Handle broadcast and muticast separately

Signed-off-by: Tom Eastep <teastep@shorewall.net>
2025-01-03 03:59:16 +01:00 · 2017-02-15 10:16:20 -08:00 · 2017-02-15 10:16:20 -08:00 · 944888c04f
commit 944888c04f
parent 48d301b2cf
20 changed files with 221 additions and 67 deletions
--- a/Shorewall/Actions/action.Broadcast
+++ b/Shorewall/Actions/action.Broadcast
@ -30,7 +30,6 @@ DEFAULTS DROP,-
 ?if __ADDRTYPE
@1	-	-	-	;; -m addrtype --dst-type BROADCAST
@1	-	-	-	;; -m addrtype --dst-type MULTICAST
@1	-	-	-	;; -m addrtype --dst-type ANYCAST
 ?else
 ?begin perl;
@ -50,9 +49,6 @@ add_jump $chainref, $action, 0, "-d \$address ";
 decr_cmd_level $chainref;
 add_commands $chainref, 'done';
 log_rule_limit $level, $chainref, 'Broadcast' , $action, '', $tag, 'add', ' -d 224.0.0.0/4 ' if $level ne '';
 add_jump $chainref, $action, 0, '-d 224.0.0.0/4 ';
 1;
 ?end perl;
--- a/Shorewall/Actions/action.Drop.deprecated
+++ b/Shorewall/Actions/action.Drop.deprecated
@ -59,9 +59,10 @@ Auth(@2)
 #
 AllowICMPs(@4)	-	-	icmp
 #
-# Don't log broadcasts
+# Don't log broadcasts or multicasts
 #
 Broadcast(DROP,@1)
 Multicast(DROP,@1)
 #
 # Drop packets that are in the INVALID state -- these are usually ICMP packets
 # and just confuse people when they appear in the log.
--- a/Shorewall/Actions/action.Multicast
+++ b/Shorewall/Actions/action.Multicast
@ -0,0 +1,50 @@
 #
 # Shorewall -- /usr/share/shorewall/action.Multicast
 #
 # This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
 #
 # (c) 2011-2016 Tom Eastep (teastep@shorewall.net)
 #
 # Complete documentation is available at http://shorewall.net
 #
 # This program is free software; you can redistribute it and/or modify
 # it under the terms of Version 2 of the GNU General Public License
 # as published by the Free Software Foundation.
 #
 # This program is distributed in the hope that it will be useful,
 # but WITHOUT ANY WARRANTY; without even the implied warranty of
 # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
 # GNU General Public License for more details.
 #
 # You should have received a copy of the GNU General Public License
 # along with this program; if not, write to the Free Software
 # Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
 #
 # Multicast[([<action>|-[,{audit|-}])]
 #
 # Default action is DROP
 #
 ###############################################################################
 DEFAULTS DROP,-
 ?if __ADDRTYPE
@1	-	-	-	;; -m addrtype --dst-type MULTICAST
 ?else
 ?begin perl;
 use Shorewall::IPAddrs;
 use Shorewall::Config;
 use Shorewall::Chains;
 my ( $action )         = get_action_params( 1 );
 my $chainref           = get_action_chain;
 my ( $level, $tag )    = get_action_logging;
 log_rule_limit $level, $chainref, 'Multicast' , $action, '', $tag, 'add', ' -d 224.0.0.0/4 ' if $level ne '';
 add_jump $chainref, $action, 0, '-d 224.0.0.0/4 ';
 1;
 ?end perl;
