From c5b38de69c3eafd8e2328c67bf1f8d4bfb488fc3 Mon Sep 17 00:00:00 2001
From: Tom Eastep
Date: Tue, 24 May 2011 07:17:25 -0700
Subject: [PATCH] Add Audited Standard IPv6 Default Actions
Signed-off-by: Tom Eastep
---
 Shorewall6/action.AAllowICMPs | 40 +++++++++++++++++++++++++++
 Shorewall6/action.ADrop | 52 +++++++++++++++++++++++++++++++++++
 Shorewall6/action.AReject | 50 +++++++++++++++++++++++++++++++++
 Shorewall6/actions.std | 3 ++
 4 files changed, 145 insertions(+)
 create mode 100644 Shorewall6/action.AAllowICMPs
 create mode 100644 Shorewall6/action.ADrop
 create mode 100644 Shorewall6/action.AReject
diff --git a/Shorewall6/action.AAllowICMPs b/Shorewall6/action.AAllowICMPs
new file mode 100644
index 000000000..de39e787f
--- /dev/null
+++ b/Shorewall6/action.AAllowICMPs
@@ -0,0 +1,40 @@
+#
+# Shorewall6 version 4 - Audited AllowICMPs Action
+#
+# /usr/share/shorewall6/action.AAllowICMPs
+#
+# This action A_ACCEPTs needed ICMP types
+#
+###############################################################################
+#TARGET SOURCE DEST PROTO DEST
+# PORT(S)
+COMMENT Needed ICMP types (RFC4890)
+
+A_ACCEPT - - ipv6-icmp destination-unreachable
+A_ACCEPT - - ipv6-icmp packet-too-big
+A_ACCEPT - - ipv6-icmp time-exceeded
+A_ACCEPT - - ipv6-icmp parameter-problem
+
+# The following should have a ttl of 255 and must be allowed to transit a bridge
+A_ACCEPT - - ipv6-icmp router-solicitation
+A_ACCEPT - - ipv6-icmp router-advertisement
+A_ACCEPT - - ipv6-icmp neighbour-solicitation
+A_ACCEPT - - ipv6-icmp neighbour-advertisement
+A_ACCEPT - - ipv6-icmp 137 # Redirect
+A_ACCEPT - - ipv6-icmp 141 # Inverse neighbour discovery solicitation
+A_ACCEPT - - ipv6-icmp 142 # Inverse neighbour discovery advertisement
+
+# The following should have a link local source address and must be allowed to transit a bridge
+A_ACCEPT fe80::/10 - ipv6-icmp 130 # Listener query
+A_ACCEPT fe80::/10 - ipv6-icmp 131 # Listener report
+A_ACCEPT fe80::/10 - ipv6-icmp 132 # Listener done
+A_ACCEPT fe80::/10 - ipv6-icmp 143 # Listener report v2
+
+# The following should be received with a ttl of 255 and must be allowed to transit a bridge
+A_ACCEPT - - ipv6-icmp 148 # Certificate path solicitation
+A_ACCEPT - - ipv6-icmp 149 # Certificate path advertisement
+
+# The following should have a link local source address and a ttl of 1 and must be allowed to transit abridge
+A_ACCEPT fe80::/10 - ipv6-icmp 151 # Multicast router advertisement
+A_ACCEPT fe80::/10 - ipv6-icmp 152 # Multicast router solicitation
+A_ACCEPT fe80::/10 - ipv6-icmp 153 # Multicast router termination
diff --git a/Shorewall6/action.ADrop b/Shorewall6/action.ADrop
new file mode 100644
index 000000000..368b34075
--- /dev/null
+++ b/Shorewall6/action.ADrop
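Review bot: The expectations written in the section comments are only partly enforced by the rows under them: the `fe80::/10` SOURCE restricts types 130, 131, 132, 143, 151, 152 and 153 to link-local senders, but nothing in the file checks the "ttl of 255" (hop limit) that the comments describe for the router/neighbour solicitation and advertisement rows and for types 137, 141, 142, 148 and 149, and those rows accept from any source. If the action file format cannot express a hop-limit match, the header should say so rather than leaving the reader to assume it is checked, e.g. `# NOTE: the hop limit (ttl) is not verified by these rules; the comments only record the RFC 4890 expectation`. Each row is an A_ACCEPT, so every matching neighbour-discovery packet is audited; a one-line remark on the resulting audit volume on busy links would help operators choose between this action and the non-audited AllowICMPs. The last section comment also has a typo: `transit abridge` should read `transit a bridge`.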
@@ -0,0 +1,52 @@
+#
+# Shorewall6 version 4 - Audited Drop Action
+#
+# /usr/share/shorewall6/action.ADrop
+#
+# The Audited default DROP common rules
+#
+# This action is invoked before a DROP policy is enforced. The purpose
+# of the action is:
+#
+# a) Avoid logging lots of useless cruft.
+# b) Ensure that 'auth' requests are rejected, even if the policy is
+# DROP. Otherwise, you may experience problems establishing
+# connections with servers that use auth.
+# c) Ensure that certain ICMP packets that are necessary for successful
+# internet operation are always ACCEPTed.
+#
+# IF YOU ARE HAVING CONNECTION PROBLEMS, CHANGING THIS FILE WON'T HELP!!!!!!!!!
+#
+###############################################################################
+#TARGET SOURCE DEST PROTO DPORT SPORT
+#
+# Reject 'auth'
+#
+Auth(A_REJECT)
+#
+# ACCEPT critical ICMP types
+#
+AAllowICMPs - - ipv6-icmp
+#
+# Drop Broadcasts so they don't clutter up the log
+# (broadcasts must *not* be rejected).
+#
+dropBcast(audit)
+#
+# Drop packets that are in the INVALID state -- these are usually ICMP packets
+# and just confuse people when they appear in the log.
+#
+dropInvalid(audit)
+#
+# Drop Microsoft noise so that it doesn't clutter up the log.
+#
+SMB(A_DROP)
+#
+# Drop 'newnotsyn' traffic so that it doesn't get logged.
+#
+dropNotSyn(audit) - - tcp
+#
+# Drop late-arriving DNS replies. These are just a nuisance and clutter up
+# the log.
+#
+ADropDNSrep
diff --git a/Shorewall6/action.AReject b/Shorewall6/action.AReject
new file mode 100644
index 000000000..606a360f3
--- /dev/null
+++ b/Shorewall6/action.AReject
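Review bot: `ADropDNSrep` on the last line is neither created by this patch nor registered in the actions.std hunk, which adds only ADrop, AReject and AAllowICMPs; unless it is a built-in action, a configuration that invokes ADrop will fail to compile on an unknown action name. The same reference closes the AReject hunk. Separately, the column header here is `#TARGET SOURCE DEST PROTO DPORT SPORT` while AReject's is `#TARGET SOURCE DEST PROTO`, although both files use the same four columns in `dropNotSyn(audit) - - tcp`; the two headers should agree. The "Drop Broadcasts" wording above dropBcast(audit) is carried over from the IPv4 action; a short clarification such as `# (IPv6 has no broadcast -- presumably this covers multicast destinations; confirm against dropBcast)` would stop readers from looking for a broadcast match that does not exist in IPv6.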
@@ -0,0 +1,50 @@
+#
+# Shorewall6 version 4 - Audited Reject Action
+#
+# /usr/share/shorewall6/action.AReject
+#
+# The audited default REJECT action common rules
+#
+# This action is invoked before a REJECT policy is enforced. The purpose
+# of the action is:
+#
+# a) Avoid logging lots of useless cruft.
+# b) Ensure that certain ICMP packets that are necessary for successful
+# internet operation are always ACCEPTed.
+#
+# IF YOU ARE HAVING CONNECTION PROBLEMS, CHANGING THIS FILE WON'T HELP!!!!!!!!!
+###############################################################################
+#TARGET SOURCE DEST PROTO
+#
+# Don't log 'auth' -- REJECT
+#
+Auth(A_REJECT)
+#
+# Drop Multicasts so they don't clutter up the log
+# (broadcasts must *not* be rejected).
+#
+AAllowICMPs - - ipv6-icmp
+#
+# Drop Broadcasts so they don't clutter up the log
+# (broadcasts must *not* be rejected).
+#
+dropBcast(audit)
+#
+# Drop packets that are in the INVALID state -- these are usually ICMP packets
+# and just confuse people when they appear in the log (these ICMPs cannot be
+# rejected).
+#
+dropInvalid(audit)
+#
+# Reject Microsoft noise so that it doesn't clutter up the log.
+#
+SMB(A_REJECT)
+#
+# Drop 'newnotsyn' traffic so that it doesn't get logged.
+#
+dropNotSyn(audit) - - tcp
+#
+# Drop late-arriving DNS replies. These are just a nuisance and clutter up
+# the log.
+#
+ADropDNSrep
diff --git a/Shorewall6/actions.std b/Shorewall6/actions.std
index ff318e4e6..68d623a24 100644
--- a/Shorewall6/actions.std
+++ b/Shorewall6/actions.std
@@ -19,6 +19,9 @@
 #
 ###############################################################################
 #ACTION
+ADrop # Audited Default Action for DROP policy
+AReject # Audited Default Action for REJECT policy
+AAllowICMPs # Audited Accept needed ICMP6 types
 AllowICMPs # Accept needed ICMP6 types
 Drop # Default Action for DROP policy
 Reject # Default Action for REJECT policy
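Review bot: The comment above `AAllowICMPs - - ipv6-icmp` reads "Drop Multicasts so they don't clutter up the log (broadcasts must *not* be rejected)", but that row accepts the ICMPv6 types the firewall must let through, which is the opposite of what the comment says. It should carry the wording the matching ADrop row already has, `# ACCEPT critical ICMP types`; the broadcast sentence is then repeated, correctly, above dropBcast(audit), so the first copy reads as an editing leftover. A reader auditing this default action would otherwise conclude that needed ICMPv6 is being dropped here.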