From bc6a38ca6489468ac683709ef47ec1149ff3748f Mon Sep 17 00:00:00 2001
From: Tom Eastep
Date: Tue, 14 May 2013 10:44:26 -0700
Subject: [PATCH] Remove most special handling of 'Auth'.
Signed-off-by: Tom Eastep
---
Shorewall/action.A_Drop | 4 ++--
Shorewall/action.A_Reject | 4 ----
Shorewall/action.Drop | 13 +++++++------
Shorewall/action.Reject | 11 ++++++-----
4 files changed, 15 insertions(+), 17 deletions(-)
diff --git a/Shorewall/action.A_Drop b/Shorewall/action.A_Drop
index bd60bb0aa..90eb07a9c 100644
--- a/Shorewall/action.A_Drop
+++ b/Shorewall/action.A_Drop
@@ -24,9 +24,9 @@
 #
 COUNT
 #
-# Reject 'auth'
+# Silently DROP 'auth'
 #
-Auth(A_REJECT)
+Auth(A_DROP)
 #
 # Don't log broadcasts
 #
diff --git a/Shorewall/action.A_Reject b/Shorewall/action.A_Reject
index 845c9ed05..7f1764612 100644
--- a/Shorewall/action.A_Reject
+++ b/Shorewall/action.A_Reject
@@ -20,10 +20,6 @@
 #
 COUNT
 #
-# Don't log 'auth' -- REJECT
-#
-Auth(A_REJECT)
-#
 # Drop Broadcasts so they don't clutter up the log
 # (broadcasts must *not* be rejected).
 #
diff --git a/Shorewall/action.Drop b/Shorewall/action.Drop
index 30d2874cd..abd945c97 100644
--- a/Shorewall/action.Drop
+++ b/Shorewall/action.Drop
@@ -9,7 +9,7 @@
 # of the action is:
 #
 # a) Avoid logging lots of useless cruft.
-# b) Ensure that 'auth' requests are rejected, even if the policy is
+# b) Allow 'auth' requests rejected rejected, even if the policy is
 # DROP. Otherwise, you may experience problems establishing
 # connections with servers that use auth.
 # c) Ensure that certain ICMP packets that are necessary for successful
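Review bot: `Auth(A_DROP)` leaves A_Drop as the only one of the four actions in this patch that still hard-codes a response to auth, and the response it picks is the silent drop that the Drop header in this same patch warns about (problems establishing connections with servers that use auth). If the audited variant is meant to behave differently from Drop, whose second parameter now defaults to '-', the replaced comment should say why, e.g. `# Silently DROP 'auth' (audited); use A_REJECT here instead if connections to servers that use auth stall`. Otherwise this rule would be more consistent with Drop and Reject if it followed their parameter-driven pattern rather than a fixed target.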
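Review bot: The rewritten line `# b) Allow 'auth' requests rejected rejected, even if the policy is` repeats a word and no longer reads as a sentence with the unchanged continuation `# DROP. Otherwise, ...`; it should be `# b) Allow 'auth' requests to be rejected, even if the policy is`. Since the patch removes the REJECT default, this paragraph should also say that the rejection now only happens when the caller passes REJECT (or A_REJECT) as the second parameter. Shorewall/action.Reject's purpose header is not touched by this patch; if it carries a similar sentence it may now be stale as well.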
@@ -19,8 +19,8 @@
 #
 # 1 - 'audit' or '-'. Default is '-' which means don't audit in builtin
 # actions.
-# 2 - Action to take with Auth requests. Default is REJECT or A_REJECT,
-# depending on the setting of the first parameter.
+# 2 - Action to take with Auth requests. Default is to do nothing special
+# with them.
 # 3 - Action to take with SMB requests. Default is DROP or A_DROP,
 # depending on the setting of the first parameter.
 # 4 - Action to take with required ICMP packets. Default is ACCEPT or
@@ -43,7 +43,6 @@ my ( $p1, $p2, $p3 , $p4, $p5 ) = get_action_params( 5 );
 if ( defined $p1 ) {
 if ( $p1 eq 'audit' ) {
- set_action_param( 2, 'A_REJECT') unless supplied $p2;
 set_action_param( 3, 'A_DROP') unless supplied $p3;
 set_action_param( 4, 'A_ACCEPT' ) unless supplied $p4;
 set_action_param( 5, 'A_DROP' ) unless supplied $p5;
@@ -56,7 +55,7 @@ if ( defined $p1 ) {
 ?END PERL;
-DEFAULTS -,REJECT,DROP,ACCEPT,DROP
+DEFAULTS -,-,DROP,ACCEPT,DROP
 #TARGET SOURCE DEST PROTO DPORT SPORT
 #
@@ -64,9 +63,11 @@ DEFAULTS -,REJECT,DROP,ACCEPT,DROP
 #
 COUNT
 #
-# Reject 'auth'
+# Special Handling for Auth
 #
+?if @2 ne '-'
 Auth(@2)
+?endif
 #
 # Don't log broadcasts
 #
diff --git a/Shorewall/action.Reject b/Shorewall/action.Reject
index d3c7dcc9a..d94033e65 100644
--- a/Shorewall/action.Reject
+++ b/Shorewall/action.Reject
@@ -16,8 +16,8 @@
 #
 # 1 - 'audit' or '-'. Default is '-' which means don't audit in builtin
 # actions.
-# 2 - Action to take with Auth requests. Default is REJECT or A_REJECT,
-# depending on the setting of the first parameter.
+# 2 - Action to take with Auth requests. Default is to do nothing
+# special with them.
 # 3 - Action to take with SMB requests. Default is REJECT or A_REJECT,
 # depending on the setting of the first parameter.
 # 4 - Action to take with required ICMP packets. Default is ACCEPT or
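Review bot: With `set_action_param( 2, 'A_REJECT') unless supplied $p2;` removed, the 'audit' branch now begins at parameter 3 with nothing explaining why parameter 2 is the one that gets no audited default, so the gap next to `set_action_param( 3, 'A_DROP') unless supplied $p3;` looks accidental. A one-line comment before that statement, such as `# parameter 2 (Auth) keeps the DEFAULTS value '-', which leaves the ?if @2 ne '-' guard below off unless the caller supplies a target`, would tie the Perl block to the template change. The enclosing `if ( defined $p1 )` and `if ( $p1 eq 'audit' )` blocks open before this hunk and close after it. The identical hunk in Shorewall/action.Reject (@@ -39,7 +39,6 @@) wants the same comment.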
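Review bot: The new comment is `# Special Handling for Auth` here but `# Special handling for Auth` in the matching hunk of Shorewall/action.Reject (@@ -60,9 +59,11 @@); the two actions are otherwise kept in lock-step, so the wording should match, and `# Special handling for Auth` in both is the smaller change. The `?if @2 ne '-'` guard also depends on the DEFAULTS line in the previous hunk now seeding the second parameter with '-', which a reader of this block alone cannot see; extending the comment to `# Special handling for Auth (second parameter; '-' from DEFAULTS means none)` would make the dependency explicit.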
@@ -39,7 +39,6 @@ my ( $p1, $p2, $p3 , $p4, $p5 ) = get_action_params( 5 );
 if ( defined $p1 ) {
 if ( $p1 eq 'audit' ) {
- set_action_param( 2, 'A_REJECT') unless supplied $p2;
 set_action_param( 3, 'A_REJECT') unless supplied $p3;
 set_action_param( 4, 'A_ACCEPT' ) unless supplied $p4;
 set_action_param( 5, 'A_DROP' ) unless supplied $p5;
@@ -52,7 +51,7 @@ if ( defined $p1 ) {
 ?END PERL;
-DEFAULTS -,REJECT,REJECT,ACCEPT,DROP
+DEFAULTS -,-,REJECT,ACCEPT,DROP
 #TARGET SOURCE DEST PROTO
 #
@@ -60,9 +59,11 @@ DEFAULTS -,REJECT,REJECT,ACCEPT,DROP
 #
 COUNT
 #
-# Don't log 'auth' -- REJECT
+# Special handling for Auth
 #
+?if @2 ne '-'
 Auth(@2)
+?endif
 #
 # Drop Broadcasts so they don't clutter up the log
 # (broadcasts must *not* be rejected).