Don't feed the smurfs

git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@1093 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
2024-11-14 19:54:06 +01:00 · 2004-01-27 22:33:32 +00:00 · 2004-01-27 22:33:32 +00:00 · b4d0cbd1b1
commit b4d0cbd1b1
parent 3a82d46762
3 changed files with 25 additions and 11 deletions
--- a/Shorewall/changelog.txt
+++ b/Shorewall/changelog.txt
@ -10,3 +10,8 @@ Changes since 1.4.9
   ADD_SNAT_ALIASES=Yes.

 5) Implement "detectnets" option.
+
+6) Correct the CONTINUE target and fix a couple of bugs in rate
+   limiting (with an assist from Steven Jan Springl).
+
+7) Silently drop smurfs and broadcasts in the 'reject' chain.
--- a/Shorewall/firewall
+++ b/Shorewall/firewall
@ -4443,23 +4443,27 @@ build_common_chain() {
 #
 add_common_rules() {
    local savelogparms="$LOGPARMS"
+    local broadcasts="$(find_broadcasts) 255.255.255.255 224.0.0.0/4"
    #
-    # Reject Rules
-    #
-    run_iptables -A reject -p tcp  -j REJECT --reject-with tcp-reset
-    #
-    # Don't respond to broadcasts with an ICMP
+    # Reject Rules -- Don't respond to broadcasts with an ICMP
    #
    qt iptables -A reject -m pkttype --pkt-type broadcast -j DROP
    if ! qt iptables -A reject -m pkttype --pkt-type multicast -j DROP; then
-	run_iptables -A reject -d 255.255.255.255 -j DROP
-	run_iptables -A reject -d 224.0.0.0/4     -j DROP
-    
-	for address in $(find_broadcasts) ; do
+	#
+	# No pkttype support -- do it the hard way
+	#
+	for address in $broadcasts ; do
 	    run_iptables -A reject -d $address -j DROP
 	done
    fi
-
+    #
+    # Don't feed the smurfs
+    #
+    for address in $broadcasts ; do
+	run_iptables -A reject -s $address -j DROP
+    done
+    
+    run_iptables -A reject -p tcp  -j REJECT --reject-with tcp-reset
    run_iptables -A reject -p udp  -j REJECT
    #
    # Not all versions of iptables support these so don't complain if they don't work
--- a/Shorewall/releasenotes.txt
+++ b/Shorewall/releasenotes.txt
@ -9,7 +9,12 @@ Problems Corrected since version 1.4.9:
   during [re]start if ADD_IP_ALIASES=Yes or ADD_SNAT_ALIASES=Yes are
   specified in /etc/shorewall/shorewall.conf.

-3. Shorewall now tried to avoid sending an ICMP response to broadcasts.
+3. The CONTINUE action in /etc/shorewall/rules now works correctly. A
+   couple of problems involving rate limiting have been
+   corrected. These bug fixes courtesy of Steven Jan Springl.
+
+4. Shorewall now tried to avoid sending an ICMP response to broadcasts
+   and smurfs.

 Migration Issues: