Add Audited Standard IPv6 Default Actions

Signed-off-by: Tom Eastep <teastep@shorewall.net>
2024-11-22 15:43:30 +01:00 · 2011-05-24 07:17:25 -07:00 · 2011-05-24 07:17:25 -07:00 · c5b38de69c
commit c5b38de69c
parent c333368243
4 changed files with 145 additions and 0 deletions
--- a/Shorewall6/action.AAllowICMPs
+++ b/Shorewall6/action.AAllowICMPs
@ -0,0 +1,40 @@
+#
+# Shorewall6 version 4 - Audited AllowICMPs Action
+#
+# /usr/share/shorewall6/action.AAllowICMPs
+#
+#	This action A_ACCEPTs needed ICMP types
+#
+###############################################################################
+#TARGET		SOURCE		DEST	PROTO		DEST
+#							PORT(S)	
+COMMENT Needed ICMP types (RFC4890)
+
+A_ACCEPT	-		-	ipv6-icmp	destination-unreachable
+A_ACCEPT	-		-	ipv6-icmp	packet-too-big
+A_ACCEPT	-		-	ipv6-icmp	time-exceeded
+A_ACCEPT	-		-	ipv6-icmp	parameter-problem
+
+# The following should have a ttl of 255 and must be allowed to transit a bridge
+A_ACCEPT	-		-	ipv6-icmp	router-solicitation
+A_ACCEPT	-		-	ipv6-icmp	router-advertisement
+A_ACCEPT	-		-	ipv6-icmp	neighbour-solicitation
+A_ACCEPT	-		-	ipv6-icmp	neighbour-advertisement
+A_ACCEPT	-		-	ipv6-icmp	137	# Redirect
+A_ACCEPT	-		-	ipv6-icmp	141	# Inverse neighbour discovery solicitation
+A_ACCEPT	-		-	ipv6-icmp	142	# Inverse neighbour discovery advertisement
+
+# The following should have a link local source address and must be allowed to transit a bridge
+A_ACCEPT	fe80::/10	-	ipv6-icmp	130	# Listener query
+A_ACCEPT	fe80::/10	-	ipv6-icmp	131	# Listener report
+A_ACCEPT	fe80::/10	-	ipv6-icmp	132	# Listener done
+A_ACCEPT	fe80::/10	-	ipv6-icmp	143	# Listener report v2
+
+# The following should be received with a ttl of 255 and must be allowed to transit a bridge
+A_ACCEPT	-		-	ipv6-icmp	148	# Certificate path solicitation
+A_ACCEPT	-		-	ipv6-icmp	149	# Certificate path advertisement
+
+# The following should have a link local source address and a ttl of 1 and must be allowed to transit abridge
+A_ACCEPT	fe80::/10	-	ipv6-icmp	151	# Multicast router advertisement
+A_ACCEPT	fe80::/10	-	ipv6-icmp	152	# Multicast router solicitation
+A_ACCEPT	fe80::/10	-	ipv6-icmp	153	# Multicast router termination
--- a/Shorewall6/action.ADrop
+++ b/Shorewall6/action.ADrop
@ -0,0 +1,52 @@
+#
+# Shorewall6 version 4 - Audited Drop Action
+#
+# /usr/share/shorewall6/action.ADrop
+#
+#	The Audited default DROP common rules
+#
+#	This action is invoked before a DROP policy is enforced. The purpose
+#	of the action is:
+#
+#	a) Avoid logging lots of useless cruft.
+#	b) Ensure that 'auth' requests are rejected, even if the policy is
+#	   DROP. Otherwise, you may experience problems establishing
+#	   connections with servers that use auth.
+#	c) Ensure that certain ICMP packets that are necessary for successful
+#	   internet operation are always ACCEPTed.
+#
+# IF YOU ARE HAVING CONNECTION PROBLEMS, CHANGING THIS FILE WON'T HELP!!!!!!!!!
+#
+###############################################################################
+#TARGET			SOURCE	DEST	PROTO	DPORT	SPORT
+#
+# Reject 'auth'
+#
+Auth(A_REJECT)
+#
+# ACCEPT critical ICMP types
+#
+AAllowICMPs		-	-	ipv6-icmp
+#
+# Drop Broadcasts so they don't clutter up the log
+# (broadcasts must *not* be rejected).
+#
+dropBcast(audit)
+#
+# Drop packets that are in the INVALID state -- these are usually ICMP packets
+# and just confuse people when they appear in the log.
+#
+dropInvalid(audit)
+#
+# Drop Microsoft noise so that it doesn't clutter up the log.
+#
+SMB(A_DROP)
+#
+# Drop 'newnotsyn' traffic so that it doesn't get logged.
+#
+dropNotSyn(audit)	-	-	tcp
+#
+# Drop late-arriving DNS replies. These are just a nuisance and clutter up
+# the log.
+#
+ADropDNSrep
--- a/Shorewall6/action.AReject
+++ b/Shorewall6/action.AReject
@ -0,0 +1,50 @@
+#
+# Shorewall6 version 4 - Audited Reject Action
+#
+# /usr/share/shorewall6/action.AReject
+#
+#	The audited default REJECT action common rules
+#
+#	This action is invoked before a REJECT policy is enforced. The purpose
+#	of the action is:
+#
+#	a) Avoid logging lots of useless cruft.
+#	b) Ensure that certain ICMP packets that are necessary for successful
+#	   internet operation are always ACCEPTed.
+#
+# IF YOU ARE HAVING CONNECTION PROBLEMS, CHANGING THIS FILE WON'T HELP!!!!!!!!!
+###############################################################################
+#TARGET			SOURCE	DEST	PROTO
+#
+# Don't log 'auth' -- REJECT
+#
+Auth(A_REJECT)
+#
+# Drop Multicasts so they don't clutter up the log
+# (broadcasts must *not* be rejected).
+#
+AAllowICMPs		-	-	ipv6-icmp
+#
+# Drop Broadcasts so they don't clutter up the log
+# (broadcasts must *not* be rejected).
+#
+dropBcast(audit)
+#
+# Drop packets that are in the INVALID state -- these are usually ICMP packets
+# and just confuse people when they appear in the log (these ICMPs cannot be
+# rejected).
+#
+dropInvalid(audit)
+#
+# Reject Microsoft noise so that it doesn't clutter up the log.
+#
+SMB(A_REJECT)
+#
+# Drop 'newnotsyn' traffic so that it doesn't get logged.
+#
+dropNotSyn(audit)	-	-	tcp
+#
+# Drop late-arriving DNS replies. These are just a nuisance and clutter up
+# the log.
+#
+ADropDNSrep
--- a/Shorewall6/actions.std
+++ b/Shorewall6/actions.std
@ -19,6 +19,9 @@
 #
 ###############################################################################
 #ACTION
+ADrop	            # Audited Default Action for DROP policy
+AReject	            # Audited Default Action for REJECT policy
+AAllowICMPs	    # Audited Accept needed ICMP6 types
 AllowICMPs	    # Accept needed ICMP6 types
 Drop		    # Default Action for DROP policy
 Reject		    # Default Action for REJECT policy