 ?endif
--- a/Shorewall/Actions/action.Reject.deprecated
+++ b/Shorewall/Actions/action.Reject.deprecated
@ -62,6 +62,7 @@ AllowICMPs(@4)	-	-	icmp
 # (broadcasts must *not* be rejected).
 #
 Broadcast(DROP,@1)
 Multicast(DROP,@1)
 #
 # Drop packets that are in the INVALID state -- these are usually ICMP packets
 # and just confuse people when they appear in the log (these ICMPs cannot be
--- a/Shorewall/Perl/Shorewall/Rules.pm
+++ b/Shorewall/Perl/Shorewall/Rules.pm
@ -363,7 +363,7 @@ sub initialize( $ ) {
    @columns           = ( ( '-' ) x LAST_COLUMN, 0 );
    if ( $family == F_IPV4 ) {
-	@builtins = qw/dropBcast allowBcast dropNotSyn rejNotSyn allowinUPnP forwardUPnP Limit/;
+	@builtins = qw/dropBcast dropMcast allowBcast allowMcast dropNotSyn rejNotSyn allowinUPnP forwardUPnP Limit/;
 	%reject_options = ( 'icmp-net-unreachable'   => 1,
 			    'icmp-host-unreachable'  => 1,
 			    'icmp-port-unreachable'  => 1,
@ -375,7 +375,7 @@ sub initialize( $ ) {
 	                  );
    } else {
-	@builtins = qw/dropBcast allowBcast dropNotSyn rejNotSyn/;
+	@builtins = qw/dropBcast dropMcast allowBcast allowMcast dropNotSyn rejNotSyn/;
 	%reject_options = ( 'icmp6-no-route'         => 1,
 			    'no-route'               => 1,
 			    'icmp6-adm-prohibited'   => 1,
@ -1740,16 +1740,22 @@ sub dropBcast( $$$$ ) {
 	decr_cmd_level $chainref;
 	add_commands $chainref, 'done';
    }
 }
 sub dropMcast( $$$$ ) {
    my ($chainref, $level, $tag, $audit) = @_;
    my $target = require_audit ( 'DROP', $audit );
    if ( $family == F_IPV4 ) {
-	log_irule_limit $level, $chainref, 'dropBcast' , 'DROP', [], $tag, 'add', '', d => '224.0.0.0/4' if $level ne '';
+	log_irule_limit $level, $chainref, 'dropMcast' , 'DROP', [], $tag, 'add', '', d => '224.0.0.0/4' if $level ne '';
 	add_ijump $chainref, j => $target, d => '224.0.0.0/4';
    } else {
-	log_irule_limit( $level, $chainref, 'dropBcast' , 'DROP', [], $tag, 'add', '', d => IPv6_MULTICAST ) if $level ne '';
+	log_irule_limit( $level, $chainref, 'dropMcast' , 'DROP', [], $tag, 'add', '', d => IPv6_MULTICAST ) if $level ne '';
 	add_ijump $chainref, j => $target, d => IPv6_MULTICAST;
    }
 }
-
+    
 sub allowBcast( $$$$ ) {
    my ($chainref, $level, $tag, $audit) = @_;
@ -1775,12 +1781,18 @@ sub allowBcast( $$$$ ) {
 	decr_cmd_level $chainref;
 	add_commands $chainref, 'done';
    }
 }
 sub allowMast( $$$$ ) {
    my ($chainref, $level, $tag, $audit) = @_;
    my $target = require_audit( 'ACCEPT', $audit );
    if ( $family == F_IPV4 ) {
-	log_irule_limit( $level, $chainref, 'allowBcast' , 'ACCEPT', [], $tag, 'add', '', d => '224.0.0.0/4' ) if $level ne '';
+	log_irule_limit( $level, $chainref, 'allowMcast' , 'ACCEPT', [], $tag, 'add', '', d => '224.0.0.0/4' ) if $level ne '';
