Add AllowICMPs action and invoke from Drop and Reject

git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@1666 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
teastep 2004-10-07 22:56:35 +00:00
parent 31f0b2dc68
commit aeb3d2cea2
7 changed files with 91 additions and 8 deletions


@ -0,0 +1,11 @@
#
# Shorewall 2.1 /usr/share/shorewall/action.AllowICMPs
#
# ACCEPT needed ICMP types
#
######################################################################################
#TARGET SOURCE DEST PROTO DEST SOURCE RATE USER/
# PORT PORT(S) LIMIT GROUP
#
ACCEPT - - icmp fragmentation-needed
ACCEPT - - icmp time-exceeded
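Review bot: the new action.AllowICMPs file has no trailing `#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE` marker, unlike action.Drop and action.Reject touched in this same commit; add it so the file follows the same convention as the other standard action files. The header comment `# ACCEPT needed ICMP types` would also be more useful if it said why these two types are needed (fragmentation-needed for path MTU discovery, time-exceeded for TTL expiry and traceroute), since the rules accept them from any source with no rate limit and a later maintainer should know that is deliberate.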


@ -3,14 +3,47 @@
# #
# The default DROP common rules # The default DROP common rules
# #
# This action is invoked before a DROP policy is enforced. The purpose of the action
# is:
#
# a) Avoid logging lots of useless cruft.
# b) Ensure that 'auth' requests are rejected, even if the policy is DROP.
# Otherwise, you may experience problems establishing connections with
# servers that use auth.
# c) Ensure that certain ICMP packets that are necessary for successful
# internet operation are always ACCEPTed.
#
# IF YOU ARE HAVING CONNECTION PROBLEMS, CHANGING THIS FILE WON'T HELP!!!!!!!!!!!!
###################################################################################### ######################################################################################
#TARGET SOURCE DEST PROTO DEST SOURCE RATE USER/ #TARGET SOURCE DEST PROTO
# PORT PORT(S) LIMIT GROUP #
# Reject 'auth'
#
RejectAuth RejectAuth
#
# Don't log broadcasts
#
dropBcast dropBcast
#
# ACCEPT critical ICMP types
#
AllowICMPs - - icmp
#
# Drop packets that in the INVALID state -- these are usually ICMP packets and just
# confuse people when they appear in the log.
#
dropInvalid dropInvalid
#
# Drop Microsoft noise so that it doesn't clutter up the log.
#
DropSMB DropSMB
DropUPnP DropUPnP
dropNotSyn #
# Drop 'newnotsyn' traffic so that it doesn't get logged.
#
dropNotSyn - - tcp
#
# Drop late-arriving DNS replies. These are just a nuisance and clutter up the log.
#
DropDNSrep DropDNSrep
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
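Review bot: `AllowICMPs - - icmp` is invoked before `dropInvalid`, so fragmentation-needed and time-exceeded packets are ACCEPTed even when conntrack has classified them INVALID, and the comment just below says INVALID packets are usually ICMP. If accepting ICMP errors that conntrack cannot relate to a tracked connection is the intent, state that in the `# ACCEPT critical ICMP types` comment; otherwise move the `AllowICMPs` line after `dropInvalid`. Also, the comment `# Drop packets that in the INVALID state` is missing a word ("that are in the INVALID state").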


@ -3,14 +3,44 @@
# #
# The default REJECT action common rules # The default REJECT action common rules
# #
# This action is invoked before a REJECT policy is enforced. The purpose of the action
# is:
#
# a) Avoid logging lots of useless cruft.
# b) Ensure that certain ICMP packets that are necessary for successful
# internet operation are always ACCEPTed.
#
# IF YOU ARE HAVING CONNECTION PROBLEMS, CHANGING THIS FILE WON'T HELP!!!!!!!!!!!!
###################################################################################### ######################################################################################
#TARGET SOURCE DEST PROTO DEST SOURCE RATE USER/ #TARGET SOURCE DEST PROTO
# PORT PORT(S) LIMIT GROUP #
# Don't log 'auth' REJECT
#
RejectAuth RejectAuth
#
# Drop Broadcasts so they don't clutter up the log (broadcasts must *not* be rejected).
#
dropBcast dropBcast
#
# ACCEPT critical ICMP types
#
AllowICMPs - - icmp
#
# Drop packets that in the INVALID state -- these are usually ICMP packets and just
# confuse people when they appear in the log (these ICMPs cannot be rejected).
#
dropInvalid dropInvalid
#
# Drop Microsoft noise so that it doesn't clutter up the lot.
#
RejectSMB RejectSMB
DropUPnP DropUPnP
dropNotSyn #
# Drop 'newnotsyn' traffic so that it doesn't get logged.
#
dropNotSyn - - tcp
#
# Drop late-arriving DNS replies. These are just a nuisance and clutter up the log.
#
DropDNSrep DropDNSrep
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
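Review bot: the same ordering question as in action.Drop applies here, since `AllowICMPs - - icmp` runs before `dropInvalid` and the comment below notes that INVALID packets are usually ICMP; either document that accepting INVALID ICMP errors is intended or move the `AllowICMPs` line after `dropInvalid`. Two comment typos in this hunk: `# Drop Microsoft noise so that it doesn't clutter up the lot.` should read "log", and `# Drop packets that in the INVALID state` should read "that are in".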


@ -32,6 +32,7 @@ AllowSMB #Allow MS Networking
AllowAuth #Allow Auth (identd) AllowAuth #Allow Auth (identd)
AllowSMTP #Allow SMTP (Email) AllowSMTP #Allow SMTP (Email)
AllowPOP3 #Allow reading mail via POP3 AllowPOP3 #Allow reading mail via POP3
AllowICMPs #Allows critical ICMP types
AllowIMAP #Allow reading mail via IMAP AllowIMAP #Allow reading mail via IMAP
AllowTelnet #Allow Telnet Access (not recommended for use over the AllowTelnet #Allow Telnet Access (not recommended for use over the
#Internet) #Internet)
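Review bot: the new entry `AllowICMPs #Allows critical ICMP types` uses "Allows" where every neighbouring entry uses "Allow", and it is inserted between AllowPOP3 and AllowIMAP, splitting the two mail-reading actions; use `#Allow critical ICMP types` and place the entry next to AllowAuth or in alphabetical position (after AllowFTP), as the RPM spec hunk in this commit does.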


@ -92,6 +92,8 @@ Changes since 2.0.3
44) Implememt LOGTAGONLY. 44) Implememt LOGTAGONLY.
46) Merge 'tcrules' clarification from 2.0.10. 45) Merge 'tcrules' clarification from 2.0.10.
46) Implement 'sourceroute' interface option. 46) Implement 'sourceroute' interface option.
47) Add 'icmps' action.
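Review bot: the changelog entry `47) Add 'icmps' action.` names the action 'icmps', but the file added is /usr/share/shorewall/action.AllowICMPs and actions.std lists it as AllowICMPs; use the real name so that users searching the changelog can find the action.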


@ -520,4 +520,9 @@ New Features:
interfaces. If you wish to accept source routing on an interface, interfaces. If you wish to accept source routing on an interface,
you must specify the new 'sourceroute' interface option in you must specify the new 'sourceroute' interface option in
/etc/shorewall/interfaces. /etc/shorewall/interfaces.
20) The default Drop and Reject actions now invoke the new standard
action 'AllowICMPs'. This new action accepts critical ICMP types:
Type 3 code 4 (fragmentation needed)
Type 11 (TTL exceeded)
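Review bot: the release note describes the second type as `Type 11 (TTL exceeded)`, but the rule in action.AllowICMPs is `icmp time-exceeded`, which matches all of type 11, including code 1 (fragment reassembly time exceeded), not only code 0 (TTL exceeded in transit). Either describe it as "Type 11 (time exceeded)" here, or narrow the rule to the `ttl-zero-during-transit` type name if only code 0 is wanted.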


@ -101,6 +101,7 @@ fi
%attr(0600,root,root) /usr/share/shorewall/action.AllowAuth %attr(0600,root,root) /usr/share/shorewall/action.AllowAuth
%attr(0600,root,root) /usr/share/shorewall/action.AllowDNS %attr(0600,root,root) /usr/share/shorewall/action.AllowDNS
%attr(0600,root,root) /usr/share/shorewall/action.AllowFTP %attr(0600,root,root) /usr/share/shorewall/action.AllowFTP
%attr(0600,root,root) /usr/share/shorewall/action.AllowICMPs
%attr(0600,root,root) /usr/share/shorewall/action.AllowIMAP %attr(0600,root,root) /usr/share/shorewall/action.AllowIMAP
%attr(0600,root,root) /usr/share/shorewall/action.AllowNNTP %attr(0600,root,root) /usr/share/shorewall/action.AllowNNTP
%attr(0600,root,root) /usr/share/shorewall/action.AllowNTP %attr(0600,root,root) /usr/share/shorewall/action.AllowNTP