From 944888c04fba8599fd313be13ff6648fe11d3e16 Mon Sep 17 00:00:00 2001 From: Tom Eastep Date: Wed, 15 Feb 2017 10:16:20 -0800 Subject: [PATCH] Handle broadcast and muticast separately Signed-off-by: Tom Eastep --- Shorewall/Actions/action.Broadcast | 4 -- Shorewall/Actions/action.Drop.deprecated | 3 +- Shorewall/Actions/action.Multicast | 50 ++++++++++++++++ Shorewall/Actions/action.Reject.deprecated | 1 + Shorewall/Perl/Shorewall/Rules.pm | 28 ++++++--- Shorewall/Samples/Universal/shorewall.conf | 12 ++-- .../Samples/one-interface/shorewall.conf | 12 ++-- .../Samples/three-interfaces/shorewall.conf | 12 ++-- .../Samples/two-interfaces/shorewall.conf | 12 ++-- Shorewall/actions.std | 9 ++- Shorewall/configfiles/shorewall.conf | 6 +- Shorewall6/Actions/action.Broadcast | 8 +-- Shorewall6/Actions/action.Multicast | 59 +++++++++++++++++++ Shorewall6/Samples6/Universal/shorewall6.conf | 6 +- .../Samples6/one-interface/shorewall6.conf | 6 +- .../Samples6/three-interfaces/shorewall6.conf | 6 +- .../Samples6/two-interfaces/shorewall6.conf | 6 +- Shorewall6/actions.std | 9 ++- Shorewall6/configfiles/shorewall6.conf | 6 +- docs/Actions.xml | 33 ++++++++++- 20 files changed, 221 insertions(+), 67 deletions(-) create mode 100644 Shorewall/Actions/action.Multicast create mode 100644 Shorewall6/Actions/action.Multicast diff --git a/Shorewall/Actions/action.Broadcast b/Shorewall/Actions/action.Broadcast index a0ffbf859..7bd0de4b5 100644 --- a/Shorewall/Actions/action.Broadcast +++ b/Shorewall/Actions/action.Broadcast @@ -30,7 +30,6 @@ DEFAULTS DROP,- ?if __ADDRTYPE @1 - - - ;; -m addrtype --dst-type BROADCAST -@1 - - - ;; -m addrtype --dst-type MULTICAST @1 - - - ;; -m addrtype --dst-type ANYCAST ?else ?begin perl; 
@@ -50,9 +49,6 @@ add_jump $chainref, $action, 0, "-d \$address "; decr_cmd_level $chainref; add_commands $chainref, 'done'; -log_rule_limit $level, $chainref, 'Broadcast' , $action, '', $tag, 'add', ' -d 224.0.0.0/4 ' if $level ne ''; -add_jump $chainref, $action, 0, '-d 224.0.0.0/4 '; - 1; ?end perl; diff --git a/Shorewall/Actions/action.Drop.deprecated b/Shorewall/Actions/action.Drop.deprecated index c328c929c..8cf6ad823 100644 --- a/Shorewall/Actions/action.Drop.deprecated +++ b/Shorewall/Actions/action.Drop.deprecated @@ -59,9 +59,10 @@ Auth(@2) # AllowICMPs(@4) - - icmp # -# Don't log broadcasts +# Don't log broadcasts or multicasts # Broadcast(DROP,@1) +Multicast(DROP,@1) # # Drop packets that are in the INVALID state -- these are usually ICMP packets # and just confuse people when they appear in the log. diff --git a/Shorewall/Actions/action.Multicast b/Shorewall/Actions/action.Multicast new file mode 100644 index 000000000..6bc789a1d --- /dev/null +++ b/Shorewall/Actions/action.Multicast 
@@ -0,0 +1,50 @@ +# +# Shorewall -- /usr/share/shorewall/action.Multicast +# +# This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt] +# +# (c) 2011-2016 Tom Eastep (teastep@shorewall.net) +# +# Complete documentation is available at http://shorewall.net +# +# This program is free software; you can redistribute it and/or modify +# it under the terms of Version 2 of the GNU General Public License +# as published by the Free Software Foundation. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program; if not, write to the Free Software +# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. +# +# Multicast[([|-[,{audit|-}])] +# +# Default action is DROP +# +############################################################################### + +DEFAULTS DROP,- + +?if __ADDRTYPE +@1 - - - ;; -m addrtype --dst-type MULTICAST +?else +?begin perl; + +use Shorewall::IPAddrs; +use Shorewall::Config; +use Shorewall::Chains; + +my ( $action ) = get_action_params( 1 ); +my $chainref = get_action_chain; +my ( $level, $tag ) = get_action_logging; + +log_rule_limit $level, $chainref, 'Multicast' , $action, '', $tag, 'add', ' -d 224.0.0.0/4 ' if $level ne ''; +add_jump $chainref, $action, 0, '-d 224.0.0.0/4 '; + +1; + +?end perl; +?endif diff --git a/Shorewall/Actions/action.Reject.deprecated b/Shorewall/Actions/action.Reject.deprecated index 4df6aa4ca..da714fc1f 100644 --- a/Shorewall/Actions/action.Reject.deprecated +++ b/Shorewall/Actions/action.Reject.deprecated 
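Review bot: The new IPv4 action.Multicast documents an audit parameter in its header (`Multicast[([|-[,{audit|-}])]`) and is registered as `Multicast noinline,audit` in Shorewall/actions.std later in this commit, but its perl branch reads only one parameter (`my ( $action ) = get_action_params( 1 );`) and never calls require_audit, and the `?if __ADDRTYPE` branch jumps to `@1` alone, so a second `audit` argument is accepted and silently ignored. The IPv6 counterpart added by the same commit reads `my ( $action, $audit ) = get_action_params( 2 );`, derives `my $target = require_audit ( $action , $audit );` and rejects any value other than `audit`, so the two should probably match: either mirror those lines here and jump to `$target` instead of `$action`, or drop the audit parameter from the header and from the actions.std entry. I cannot see from the diff how the `audit` option in actions.std is interpreted, so confirm the exact wiring against the IPv4 action.Broadcast. The copyright range `2011-2016` on a file created in 2017 also looks copied.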
@@ -62,6 +62,7 @@ AllowICMPs(@4) - - icmp # (broadcasts must *not* be rejected). # Broadcast(DROP,@1) +Multicast(DROP,@1) # # Drop packets that are in the INVALID state -- these are usually ICMP packets # and just confuse people when they appear in the log (these ICMPs cannot be diff --git a/Shorewall/Perl/Shorewall/Rules.pm b/Shorewall/Perl/Shorewall/Rules.pm index d8754bc28..8e0264aca 100644 --- a/Shorewall/Perl/Shorewall/Rules.pm +++ b/Shorewall/Perl/Shorewall/Rules.pm @@ -363,7 +363,7 @@ sub initialize( $ ) { @columns = ( ( '-' ) x LAST_COLUMN, 0 ); if ( $family == F_IPV4 ) { - @builtins = qw/dropBcast allowBcast dropNotSyn rejNotSyn allowinUPnP forwardUPnP Limit/; + @builtins = qw/dropBcast dropMcast allowBcast allowMcast dropNotSyn rejNotSyn allowinUPnP forwardUPnP Limit/; %reject_options = ( 'icmp-net-unreachable' => 1, 'icmp-host-unreachable' => 1, 'icmp-port-unreachable' => 1, @@ -375,7 +375,7 @@ sub initialize( $ ) { ); } else { - @builtins = qw/dropBcast allowBcast dropNotSyn rejNotSyn/; + @builtins = qw/dropBcast dropMcast allowBcast allowMcast dropNotSyn rejNotSyn/; %reject_options = ( 'icmp6-no-route' => 1, 'no-route' => 1, 'icmp6-adm-prohibited' => 1, 
@@ -1740,16 +1740,22 @@ sub dropBcast( $$$$ ) { decr_cmd_level $chainref; add_commands $chainref, 'done'; } +} + +sub dropMcast( $$$$ ) { + my ($chainref, $level, $tag, $audit) = @_; + + my $target = require_audit ( 'DROP', $audit ); if ( $family == F_IPV4 ) { - log_irule_limit $level, $chainref, 'dropBcast' , 'DROP', [], $tag, 'add', '', d => '224.0.0.0/4' if $level ne ''; + log_irule_limit $level, $chainref, 'dropMcast' , 'DROP', [], $tag, 'add', '', d => '224.0.0.0/4' if $level ne ''; add_ijump $chainref, j => $target, d => '224.0.0.0/4'; } else { - log_irule_limit( $level, $chainref, 'dropBcast' , 'DROP', [], $tag, 'add', '', d => IPv6_MULTICAST ) if $level ne ''; + log_irule_limit( $level, $chainref, 'dropMcast' , 'DROP', [], $tag, 'add', '', d => IPv6_MULTICAST ) if $level ne ''; add_ijump $chainref, j => $target, d => IPv6_MULTICAST; } } - + sub allowBcast( $$$$ ) { my ($chainref, $level, $tag, $audit) = @_; @@ -1775,12 +1781,18 @@ sub allowBcast( $$$$ ) { decr_cmd_level $chainref; add_commands $chainref, 'done'; } +} + +sub allowMast( $$$$ ) { + my ($chainref, $level, $tag, $audit) = @_; + + my $target = require_audit( 'ACCEPT', $audit ); if ( $family == F_IPV4 ) { - log_irule_limit( $level, $chainref, 'allowBcast' , 'ACCEPT', [], $tag, 'add', '', d => '224.0.0.0/4' ) if $level ne ''; + log_irule_limit( $level, $chainref, 'allowMcast' , 'ACCEPT', [], $tag, 'add', '', d => '224.0.0.0/4' ) if $level ne ''; add_ijump $chainref, j => $target, d => '224.0.0.0/4'; } else { - log_irule_limit( $level, $chainref, 'allowBcast' , 'ACCEPT', '', $tag, 'add', '', d => IPv6_MULTICAST ) if $level ne ''; + log_irule_limit( $level, $chainref, 'allowMcast' , 'ACCEPT', '', $tag, 'add', '', d => IPv6_MULTICAST ) if $level ne ''; add_ijump $chainref, j => $target, d => IPv6_MULTICAST; } } 
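Review bot: The new accept builtin is defined as `sub allowMast( $$$$ ) {` but is registered as `allowMcast` in `@builtins` (the initialize() hunk earlier in this file) and as `'allowMcast' => \&allowMcast` in `%builtinops` (the later hunk), so `\&allowMcast` refers to a subroutine that is never defined and the compiler will die with an undefined-subroutine error the first time a rule uses the allowMcast builtin. The fix is the signature line: `sub allowMcast( $$$$ ) {`. Separately, the IPv6 branch of allowMcast passes `''` as the fifth argument to log_irule_limit where dropMcast and the IPv4 branch pass `[]`; this is inherited from allowBcast, but if that argument is expected to be an array reference it is worth aligning while the code is being touched. Both dropBcast and allowBcast begin outside this hunk; the added `+}` lines close them.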
@@ -1870,7 +1882,9 @@ sub Limit( $$$$ ) { } my %builtinops = ( 'dropBcast' => \&dropBcast, + 'dropMcast' => \&dropMcast, 'allowBcast' => \&allowBcast, + 'allowMcast' => \&allowMcast, 'dropNotSyn' => \&dropNotSyn, 'rejNotSyn' => \&rejNotSyn, 'allowinUPnP' => \&allowinUPnP, diff --git a/Shorewall/Samples/Universal/shorewall.conf b/Shorewall/Samples/Universal/shorewall.conf index 2299674db..f8108629a 100644 --- a/Shorewall/Samples/Universal/shorewall.conf +++ b/Shorewall/Samples/Universal/shorewall.conf @@ -109,12 +109,12 @@ TC= # D E F A U L T A C T I O N S / M A C R O S ############################################################################### -ACCEPT_DEFAULT="none" -BLACKLIST_DEFAULT="Broadcast(DROP),dropInvalid:$LOG_LEVEL,dropNotSyn:$LOG_LEVEL,DropDNSrep:$LOG_LEVEL" -DROP_DEFAULT="Broadcast(DROP)" -NFQUEUE_DEFAULT="none" -QUEUE_DEFAULT="none" -REJECT_DEFAULT="Broadcast(DROP)" +ACCEPT_DEFAULT=none +BLACKLIST_DEFAULT="Broadcast(DROP),Multicast(DROP),dropNotSyn:$LOG_LEVEL,dropInvalid:$LOG_LEVEL,DropDNSrep:$LOG_LEVEL" +DROP_DEFAULT="Broadcast(DROP),Multicast(DROP)" +NFQUEUE_DEFAULT=none +QUEUE_DEFAULT=none +REJECT_DEFAULT="Broadcast(DROP),Multicast(DROP)" ############################################################################### # R S H / R C P C O M M A N D S diff --git a/Shorewall/Samples/one-interface/shorewall.conf b/Shorewall/Samples/one-interface/shorewall.conf index c142f6e3d..ae5e76ccc 100644 --- a/Shorewall/Samples/one-interface/shorewall.conf +++ b/Shorewall/Samples/one-interface/shorewall.conf 
@@ -120,12 +120,12 @@ TC= # D E F A U L T A C T I O N S / M A C R O S ############################################################################### -ACCEPT_DEFAULT="none" -BLACKLIST_DEFAULT="Broadcast(DROP),dropInvalid:$LOG_LEVEL,dropNotSyn:$LOG_LEVEL,DropDNSrep:$LOG_LEVEL" -DROP_DEFAULT="Broadcast(DROP)" -NFQUEUE_DEFAULT="none" -QUEUE_DEFAULT="none" -REJECT_DEFAULT="Broadcast(DROP)" +ACCEPT_DEFAULT=none +BLACKLIST_DEFAULT="Broadcast(DROP),Multicast(DROP),dropNotSyn:$LOG_LEVEL,dropInvalid:$LOG_LEVEL,DropDNSrep:$LOG_LEVEL" +DROP_DEFAULT="Broadcast(DROP),Multicast(DROP)" +NFQUEUE_DEFAULT=none +QUEUE_DEFAULT=none +REJECT_DEFAULT="Broadcast(DROP),Multicast(DROP)" ############################################################################### # R S H / R C P C O M M A N D S diff --git a/Shorewall/Samples/three-interfaces/shorewall.conf b/Shorewall/Samples/three-interfaces/shorewall.conf index e87792e89..1bf693b82 100644 --- a/Shorewall/Samples/three-interfaces/shorewall.conf +++ b/Shorewall/Samples/three-interfaces/shorewall.conf @@ -117,12 +117,12 @@ TC= # D E F A U L T A C T I O N S / M A C R O S ############################################################################### -ACCEPT_DEFAULT="none" -BLACKLIST_DEFAULT="Broadcast(DROP),dropInvalid:$LOG_LEVEL,dropNotSyn:$LOG_LEVEL,DropDNSrep:$LOG_LEVEL" -DROP_DEFAULT="Broadcast(DROP),dropInvalid:$LOG_LEVEL,dropNotSyn:$LOG_LEVEL" -NFQUEUE_DEFAULT="none" -QUEUE_DEFAULT="none" -REJECT_DEFAULT="Broadcast(DROP),dropInvalid:$LOG_LEVEL" +ACCEPT_DEFAULT=none +BLACKLIST_DEFAULT="Broadcast(DROP),Multicast(DROP),dropNotSyn:$LOG_LEVEL,dropInvalid:$LOG_LEVEL,DropDNSrep:$LOG_LEVEL" +DROP_DEFAULT="Broadcast(DROP),Multicast(DROP)" +NFQUEUE_DEFAULT=none +QUEUE_DEFAULT=none +REJECT_DEFAULT="Broadcast(DROP),Multicast(DROP)" ############################################################################### # R S H / R C P C O M M A N D S 
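Review bot: In the three-interfaces sample, the new `DROP_DEFAULT="Broadcast(DROP),Multicast(DROP)"` and `REJECT_DEFAULT="Broadcast(DROP),Multicast(DROP)"` lines also remove `dropInvalid:$LOG_LEVEL` and `dropNotSyn:$LOG_LEVEL`, which the old values of that sample carried and which the other samples in this commit never had. That goes beyond splitting Broadcast into Broadcast and Multicast: INVALID-state and non-SYN TCP packets reaching a DROP or REJECT policy in that sample will presumably no longer be dropped and logged at $LOG_LEVEL by the default action but will be handled by the policy rule itself. If harmonizing the samples is intended, a sentence in the commit description would make that explicit; otherwise keep the two entries, e.g. `DROP_DEFAULT="Broadcast(DROP),Multicast(DROP),dropInvalid:$LOG_LEVEL,dropNotSyn:$LOG_LEVEL"`.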
diff --git a/Shorewall/Samples/two-interfaces/shorewall.conf b/Shorewall/Samples/two-interfaces/shorewall.conf index db1fc30d4..78bab66f8 100644 --- a/Shorewall/Samples/two-interfaces/shorewall.conf +++ b/Shorewall/Samples/two-interfaces/shorewall.conf @@ -120,12 +120,12 @@ TC= # D E F A U L T A C T I O N S / M A C R O S ############################################################################### -ACCEPT_DEFAULT="none" -BLACKLIST_DEFAULT="Broadcast(DROP),dropInvalid:$LOG_LEVEL,dropNotSyn:$LOG_LEVEL,DropDNSrep:$LOG_LEVEL" -DROP_DEFAULT="Broadcast(DROP)" -NFQUEUE_DEFAULT="none" -QUEUE_DEFAULT="none" -REJECT_DEFAULT="Broadcast(DROP)" +ACCEPT_DEFAULT=none +BLACKLIST_DEFAULT="Broadcast(DROP),Multicast(DROP),dropNotSyn:$LOG_LEVEL,dropInvalid:$LOG_LEVEL,DropDNSrep:$LOG_LEVEL" +DROP_DEFAULT="Broadcast(DROP),Multicast(DROP)" +NFQUEUE_DEFAULT=none +QUEUE_DEFAULT=none +REJECT_DEFAULT="Broadcast(DROP),Multicast(DROP)" ############################################################################### # R S H / R C P C O M M A N D S diff --git a/Shorewall/actions.std b/Shorewall/actions.std index 0f3981241..fcf1f15b6 100644 --- a/Shorewall/actions.std +++ b/Shorewall/actions.std @@ -9,8 +9,10 @@ # Builtin Actions are: # ?if 0 -allowBcast # Silently Allow Broadcast/multicast -dropBcast # Silently Drop Broadcast/multicast +allowBcast # Silently Allow Broadcast +allowMcast # Silently Allow Multicast +dropBcast # Silently Drop Broadcast +dropMcast # Silently Drop Multicast dropNotSyn # Silently Drop Non-syn TCP packets rejNotSyn # Silently Reject Non-syn TCP packets allowinUPnP # Allow UPnP inbound (to firewall) traffic 
@@ -27,7 +29,7 @@ allowInvalid inline # Accepts packets in the INVALID conntrack state AutoBL noinline # Auto-blacklist IPs that exceed thesholds AutoBLL noinline # Helper for AutoBL BLACKLIST logjump,section # Add sender to the dynamic blacklist -Broadcast noinline,audit # Handles Broadcast/Multicast/Anycast +Broadcast noinline,audit # Handles Broadcast/Anycast DNSAmp # Matches one-question recursive DNS queries Drop # Default Action for DROP policy (deprecated) dropInvalid inline # Drops packets in the INVALID conntrack state @@ -39,6 +41,7 @@ GlusterFS inline # Handles GlusterFS IfEvent noinline # Perform an action based on an event Invalid inline,audit,\ # Handles packets in the INVALID conntrack state state=INVALID # +Multicast noinline,audit # Handles Multicast New inline,state=NEW # Handles packets in the NEW conntrack state NotSyn inline,audit # Handles TCP packets which do not have SYN=1 and ACK=0 Reject # Default Action for REJECT policy (deprecated) diff --git a/Shorewall/configfiles/shorewall.conf b/Shorewall/configfiles/shorewall.conf index 9393221b5..b73cf34d6 100644 --- a/Shorewall/configfiles/shorewall.conf +++ b/Shorewall/configfiles/shorewall.conf @@ -110,11 +110,11 @@ TC= ############################################################################### ACCEPT_DEFAULT=none -BLACKLIST_DEFAULT="Broadcast(DROP),dropNotSyn:$LOG_LEVEL,dropInvalid:$LOG_LEVEL,DropDNSrep:$LOG_LEVEL" -DROP_DEFAULT="Broadcast(DROP)" +BLACKLIST_DEFAULT="Broadcast(DROP),Multicast(DROP),dropNotSyn:$LOG_LEVEL,dropInvalid:$LOG_LEVEL,DropDNSrep:$LOG_LEVEL" +DROP_DEFAULT="Broadcast(DROP),Multicast(DROP)" NFQUEUE_DEFAULT=none QUEUE_DEFAULT=none -REJECT_DEFAULT="Broadcast(DROP)" +REJECT_DEFAULT="Broadcast(DROP),Multicast(DROP)" ############################################################################### # R S H / R C P C O M M A N D S diff --git a/Shorewall6/Actions/action.Broadcast b/Shorewall6/Actions/action.Broadcast index 35557bbee..761a2e49d 100644 
--- a/Shorewall6/Actions/action.Broadcast +++ b/Shorewall6/Actions/action.Broadcast @@ -45,12 +45,11 @@ fatal_error "Invalid parameter to action Broadcast" if supplied $audit && $aud if ( have_capability( 'ADDRTYPE' ) ) { if ( $level ne '' ) { - log_rule_limit $level, $chainref, 'dropBcast' , $action, '', $tag, 'add', ' -m addrtype --dst-type MULTICAST '; - log_rule_limit $level, $chainref, 'dropBcast' , $action, '', $tag, 'add', ' -m addrtype --dst-type ANYCAST '; + log_rule_limit $level, $chainref, 'Broadcast' , $action, '', $tag, 'add', ' -m addrtype --dst-type BROADCAST '; + log_rule_limit $level, $chainref, 'Broadcast' , $action, '', $tag, 'add', ' -m addrtype --dst-type ANYCAST '; } add_jump $chainref, $target, 0, '-m addrtype --dst-type BROADCAST '; - add_jump $chainref, $target, 0, '-m addrtype --dst-type MULTICAST '; add_jump $chainref, $target, 0, '-m addrtype --dst-type ANYCAST '; } else { add_commands $chainref, 'for address in $ALL_ACASTS; do'; @@ -59,9 +58,6 @@ if ( have_capability( 'ADDRTYPE' ) ) { add_jump $chainref, $target, 0, "-d \$address "; decr_cmd_level $chainref; add_commands $chainref, 'done'; - - log_rule_limit( $level, $chainref, 'Broadcast' , $action, '', $tag, 'add', join( ' ', '-d', IPv6_MULTICAST . ' ' ) ) if $level ne ''; - add_jump $chainref, $target, 0, join( ' ', '-d', IPv6_MULTICAST . ' ' ); } 1; diff --git a/Shorewall6/Actions/action.Multicast b/Shorewall6/Actions/action.Multicast new file mode 100644 index 000000000..68e1dee31 --- /dev/null +++ b/Shorewall6/Actions/action.Multicast 
@@ -0,0 +1,59 @@ +# +# Shorewall6 -- /usr/share/shorewall6/action.Multicast +# +# Multicast/Anycast IPv6 Action +# +# This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt] +# +# (c) 2011-2016 Tom Eastep (teastep@shorewall.net) +# +# Complete documentation is available at http://shorewall.net +# +# This program is free software; you can redistribute it and/or modify +# it under the terms of Version 2 of the GNU General Public License +# as published by the Free Software Foundation. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program; if not, write to the Free Software +# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. +# +# Multicast[([|-[,{audit|-}])] +# +# Default action is DROP +# +############################################################################### + +DEFAULTS DROP,- + +?begin perl; + +use Shorewall::IPAddrs; +use Shorewall::Config; +use Shorewall::Chains; + +my $chainref = get_action_chain; +my ( $action, $audit ) = get_action_params( 2 ); +my ( $level, $tag ) = get_action_logging; +my $target = require_audit ( $action , $audit ); + +fatal_error "Invalid parameter to action Broadcast" if supplied $audit && $audit ne 'audit'; + +if ( have_capability( 'ADDRTYPE' ) ) { + if ( $level ne '' ) { + log_rule_limit $level, $chainref, 'Multicast' , $action, '', $tag, 'add', ' -m addrtype --dst-type MULTICAST '; + } + + add_jump $chainref, $target, 0, '-m addrtype --dst-type MULTICAST '; +} else { + log_rule_limit( $level, $chainref, 'Broadcast' , $action, '', $tag, 'add', join( ' ', '-d', IPv6_MULTICAST . ' ' ) ) if $level ne ''; + add_jump $chainref, $target, 0, join( ' ', '-d', IPv6_MULTICAST . 
' ' ); +} + +1; + +?end perl; diff --git a/Shorewall6/Samples6/Universal/shorewall6.conf b/Shorewall6/Samples6/Universal/shorewall6.conf index 501f9a898..4d6e8518d 100644 --- a/Shorewall6/Samples6/Universal/shorewall6.conf +++ b/Shorewall6/Samples6/Universal/shorewall6.conf @@ -107,11 +107,11 @@ TC= ############################################################################### ACCEPT_DEFAULT=none -BLACKLIST_DEFAULT="AllowICMPs,Broadcast(DROP),dropNotSyn:$LOG_LEVEL,DropDNSrep:$LOG_LEVEL" -DROP_DEFAULT="AllowICMPs,Broadcast(DROP)" +BLACKLIST_DEFAULT="AllowICMPs,Broadcast(DROP),Multicast(DROP),dropNotSyn:$LOG_LEVEL,DropDNSrep:$LOG_LEVEL" +DROP_DEFAULT="AllowICMPs,Broadcast(DROP),Multicast(DROP)" NFQUEUE_DEFAULT=none QUEUE_DEFAULT=none -REJECT_DEFAULT="AllowICMPs,Broadcast(DROP)" +REJECT_DEFAULT="AllowICMPs,Broadcast(DROP),Multicast(DROP)" ############################################################################### # R S H / R C P C O M M A N D S diff --git a/Shorewall6/Samples6/one-interface/shorewall6.conf b/Shorewall6/Samples6/one-interface/shorewall6.conf index f758ff019..2b1550d07 100644 --- a/Shorewall6/Samples6/one-interface/shorewall6.conf +++ b/Shorewall6/Samples6/one-interface/shorewall6.conf @@ -108,11 +108,11 @@ TC= ############################################################################### ACCEPT_DEFAULT=none -BLACKLIST_DEFAULT="AllowICMPs,Broadcast(DROP),dropNotSyn:$LOG_LEVEL,DropDNSrep:$LOG_LEVEL" -DROP_DEFAULT="AllowICMPs,Broadcast(DROP)" +BLACKLIST_DEFAULT="AllowICMPs,Broadcast(DROP),Multicast(DROP),dropNotSyn:$LOG_LEVEL,DropDNSrep:$LOG_LEVEL" +DROP_DEFAULT="AllowICMPs,Broadcast(DROP),Multicast(DROP)" NFQUEUE_DEFAULT=none QUEUE_DEFAULT=none -REJECT_DEFAULT="AllowICMPs,Broadcast(DROP)" +REJECT_DEFAULT="AllowICMPs,Broadcast(DROP),Multicast(DROP)" ############################################################################### # R S H / R C P C O M M A N D S 
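Review bot: The new Shorewall6 action.Multicast still carries Broadcast's identity in two runtime strings: the parameter check reads `fatal_error "Invalid parameter to action Broadcast" if supplied $audit && $audit ne 'audit';`, and the non-ADDRTYPE branch logs under the chain name `'Broadcast'` (`log_rule_limit( $level, $chainref, 'Broadcast' , ...`) while the ADDRTYPE branch uses `'Multicast'`, so error messages and log prefixes for multicast handling will be attributed to Broadcast. Both strings should say `Multicast`. The header comment `# Multicast/Anycast IPv6 Action` is also inaccurate, since anycast remains in action.Broadcast in this same commit.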
diff --git a/Shorewall6/Samples6/three-interfaces/shorewall6.conf b/Shorewall6/Samples6/three-interfaces/shorewall6.conf index e6a7021de..785212b8c 100644 --- a/Shorewall6/Samples6/three-interfaces/shorewall6.conf +++ b/Shorewall6/Samples6/three-interfaces/shorewall6.conf @@ -107,11 +107,11 @@ TC= ############################################################################### ACCEPT_DEFAULT=none -BLACKLIST_DEFAULT="AllowICMPs,Broadcast(DROP),dropNotSyn:$LOG_LEVEL,DropDNSrep:$LOG_LEVEL" -DROP_DEFAULT="AllowICMPs,Broadcast(DROP)" +BLACKLIST_DEFAULT="AllowICMPs,Broadcast(DROP),Multicast(DROP),dropNotSyn:$LOG_LEVEL,DropDNSrep:$LOG_LEVEL" +DROP_DEFAULT="AllowICMPs,Broadcast(DROP),Multicast(DROP)" NFQUEUE_DEFAULT=none QUEUE_DEFAULT=none -REJECT_DEFAULT="AllowICMPs,Broadcast(DROP)" +REJECT_DEFAULT="AllowICMPs,Broadcast(DROP),Multicast(DROP)" ############################################################################### # R S H / R C P C O M M A N D S diff --git a/Shorewall6/Samples6/two-interfaces/shorewall6.conf b/Shorewall6/Samples6/two-interfaces/shorewall6.conf index 5111d120a..c5c71a291 100644 --- a/Shorewall6/Samples6/two-interfaces/shorewall6.conf +++ b/Shorewall6/Samples6/two-interfaces/shorewall6.conf @@ -107,11 +107,11 @@ TC= ############################################################################### ACCEPT_DEFAULT=none -BLACKLIST_DEFAULT="AllowICMPs,Broadcast(DROP),dropNotSyn:$LOG_LEVEL,DropDNSrep:$LOG_LEVEL" -DROP_DEFAULT="AllowICMPs,Broadcast(DROP)" +BLACKLIST_DEFAULT="AllowICMPs,Broadcast(DROP),Multicast(DROP),dropNotSyn:$LOG_LEVEL,DropDNSrep:$LOG_LEVEL" +DROP_DEFAULT="AllowICMPs,Broadcast(DROP),Multicast(DROP)" NFQUEUE_DEFAULT=none QUEUE_DEFAULT=none -REJECT_DEFAULT="AllowICMPs,Broadcast(DROP)" +REJECT_DEFAULT="AllowICMPs,Broadcast(DROP),Multicast(DROP)" ############################################################################### # R S H / R C P C O M M A N D S 
diff --git a/Shorewall6/actions.std b/Shorewall6/actions.std index 89994371c..3537dfe1f 100644 --- a/Shorewall6/actions.std +++ b/Shorewall6/actions.std @@ -9,8 +9,10 @@ # Builtin Actions are: # ?if 0 -allowBcasts # Accept multicast and anycast packets -dropBcasts # Silently Drop multicast and anycast packets +allowBcasts # Accept anycast packets +allowMcasts # Accept multicast packets +dropBcasts # Silently Drop anycast packets +dropMcasts # Silently Drop multicast packets dropNotSyn # Silently Drop Non-syn TCP packets rejNotSyn # Silently Reject Non-syn TCP packets ?endif @@ -23,7 +25,7 @@ AllowICMPs # Accept needed ICMP6 types allowInvalid inline # Accepts packets in the INVALID conntrack state AutoBL noinline # Auto-blacklist IPs that exceed thesholds AutoBLL noinline # Helper for AutoBL -Broadcast noinline # Handles Broadcast/Multicast/Anycast +Broadcast noinline # Handles Broadcast/Anycast Drop # Default Action for DROP policy (deprecated) dropInvalid inline # Drops packets in the INVALID conntrack state DropDNSrep inline # Drops DNS replies @@ -33,6 +35,7 @@ Established inline,\ # Handles packets in the ESTABLISHED state IfEvent noinline # Perform an action based on an event Invalid inline,audit,\ # Handles packets in the INVALID conntrack state state=INVALID +Multicast noinline # Handles Multicast New inline,state=NEW # Handles packets in the NEW conntrack state NotSyn inline # Handles TCP packets that do not have SYN=1 and ACK=0 Reject # Default Action for REJECT policy (deprecated) diff --git a/Shorewall6/configfiles/shorewall6.conf b/Shorewall6/configfiles/shorewall6.conf index e586daa84..abdf48426 100644 --- a/Shorewall6/configfiles/shorewall6.conf +++ b/Shorewall6/configfiles/shorewall6.conf 
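Review bot: The commented builtin list in Shorewall6/actions.std now names `allowMcasts` and `dropMcasts` (and keeps `allowBcasts`/`dropBcasts`), but the IPv6 `@builtins` list in Shorewall/Perl/Shorewall/Rules.pm in this same commit is `qw/dropBcast dropMcast allowBcast allowMcast dropNotSyn rejNotSyn/`, without the trailing s. Unless the plural names are resolved somewhere not shown in the diff, a user copying them from this file would get an unknown-action error; the lines should read `allowMcast # Accept multicast packets` and `dropMcast # Silently Drop multicast packets`, with the Bcast pair fixed the same way. The Shorewall (IPv4) actions.std hunk already uses the singular forms, so the two files would then agree.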
@@ -107,11 +107,11 @@ TC= ############################################################################### ACCEPT_DEFAULT=none -BLACKLIST_DEFAULT="AllowICMPs,Broadcast(DROP)s,dropNotSyn:$LOG_LEVEL,DropDNSrep:$LOG_LEVEL" -DROP_DEFAULT="AllowICMPs,Broadcast(DROP)" +BLACKLIST_DEFAULT="AllowICMPs,Broadcast(DROP),Multicast(DROP),dropNotSyn:$LOG_LEVEL,DropDNSrep:$LOG_LEVEL" +DROP_DEFAULT="AllowICMPs,Broadcast(DROP),Multicast(DROP)" NFQUEUE_DEFAULT=none QUEUE_DEFAULT=none -REJECT_DEFAULT="AllowICMPs,Broadcast(DROP)" +REJECT_DEFAULT="AllowICMPs,Broadcast(DROP),Multicast(DROP)" ############################################################################### # R S H / R C P C O M M A N D S diff --git a/docs/Actions.xml b/docs/Actions.xml index 270aa4436..3e26f09a6 100644 --- a/docs/Actions.xml +++ b/docs/Actions.xml @@ -299,7 +299,17 @@ ACCEPT - - tcp 135,139,445 Broadcast[(disposition)] - Handles broadcasts and multicasts based on the + Handles broadcasts based on the + disposition. The default + disposition is DROP. + + + + + Multicast[(disposition)] + + + Handles multicasts based on the disposition. The default disposition is DROP. @@ -340,6 +350,27 @@ ACCEPT - - tcp 135,139,445 + + The recommended settings for the 6 policy actions for IPv4 are: + + + ACCEPT_DEFAULT=none + BLACKLIST_DEFAULT="Broadcast(DROP),Multicast(DROP),dropNotSyn:$LOG_LEVEL,dropInvalid:$LOG_LEVEL,DropDNSrep:$LOG_LEVEL" + DROP_DEFAULT="Broadcast(DROP),Multicast(DROP)" + NFQUEUE_DEFAULT=none + QUEUE_DEFAULT=none + REJECT_DEFAULT="Broadcast(DROP),Multicast(DROP)" + + + The recommended settings for IPv6 are: + + ACCEPT_DEFAULT=none + BLACKLIST_DEFAULT="AllowICMPs,Broadcast(DROP),Multicast(DROP),dropNotSyn:$LOG_LEVEL,DropDNSrep:$LOG_LEVEL" + DROP_DEFAULT="AllowICMPs,Broadcast(DROP),Multicast(DROP)" + NFQUEUE_DEFAULT=none + QUEUE_DEFAULT=none + REJECT_DEFAULT="AllowICMPs,Broadcast(DROP),Multicast(DROP)" +