 	add_ijump $chainref, j => $target, d => '224.0.0.0/4';
    } else {
-	log_irule_limit( $level, $chainref, 'allowBcast' , 'ACCEPT', '', $tag, 'add',  '', d => IPv6_MULTICAST ) if $level ne '';
+	log_irule_limit( $level, $chainref, 'allowMcast' , 'ACCEPT', '', $tag, 'add',  '', d => IPv6_MULTICAST ) if $level ne '';
 	add_ijump $chainref, j => $target, d => IPv6_MULTICAST;
    }
 }
@ -1870,7 +1882,9 @@ sub Limit( $$$$ ) {
 }
 my %builtinops = ( 'dropBcast'      => \&dropBcast,
 		   'dropMcast'      => \&dropMcast,
 		   'allowBcast'     => \&allowBcast,
 		   'allowMcast'     => \&allowMcast,
 		   'dropNotSyn'     => \&dropNotSyn,
 		   'rejNotSyn'      => \&rejNotSyn,
 		   'allowinUPnP'    => \&allowinUPnP,
--- a/Shorewall/Samples/Universal/shorewall.conf
+++ b/Shorewall/Samples/Universal/shorewall.conf
@ -109,12 +109,12 @@ TC=
 #		D E F A U L T   A C T I O N S / M A C R O S
 ###############################################################################
-ACCEPT_DEFAULT="none"
+ACCEPT_DEFAULT=none
-BLACKLIST_DEFAULT="Broadcast(DROP),dropInvalid:$LOG_LEVEL,dropNotSyn:$LOG_LEVEL,DropDNSrep:$LOG_LEVEL"
+BLACKLIST_DEFAULT="Broadcast(DROP),Multicast(DROP),dropNotSyn:$LOG_LEVEL,dropInvalid:$LOG_LEVEL,DropDNSrep:$LOG_LEVEL"
-DROP_DEFAULT="Broadcast(DROP)"
+DROP_DEFAULT="Broadcast(DROP),Multicast(DROP)"
-NFQUEUE_DEFAULT="none"
+NFQUEUE_DEFAULT=none
-QUEUE_DEFAULT="none"
+QUEUE_DEFAULT=none
-REJECT_DEFAULT="Broadcast(DROP)"
+REJECT_DEFAULT="Broadcast(DROP),Multicast(DROP)"
 ###############################################################################
 #                        R S H / R C P  C O M M A N D S
--- a/Shorewall/Samples/one-interface/shorewall.conf
+++ b/Shorewall/Samples/one-interface/shorewall.conf
@ -120,12 +120,12 @@ TC=
 #		D E F A U L T   A C T I O N S / M A C R O S
 ###############################################################################
-ACCEPT_DEFAULT="none"
+ACCEPT_DEFAULT=none
-BLACKLIST_DEFAULT="Broadcast(DROP),dropInvalid:$LOG_LEVEL,dropNotSyn:$LOG_LEVEL,DropDNSrep:$LOG_LEVEL"
+BLACKLIST_DEFAULT="Broadcast(DROP),Multicast(DROP),dropNotSyn:$LOG_LEVEL,dropInvalid:$LOG_LEVEL,DropDNSrep:$LOG_LEVEL"
-DROP_DEFAULT="Broadcast(DROP)"
+DROP_DEFAULT="Broadcast(DROP),Multicast(DROP)"
-NFQUEUE_DEFAULT="none"
+NFQUEUE_DEFAULT=none
-QUEUE_DEFAULT="none"
+QUEUE_DEFAULT=none
-REJECT_DEFAULT="Broadcast(DROP)"
+REJECT_DEFAULT="Broadcast(DROP),Multicast(DROP)"
 ###############################################################################
 #                        R S H / R C P  C O M M A N D S
--- a/Shorewall/Samples/three-interfaces/shorewall.conf
+++ b/Shorewall/Samples/three-interfaces/shorewall.conf
@ -117,12 +117,12 @@ TC=
