:00 2001
From: Tom Eastep
Date: Sat, 11 Feb 2017 13:41:28 -0800
Subject: [PATCH] Adjust .conf files
Signed-off-by: Tom Eastep
---
 Shorewall/Samples/Universal/shorewall.conf | 6 +++---
 Shorewall/Samples/one-interface/shorewall.conf | 6 +++---
 Shorewall/Samples/three-interfaces/shorewall.conf | 6 +++---
 Shorewall/Samples/two-interfaces/shorewall.conf | 6 +++---
 Shorewall/configfiles/shorewall.conf | 6 +++---
 Shorewall6/Samples6/Universal/shorewall6.conf | 6 +++---
 Shorewall6/Samples6/one-interface/shorewall6.conf | 4 ++--
 Shorewall6/Samples6/three-interfaces/shorewall6.conf | 4 ++--
 Shorewall6/Samples6/two-interfaces/shorewall6.conf | 4 ++--
 Shorewall6/actions.std | 1 +
 Shorewall6/configfiles/shorewall6.conf | 6 +++---
 11 files changed, 28 insertions(+), 27 deletions(-)
diff --git a/Shorewall/Samples/Universal/shorewall.conf b/Shorewall/Samples/Universal/shorewall.conf
index 015d9b23d..fd4ef60a4 100644
--- a/Shorewall/Samples/Universal/shorewall.conf
+++ b/Shorewall/Samples/Universal/shorewall.conf
@@ -108,11 +108,11 @@ TC=
 ###############################################################################
 ACCEPT_DEFAULT="none"
-BLACKLIST_DEFAULT="dropBcast,dropInvalid:$LOG,dropNotSyn:$LOG"
-DROP_DEFAULT="dropBcast,dropInvalid:$LOG,dropNotSyn:$LOG"
+BLACKLIST_DEFAULT="Broadcast(DROP),dropInvalid:$LOG,dropNotSyn:$LOG,DropDNSrep:$LOG"
+DROP_DEFAULT="Broadcast(DROP)"
 NFQUEUE_DEFAULT="none"
 QUEUE_DEFAULT="none"
-REJECT_DEFAULT="dropBcast,dropInvalid:$LOG"
+REJECT_DEFAULT="Broadcast(DROP)"
 ###############################################################################
 # R S H / R C P C O M M A N D S
diff --git a/Shorewall/Samples/one-interface/shorewall.conf b/Shorewall/Samples/one-interface/shorewall.conf
index e5723282e..d3e440967 100644
--- a/Shorewall/Samples/one-interface/shorewall.conf
+++ b/Shorewall/Samples/one-interface/shorewall.conf
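Review bot: The new `DROP_DEFAULT="Broadcast(DROP)"` and `REJECT_DEFAULT="Broadcast(DROP)"` in this hunk no longer run `dropInvalid:$LOG` (and, for DROP, `dropNotSyn:$LOG`), and neither the commit message nor the file says where those packets are handled now. Presumably they fall through to the policy's own disposition and log level, which for a REJECT policy would mean answering INVALID-state packets rather than dropping them; that is worth confirming before the samples ship. The same reduction is made in the one-interface, two-interfaces and configfiles shorewall.conf hunks, and the shorewall6.conf hunks drop `dropNotSyn:$LOG` from DROP_DEFAULT in the same way. If the change is intended, a comment above the settings such as `# dropInvalid/dropNotSyn intentionally omitted from DROP_DEFAULT and REJECT_DEFAULT` would tell administrators who copy these files that the omission is deliberate.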
@@ -119,11 +119,11 @@ TC=
 ###############################################################################
 ACCEPT_DEFAULT="none"
-BLACKLIST_DEFAULT="dropBcast,dropInvalid:$LOG,dropNotSyn:$LOG"
-DROP_DEFAULT="dropBcast,dropInvalid:$LOG,dropNotSyn:$LOG"
+BLACKLIST_DEFAULT="Broadcast(DROP),dropInvalid:$LOG,dropNotSyn:$LOG,DropDNSrep:$LOG"
+DROP_DEFAULT="Broadcast(DROP)"
 NFQUEUE_DEFAULT="none"
 QUEUE_DEFAULT="none"
-REJECT_DEFAULT="dropBcast,dropInvalid:$LOG"
+REJECT_DEFAULT="Broadcast(DROP)"
 ###############################################################################
 # R S H / R C P C O M M A N D S
diff --git a/Shorewall/Samples/three-interfaces/shorewall.conf b/Shorewall/Samples/three-interfaces/shorewall.conf
index c5f507c59..04a5938e2 100644
--- a/Shorewall/Samples/three-interfaces/shorewall.conf
+++ b/Shorewall/Samples/three-interfaces/shorewall.conf
@@ -116,11 +116,11 @@ TC=
 ###############################################################################
 ACCEPT_DEFAULT="none"
-BLACKLIST_DEFAULT="dropBcast,dropInvalid:$LOG,dropNotSyn:$LOG"
-DROP_DEFAULT="dropBcast,dropInvalid:$LOG,dropNotSyn:$LOG"
+BLACKLIST_DEFAULT="Broadcast(DROP),dropInvalid:$LOG,dropNotSyn:$LOG,DropDNSrep:$LOG"
+DROP_DEFAULT="Broadcast(DROP),dropInvalid:$LOG,dropNotSyn:$LOG"
 NFQUEUE_DEFAULT="none"
 QUEUE_DEFAULT="none"
-REJECT_DEFAULT="dropBcast,dropInvalid:$LOG"
+REJECT_DEFAULT="Broadcast(DROP),dropInvalid:$LOG"
 ###############################################################################
 # R S H / R C P C O M M A N D S
diff --git a/Shorewall/Samples/two-interfaces/shorewall.conf b/Shorewall/Samples/two-interfaces/shorewall.conf
index fbcc7d659..c012c28f6 100644
--- a/Shorewall/Samples/two-interfaces/shorewall.conf
+++ b/Shorewall/Samples/two-interfaces/shorewall.conf
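Review bot: The three-interfaces hunk keeps `dropInvalid:$LOG,dropNotSyn:$LOG` in DROP_DEFAULT and `dropInvalid:$LOG` in REJECT_DEFAULT, while every other IPv4 shorewall.conf in this patch reduces both settings to `"Broadcast(DROP)"`. It looks as if only the `dropBcast` token was replaced here and the rest of the adjustment was missed, so this sample would treat INVALID and non-SYN packets differently from its siblings. If the samples are meant to agree, the two lines should read `DROP_DEFAULT="Broadcast(DROP)"` and `REJECT_DEFAULT="Broadcast(DROP)"`; if the difference is deliberate, a comment in the file should say why.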
@@ -119,11 +119,11 @@ TC=
 ###############################################################################
 ACCEPT_DEFAULT="none"
-BLACKLIST_DEFAULT="dropBcast,dropInvalid:$LOG,dropNotSyn:$LOG"
-DROP_DEFAULT="dropBcast,dropInvalid:$LOG,dropNotSyn:$LOG"
+BLACKLIST_DEFAULT="Broadcast(DROP),dropInvalid:$LOG,dropNotSyn:$LOG,DropDNSrep:$LOG"
+DROP_DEFAULT="Broadcast(DROP)"
 NFQUEUE_DEFAULT="none"
 QUEUE_DEFAULT="none"
-REJECT_DEFAULT="dropBcast,dropInvalid:$LOG"
+REJECT_DEFAULT="Broadcast(DROP)"
 ###############################################################################
 # R S H / R C P C O M M A N D S
diff --git a/Shorewall/configfiles/shorewall.conf b/Shorewall/configfiles/shorewall.conf
index 12561acbf..bab3ee0b0 100644
--- a/Shorewall/configfiles/shorewall.conf
+++ b/Shorewall/configfiles/shorewall.conf
@@ -108,11 +108,11 @@ TC=
 ###############################################################################
 ACCEPT_DEFAULT=none
-BLACKLIST_DEFAULT=dropBcasts,dropNotSyn:$LOG,dropInvalid:$LOG
-DROP_DEFAULT=dropBcasts,dropNotSyn:$LOG,dropInvalid:$LOG
+BLACKLIST_DEFAULT="Broadcast(DROP),dropNotSyn:$LOG,dropInvalid:$LOG,DropDNSrep:$LOG"
+DROP_DEFAULT="Broadcast(DROP)"
 NFQUEUE_DEFAULT=none
 QUEUE_DEFAULT=none
-REJECT_DEFAULT=dropBcasts,dropInvalid:$LOG
+REJECT_DEFAULT="Broadcast(DROP)"
 ###############################################################################
 # R S H / R C P C O M M A N D S
diff --git a/Shorewall6/Samples6/Universal/shorewall6.conf b/Shorewall6/Samples6/Universal/shorewall6.conf
index 3cb45e8b8..644f69a01 100644
--- a/Shorewall6/Samples6/Universal/shorewall6.conf
+++ b/Shorewall6/Samples6/Universal/shorewall6.conf
@@ -72,7 +72,7 @@ UNTRACKED_LOG_LEVEL=
 # L O C A T I O N O F F I L E S A N D D I R E C T O R I E S
 ###############################################################################
-CONFIG_PATH=${CONFDIR}/shorewall6:${SHAREDIR}/shorewall6:${SHAREDIR}/shorewall
+CONFIG_PATH=${SHAREDIR}/shorewall6:${SHAREDIR}/shorewall
 GEOIPDIR=/usr/share/xt_geoip/LE
@@ -105,8 +105,8 @@ TC=
 ###############################################################################
 ACCEPT_DEFAULT=none
-BLACKLIST_DEFAULT="AllowICMPs,Broadcast(DROP),dropNotSyn:$LOG"
-DROP_DEFAULT="AllowICMPs,Broadcast(DROP),dropNotSyn:$LOG"
+BLACKLIST_DEFAULT="AllowICMPs,Broadcast(DROP),dropNotSyn:$LOG,DropDNSrep:$LOG"
+DROP_DEFAULT="AllowICMPs,Broadcast(DROP)"
 NFQUEUE_DEFAULT=none
 QUEUE_DEFAULT=none
 REJECT_DEFAULT="AllowICMPs,Broadcast(DROP)"
diff --git a/Shorewall6/Samples6/one-interface/shorewall6.conf b/Shorewall6/Samples6/one-interface/shorewall6.conf
index 737057345..d3e1bef26 100644
--- a/Shorewall6/Samples6/one-interface/shorewall6.conf
+++ b/Shorewall6/Samples6/one-interface/shorewall6.conf
@@ -106,8 +106,8 @@ TC=
 ###############################################################################
 ACCEPT_DEFAULT=none
-BLACKLIST_DEFAULT="AllowICMPs,Broadcast(DROP),dropNotSyn:$LOG"
-DROP_DEFAULT="AllowICMPs,Broadcast(DROP),dropNotSyn:$LOG"
+BLACKLIST_DEFAULT="AllowICMPs,Broadcast(DROP),dropNotSyn:$LOG,DropDNSrep:$LOG"
+DROP_DEFAULT="AllowICMPs,Broadcast(DROP)"
 NFQUEUE_DEFAULT=none
 QUEUE_DEFAULT=none
 REJECT_DEFAULT="AllowICMPs,Broadcast(DROP)"
diff --git a/Shorewall6/Samples6/three-interfaces/shorewall6.conf b/Shorewall6/Samples6/three-interfaces/shorewall6.conf
index f147208ec..9204fcfe3 100644
--- a/Shorewall6/Samples6/three-interfaces/shorewall6.conf
+++ b/Shorewall6/Samples6/three-interfaces/shorewall6.conf
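Review bot: The first hunk of Samples6/Universal/shorewall6.conf removes `${CONFDIR}/shorewall6` from CONFIG_PATH, which is unrelated to the default-action adjustment and is not mentioned in the commit message. With the new value `CONFIG_PATH=${SHAREDIR}/shorewall6:${SHAREDIR}/shorewall`, files an administrator places under `${CONFDIR}/shorewall6` would presumably no longer be searched, so the compiled ruleset could differ from what the local configuration directory suggests. None of the other shorewall6.conf files in this patch changes CONFIG_PATH. If the removal is accidental, restore `CONFIG_PATH=${CONFDIR}/shorewall6:${SHAREDIR}/shorewall6:${SHAREDIR}/shorewall`; if it is intended for the Universal sample, say so in a comment next to the setting.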
@@ -105,8 +105,8 @@ TC=
 ###############################################################################
 ACCEPT_DEFAULT=none
-BLACKLIST_DEFAULT="AllowICMPs,Broadcast(DROP),dropNotSyn:$LOG"
-DROP_DEFAULT="AllowICMPs,Broadcast(DROP),dropNotSyn:$LOG"
+BLACKLIST_DEFAULT="AllowICMPs,Broadcast(DROP),dropNotSyn:$LOG,DropDNSrep:$LOG"
+DROP_DEFAULT="AllowICMPs,Broadcast(DROP)"
 NFQUEUE_DEFAULT=none
 QUEUE_DEFAULT=none
 REJECT_DEFAULT="AllowICMPs,Broadcast(DROP)"
diff --git a/Shorewall6/Samples6/two-interfaces/shorewall6.conf b/Shorewall6/Samples6/two-interfaces/shorewall6.conf
index 1cba7dc86..e379ddc45 100644
--- a/Shorewall6/Samples6/two-interfaces/shorewall6.conf
+++ b/Shorewall6/Samples6/two-interfaces/shorewall6.conf
@@ -105,8 +105,8 @@ TC=
 ###############################################################################
 ACCEPT_DEFAULT=none
-BLACKLIST_DEFAULT="AllowICMPs,Broadcast(DROP),dropNotSyn:$LOG"
-DROP_DEFAULT="AllowICMPs,Broadcast(DROP),dropNotSyn:$LOG"
+BLACKLIST_DEFAULT="AllowICMPs,Broadcast(DROP),dropNotSyn:$LOG,DropDNSrep:$LOG"
+DROP_DEFAULT="AllowICMPs,Broadcast(DROP)"
 NFQUEUE_DEFAULT=none
 QUEUE_DEFAULT=none
 REJECT_DEFAULT="AllowICMPs,Broadcast(DROP)"
diff --git a/Shorewall6/actions.std b/Shorewall6/actions.std
index 96404a848..327bdd685 100644
--- a/Shorewall6/actions.std
+++ b/Shorewall6/actions.std
@@ -26,6 +26,7 @@ AutoBLL noinline # Helper for AutoBL
 Broadcast noinline # Handles Broadcast/Multicast/Anycast
 Drop # Default Action for DROP policy
 dropInvalid inline # Drops packets in the INVALID conntrack state
+DropDNSrep inline # Drops DNS replies
 DropSmurfs noinline # Handles packets with a broadcast source address
 Established inline,\ # Handles packets in the ESTABLISHED state
 state=ESTABLISHED
diff --git a/Shorewall6/configfiles/shorewall6.conf b/Shorewall6/configfiles/shorewall6.conf
index b5c5fdff4..018e4a27d 100644
--- a/Shorewall6/configfiles/shorewall6.conf
+++ b/Shorewall6/configfiles/shorewall6.conf
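Review bot: `DropDNSrep` is registered in this hunk for Shorewall6 only, yet the same patch adds `DropDNSrep:$LOG` to BLACKLIST_DEFAULT in all five IPv4 shorewall.conf files as well. Neither Shorewall/actions.std nor an action file defining DropDNSrep is part of this patch, so both presumably exist already. That is worth confirming, since a default action list naming an undeclared action would leave the blacklist path misconfigured. Noting in the commit message where the action is defined would make the patch reviewable on its own.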
@@ -105,11 +105,11 @@ TC=
 ###############################################################################
 ACCEPT_DEFAULT=none
-BLACKLIST_DEFAULT=AllowICMPs,dropBcasts,dropNotSyn:$LOG
-DROP_DEFAULT=AllowICMPs,dropBcasts,dropNotSyn:$LOG
+BLACKLIST_DEFAULT="AllowICMPs,Broadcast(DROP)s,dropNotSyn:$LOG,DropDNSrep:$LOG"
+DROP_DEFAULT="AllowICMPs,Broadcast(DROP)"
 NFQUEUE_DEFAULT=none
 QUEUE_DEFAULT=none
-REJECT_DEFAULT=AllowICMPs,dropBcasts
+REJECT_DEFAULT="AllowICMPs,Broadcast(DROP)"
 ###############################################################################
 # R S H / R C P C O M M A N D S
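Review bot: The new BLACKLIST_DEFAULT in this hunk contains `Broadcast(DROP)s`, with a stray `s` that appears to be left over from replacing `dropBcast` inside the old `dropBcasts`. That token does not match the `Broadcast(DROP)` invocation used on the DROP_DEFAULT and REJECT_DEFAULT lines just below it, so it will presumably be rejected or misparsed when the default action list is processed. The line should read `BLACKLIST_DEFAULT="AllowICMPs,Broadcast(DROP),dropNotSyn:$LOG,DropDNSrep:$LOG"`.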