 #		D E F A U L T   A C T I O N S / M A C R O S
 ###############################################################################
-ACCEPT_DEFAULT="none"
+ACCEPT_DEFAULT=none
-BLACKLIST_DEFAULT="Broadcast(DROP),dropInvalid:$LOG_LEVEL,dropNotSyn:$LOG_LEVEL,DropDNSrep:$LOG_LEVEL"
+BLACKLIST_DEFAULT="Broadcast(DROP),Multicast(DROP),dropNotSyn:$LOG_LEVEL,dropInvalid:$LOG_LEVEL,DropDNSrep:$LOG_LEVEL"
-DROP_DEFAULT="Broadcast(DROP),dropInvalid:$LOG_LEVEL,dropNotSyn:$LOG_LEVEL"
+DROP_DEFAULT="Broadcast(DROP),Multicast(DROP)"
-NFQUEUE_DEFAULT="none"
+NFQUEUE_DEFAULT=none
-QUEUE_DEFAULT="none"
+QUEUE_DEFAULT=none
-REJECT_DEFAULT="Broadcast(DROP),dropInvalid:$LOG_LEVEL"
+REJECT_DEFAULT="Broadcast(DROP),Multicast(DROP)"
 ###############################################################################
 #                        R S H / R C P  C O M M A N D S
--- a/Shorewall/Samples/two-interfaces/shorewall.conf
+++ b/Shorewall/Samples/two-interfaces/shorewall.conf
@ -120,12 +120,12 @@ TC=
 #		D E F A U L T   A C T I O N S / M A C R O S
 ###############################################################################
-ACCEPT_DEFAULT="none"
+ACCEPT_DEFAULT=none
-BLACKLIST_DEFAULT="Broadcast(DROP),dropInvalid:$LOG_LEVEL,dropNotSyn:$LOG_LEVEL,DropDNSrep:$LOG_LEVEL"
+BLACKLIST_DEFAULT="Broadcast(DROP),Multicast(DROP),dropNotSyn:$LOG_LEVEL,dropInvalid:$LOG_LEVEL,DropDNSrep:$LOG_LEVEL"
-DROP_DEFAULT="Broadcast(DROP)"
+DROP_DEFAULT="Broadcast(DROP),Multicast(DROP)"
-NFQUEUE_DEFAULT="none"
+NFQUEUE_DEFAULT=none
-QUEUE_DEFAULT="none"
+QUEUE_DEFAULT=none
-REJECT_DEFAULT="Broadcast(DROP)"
+REJECT_DEFAULT="Broadcast(DROP),Multicast(DROP)"
 ###############################################################################
 #                        R S H / R C P  C O M M A N D S
--- a/Shorewall/actions.std
+++ b/Shorewall/actions.std
@ -9,8 +9,10 @@
 # Builtin Actions are:
 #
 ?if 0
-allowBcast			# Silently Allow Broadcast/multicast
+allowBcast			# Silently Allow Broadcast
-dropBcast			# Silently Drop Broadcast/multicast
+allowMcast			# Silently Allow Multicast
 dropBcast			# Silently Drop Broadcast
 dropMcast			# Silently Drop Multicast
 dropNotSyn			# Silently Drop Non-syn TCP packets
 rejNotSyn			# Silently Reject Non-syn TCP packets
 allowinUPnP			# Allow UPnP inbound (to firewall) traffic
@ -27,7 +29,7 @@ allowInvalid inline		# Accepts packets in the INVALID conntrack state
 AutoBL	     noinline		# Auto-blacklist IPs that exceed thesholds
 AutoBLL	     noinline		# Helper for AutoBL
 BLACKLIST    logjump,section	# Add sender to the dynamic blacklist
-Broadcast    noinline,audit	# Handles Broadcast/Multicast/Anycast
+Broadcast    noinline,audit	# Handles Broadcast/Anycast
 DNSAmp				# Matches one-question recursive DNS queries
 Drop				# Default Action for DROP policy (deprecated)
 dropInvalid  inline		# Drops packets in the INVALID conntrack state
@ -39,6 +41,7 @@ GlusterFS    inline		# Handles GlusterFS
 IfEvent	     noinline		# Perform an action based on an event
 Invalid	     inline,audit,\	# Handles packets in the INVALID conntrack state
 	     state=INVALID	#
 Multicast    noinline,audit	# Handles Multicast
 New	     inline,state=NEW	# Handles packets in the NEW conntrack state
 NotSyn	     inline,audit	# Handles TCP packets which do not have SYN=1 and ACK=0
 Reject				# Default Action for REJECT policy (deprecated)
--- a/Shorewall/configfiles/shorewall.conf
+++ b/Shorewall/configfiles/shorewall.conf
@ -110,11 +110,11 @@ TC=
 ###############################################################################
 ACCEPT_DEFAULT=none
-BLACKLIST_DEFAULT="Broadcast(DROP),dropNotSyn:$LOG_LEVEL,dropInvalid:$LOG_LEVEL,DropDNSrep:$LOG_LEVEL"
+BLACKLIST_DEFAULT="Broadcast(DROP),Multicast(DROP),dropNotSyn:$LOG_LEVEL,dropInvalid:$LOG_LEVEL,DropDNSrep:$LOG_LEVEL"
-DROP_DEFAULT="Broadcast(DROP)"
+DROP_DEFAULT="Broadcast(DROP),Multicast(DROP)"
 NFQUEUE_DEFAULT=none
 QUEUE_DEFAULT=none
-REJECT_DEFAULT="Broadcast(DROP)"
+REJECT_DEFAULT="Broadcast(DROP),Multicast(DROP)"
 ###############################################################################
 #			 R S H / R C P	C O M M A N D S
--- a/Shorewall6/Actions/action.Broadcast
+++ b/Shorewall6/Actions/action.Broadcast
@ -45,12 +45,11 @@ fatal_error "Invalid parameter to action Broadcast"   if supplied $audit && $aud
 if ( have_capability( 'ADDRTYPE' ) ) {
    if ( $level ne '' ) {
-	log_rule_limit $level, $chainref, 'dropBcast' , $action, '', $tag, 'add', ' -m addrtype --dst-type MULTICAST ';
+	log_rule_limit $level, $chainref, 'Broadcast' , $action, '', $tag, 'add', ' -m addrtype --dst-type BROADCAST ';
-	log_rule_limit $level, $chainref, 'dropBcast' , $action, '', $tag, 'add', ' -m addrtype --dst-type ANYCAST ';
+	log_rule_limit $level, $chainref, 'Broadcast' , $action, '', $tag, 'add', ' -m addrtype --dst-type ANYCAST ';
    }
    add_jump $chainref, $target, 0, '-m addrtype --dst-type BROADCAST ';
    add_jump $chainref, $target, 0, '-m addrtype --dst-type MULTICAST ';
    add_jump $chainref, $target, 0, '-m addrtype --dst-type ANYCAST ';
 } else {
    add_commands $chainref, 'for address in $ALL_ACASTS; do';
@ -59,9 +58,6 @@ if ( have_capability( 'ADDRTYPE' ) ) {
    add_jump $chainref, $target, 0, "-d \$address ";
    decr_cmd_level $chainref;
    add_commands $chainref, 'done';
    log_rule_limit( $level, $chainref, 'Broadcast' , $action, '', $tag, 'add', join( ' ', '-d', IPv6_MULTICAST . ' ' ) )  if $level ne '';
    add_jump $chainref, $target, 0, join( ' ', '-d', IPv6_MULTICAST . ' ' );
 }
 1;
--- a/Shorewall6/Actions/action.Multicast
+++ b/Shorewall6/Actions/action.Multicast
@ -0,0 +1,59 @@
 #
 # Shorewall6 -- /usr/share/shorewall6/action.Multicast
 #
 # Multicast/Anycast IPv6 Action
 #
 # This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
 #
 # (c) 2011-2016 Tom Eastep (teastep@shorewall.net)
 #
 # Complete documentation is available at http://shorewall.net
 #
 # This program is free software; you can redistribute it and/or modify
 # it under the terms of Version 2 of the GNU General Public License
 # as published by the Free Software Foundation.
 #
 # This program is distributed in the hope that it will be useful,
 # but WITHOUT ANY WARRANTY; without even the implied warranty of
 # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
 # GNU General Public License for more details.
 #
 # You should have received a copy of the GNU General Public License
 # along with this program; if not, write to the Free Software
 # Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
 #
 # Multicast[([<action>|-[,{audit|-}])]
 #
 # Default action is DROP
 #
 ###############################################################################
 DEFAULTS DROP,-
 ?begin perl;
 use Shorewall::IPAddrs;
 use Shorewall::Config;
 use Shorewall::Chains;
 my $chainref           = get_action_chain;
 my ( $action, $audit ) = get_action_params( 2 );
 my ( $level, $tag )    = get_action_logging;
 my $target             = require_audit ( $action , $audit );
 fatal_error "Invalid parameter to action Broadcast"   if supplied $audit && $audit ne 'audit';
 if ( have_capability( 'ADDRTYPE' ) ) {
    if ( $level ne '' ) {
 	log_rule_limit $level, $chainref, 'Multicast' , $action, '', $tag, 'add', ' -m addrtype --dst-type MULTICAST ';
    }
    add_jump $chainref, $target, 0, '-m addrtype --dst-type MULTICAST ';
 } else {
    log_rule_limit( $level, $chainref, 'Broadcast' , $action, '', $tag, 'add', join( ' ', '-d', IPv6_MULTICAST . ' ' ) )  if $level ne '';
    add_jump $chainref, $target, 0, join( ' ', '-d', IPv6_MULTICAST . ' ' );
 }
 1;
 ?end perl;
--- a/Shorewall6/Samples6/Universal/shorewall6.conf
+++ b/Shorewall6/Samples6/Universal/shorewall6.conf
@ -107,11 +107,11 @@ TC=
 ###############################################################################
 ACCEPT_DEFAULT=none
-BLACKLIST_DEFAULT="AllowICMPs,Broadcast(DROP),dropNotSyn:$LOG_LEVEL,DropDNSrep:$LOG_LEVEL"
+BLACKLIST_DEFAULT="AllowICMPs,Broadcast(DROP),Multicast(DROP),dropNotSyn:$LOG_LEVEL,DropDNSrep:$LOG_LEVEL"
-DROP_DEFAULT="AllowICMPs,Broadcast(DROP)"
+DROP_DEFAULT="AllowICMPs,Broadcast(DROP),Multicast(DROP)"
 NFQUEUE_DEFAULT=none
 QUEUE_DEFAULT=none
-REJECT_DEFAULT="AllowICMPs,Broadcast(DROP)"
+REJECT_DEFAULT="AllowICMPs,Broadcast(DROP),Multicast(DROP)"
 ###############################################################################
 #                        R S H / R C P  C O M M A N D S
--- a/Shorewall6/Samples6/one-interface/shorewall6.conf
+++ b/Shorewall6/Samples6/one-interface/shorewall6.conf
@ -108,11 +108,11 @@ TC=
 ###############################################################################
 ACCEPT_DEFAULT=none
-BLACKLIST_DEFAULT="AllowICMPs,Broadcast(DROP),dropNotSyn:$LOG_LEVEL,DropDNSrep:$LOG_LEVEL"
+BLACKLIST_DEFAULT="AllowICMPs,Broadcast(DROP),Multicast(DROP),dropNotSyn:$LOG_LEVEL,DropDNSrep:$LOG_LEVEL"
-DROP_DEFAULT="AllowICMPs,Broadcast(DROP)"
+DROP_DEFAULT="AllowICMPs,Broadcast(DROP),Multicast(DROP)"
 NFQUEUE_DEFAULT=none
 QUEUE_DEFAULT=none
-REJECT_DEFAULT="AllowICMPs,Broadcast(DROP)"
+REJECT_DEFAULT="AllowICMPs,Broadcast(DROP),Multicast(DROP)"
 ###############################################################################
 #                        R S H / R C P  C O M M A N D S
--- a/Shorewall6/Samples6/three-interfaces/shorewall6.conf
+++ b/Shorewall6/Samples6/three-interfaces/shorewall6.conf
@ -107,11 +107,11 @@ TC=
 ###############################################################################
 ACCEPT_DEFAULT=none
-BLACKLIST_DEFAULT="AllowICMPs,Broadcast(DROP),dropNotSyn:$LOG_LEVEL,DropDNSrep:$LOG_LEVEL"
+BLACKLIST_DEFAULT="AllowICMPs,Broadcast(DROP),Multicast(DROP),dropNotSyn:$LOG_LEVEL,DropDNSrep:$LOG_LEVEL"
-DROP_DEFAULT="AllowICMPs,Broadcast(DROP)"
+DROP_DEFAULT="AllowICMPs,Broadcast(DROP),Multicast(DROP)"
 NFQUEUE_DEFAULT=none
 QUEUE_DEFAULT=none
-REJECT_DEFAULT="AllowICMPs,Broadcast(DROP)"
+REJECT_DEFAULT="AllowICMPs,Broadcast(DROP),Multicast(DROP)"
 ###############################################################################
 #                        R S H / R C P  C O M M A N D S
--- a/Shorewall6/Samples6/two-interfaces/shorewall6.conf
+++ b/Shorewall6/Samples6/two-interfaces/shorewall6.conf
@ -107,11 +107,11 @@ TC=
 ###############################################################################
 ACCEPT_DEFAULT=none
-BLACKLIST_DEFAULT="AllowICMPs,Broadcast(DROP),dropNotSyn:$LOG_LEVEL,DropDNSrep:$LOG_LEVEL"
+BLACKLIST_DEFAULT="AllowICMPs,Broadcast(DROP),Multicast(DROP),dropNotSyn:$LOG_LEVEL,DropDNSrep:$LOG_LEVEL"
-DROP_DEFAULT="AllowICMPs,Broadcast(DROP)"
+DROP_DEFAULT="AllowICMPs,Broadcast(DROP),Multicast(DROP)"
 NFQUEUE_DEFAULT=none
 QUEUE_DEFAULT=none
-REJECT_DEFAULT="AllowICMPs,Broadcast(DROP)"
+REJECT_DEFAULT="AllowICMPs,Broadcast(DROP),Multicast(DROP)"
 ###############################################################################
 #                        R S H / R C P  C O M M A N D S
--- a/Shorewall6/actions.std
+++ b/Shorewall6/actions.std
@ -9,8 +9,10 @@
 # Builtin Actions are:
 #
 ?if 0
-allowBcasts                     # Accept multicast and anycast packets
+allowBcasts                     # Accept anycast packets
-dropBcasts                      # Silently Drop multicast and anycast packets
+allowMcasts                     # Accept multicast packets
 dropBcasts                      # Silently Drop anycast packets
 dropMcasts                      # Silently Drop multicast packets
 dropNotSyn		        # Silently Drop Non-syn TCP packets
 rejNotSyn		        # Silently Reject Non-syn TCP packets
 ?endif
@ -23,7 +25,7 @@ AllowICMPs   	                # Accept needed ICMP6 types
 allowInvalid inline		# Accepts packets in the INVALID conntrack state
 AutoBL       noinline           # Auto-blacklist IPs that exceed thesholds
 AutoBLL      noinline           # Helper for AutoBL
-Broadcast    noinline      	# Handles Broadcast/Multicast/Anycast
+Broadcast    noinline      	# Handles Broadcast/Anycast
 Drop		        	# Default Action for DROP policy (deprecated)
 dropInvalid  inline		# Drops packets in the INVALID conntrack state
 DropDNSrep   inline		# Drops DNS replies
@ -33,6 +35,7 @@ Established  inline,\		# Handles packets in the ESTABLISHED state
 IfEvent      noinline           # Perform an action based on an event
 Invalid      inline,audit,\     # Handles packets in the INVALID conntrack state
             state=INVALID
 Multicast    noinline      	# Handles Multicast
 New	     inline,state=NEW	# Handles packets in the NEW conntrack state
 NotSyn	     inline 		# Handles TCP packets that do not have SYN=1 and ACK=0
 Reject		        	# Default Action for REJECT policy (deprecated)
--- a/Shorewall6/configfiles/shorewall6.conf
+++ b/Shorewall6/configfiles/shorewall6.conf
@ -107,11 +107,11 @@ TC=
 ###############################################################################
 ACCEPT_DEFAULT=none
-BLACKLIST_DEFAULT="AllowICMPs,Broadcast(DROP)s,dropNotSyn:$LOG_LEVEL,DropDNSrep:$LOG_LEVEL"
+BLACKLIST_DEFAULT="AllowICMPs,Broadcast(DROP),Multicast(DROP),dropNotSyn:$LOG_LEVEL,DropDNSrep:$LOG_LEVEL"
-DROP_DEFAULT="AllowICMPs,Broadcast(DROP)"
+DROP_DEFAULT="AllowICMPs,Broadcast(DROP),Multicast(DROP)"
 NFQUEUE_DEFAULT=none
 QUEUE_DEFAULT=none
-REJECT_DEFAULT="AllowICMPs,Broadcast(DROP)"
+REJECT_DEFAULT="AllowICMPs,Broadcast(DROP),Multicast(DROP)"
 ###############################################################################
 #			 R S H / R C P	C O M M A N D S
--- a/docs/Actions.xml
+++ b/docs/Actions.xml
@ -299,7 +299,17 @@ ACCEPT   -              -               tcp     135,139,445</programlisting>
        <term>Broadcast[(<replaceable>disposition</replaceable>)]</term>
        <listitem>
-          <para>Handles broadcasts and multicasts based on the
+          <para>Handles broadcasts based on the
          <replaceable>disposition</replaceable>. The default
          <replaceable>disposition</replaceable> is DROP.</para>
        </listitem>
      </varlistentry>
      <varlistentry>
        <term>Multicast[(<replaceable>disposition</replaceable>)]</term>
        <listitem>
          <para>Handles multicasts based on the
          <replaceable>disposition</replaceable>. The default
          <replaceable>disposition</replaceable> is DROP.</para>
        </listitem>
@ -340,6 +350,27 @@ ACCEPT   -              -               tcp     135,139,445</programlisting>
        </listitem>
      </varlistentry>
    </variablelist>
    <para>The recommended settings for the 6 policy actions for IPv4 are:
    </para>
    <programlisting>        ACCEPT_DEFAULT=none
        BLACKLIST_DEFAULT="Broadcast(DROP),Multicast(DROP),dropNotSyn:$LOG_LEVEL,dropInvalid:$LOG_LEVEL,DropDNSrep:$LOG_LEVEL"
        DROP_DEFAULT="Broadcast(DROP),Multicast(DROP)"
        NFQUEUE_DEFAULT=none
        QUEUE_DEFAULT=none
        REJECT_DEFAULT="Broadcast(DROP),Multicast(DROP)"
 </programlisting>
    <para>The recommended settings for IPv6 are:</para>
    <programlisting>        ACCEPT_DEFAULT=none
        BLACKLIST_DEFAULT="AllowICMPs,Broadcast(DROP),Multicast(DROP),dropNotSyn:$LOG_LEVEL,DropDNSrep:$LOG_LEVEL"
        DROP_DEFAULT="AllowICMPs,Broadcast(DROP),Multicast(DROP)"
        NFQUEUE_DEFAULT=none
        QUEUE_DEFAULT=none
        REJECT_DEFAULT="AllowICMPs,Broadcast(DROP),Multicast(DROP)"
 </programlisting>
  </section>
  <section id="Defining">