diff --git a/Shorewall/action.Drop b/Shorewall/action.Drop
index 4b9318f95..8894c12c1 100644
--- a/Shorewall/action.Drop
+++ b/Shorewall/action.Drop
@@ -29,7 +29,7 @@
 #
 ###############################################################################
-if @1 ne '' && @1 ne '-'
+?if @1 ne '' && @1 ne '-'
 ?if @1 eq 'audit'
 DEFAULTS -,-,A_DROP,A_ACCEPT,A_DROP
 ?else
diff --git a/Shorewall/action.NotSyn b/Shorewall/action.NotSyn
index c5d1cbe3d..2de26f534 100644
--- a/Shorewall/action.NotSyn
+++ b/Shorewall/action.NotSyn
@@ -1,14 +1,52 @@
 #
-# Shorewall - NotSyn Action
+# Shorewall 4 - NotSyn Action
 #
 # /usr/share/shorewall/action.NotSyn
 #
+# This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
+#
+# (c) 2011 - Tom Eastep (teastep@shorewall.net)
+#
+# Complete documentation is available at http://shorewall.net
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of Version 2 of the GNU General Public License
+# as published by the Free Software Foundation.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+#
 # NotSyn[([])]
 #
 # Default action is DROP
 #
 ##########################################################################################
-DEFAULTS DROP
+DEFAULTS DROP,-
-@1 - - tcp ;; ! --syn
+?begin perl;
+
+use strict;
+use Shorewall::IPAddrs;
+use Shorewall::Config;
+use Shorewall::Chains;
+use Shorewall::Rules;
+
+my ( $action, $audit ) = get_action_params( 2 );
+
+if ( supplied $audit ) {
+    fatal_error "Invalid parameter ($audit) to action NotSyn" if $audit ne 'audit';
+    $action = "A_$action";
+}
+
+perl_action_tcp_helper( $action, '-p 6 ! --syn' );
+
+1;
+
+?end perl;
diff --git a/Shorewall/action.RST b/Shorewall/action.RST
index e77807ab7..6e50d1f1a 100644
--- a/Shorewall/action.RST
+++ b/Shorewall/action.RST
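Review bot: The usage line in the header still reads `# NotSyn[([])]` while the new perl block reads two parameters (`get_action_params( 2 )`) and treats the second one as an `audit` switch that rewrites the target to `"A_$action"`, so the comment no longer documents the interface; change it to `# NotSyn[([action][,audit])]` and add `# 'audit' selects the auditing variant (A_<action>) of the chosen action; only the literal 'audit' is accepted.` The block also imports `Shorewall::IPAddrs`, which nothing in it references (the RST action converted in the same change does without it), so that `use` line looks like a leftover. Whether `A_$action` is rejected for an action that has no auditing variant is not visible here; if `perl_action_tcp_helper` does not catch it, a check before the concatenation would give a clearer compile-time error than whatever the missing target produces later.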
@@ -3,12 +3,48 @@
 #
 # /usr/share/shorewall/action.RST
 #
+# This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
+#
+# (c) 2012 - Tom Eastep (teastep@shorewall.net)
+#
+# Complete documentation is available at http://shorewall.net
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of Version 2 of the GNU General Public License
+# as published by the Free Software Foundation.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+#
 # RST[([])]
 #
 # Default action is DROP
 #
 ##########################################################################################
-DEFAULTS DROP
+DEFAULTS DROP,-
-@1 - - tcp ;; --tcp-flags RST RST
+?begin perl;
+
+use Shorewall::Config;
+use Shorewall::Chains;
+use Shorewall::Rules;
+
+my ( $action, $audit ) = get_action_params( 2 );
+
+if ( supplied $audit ) {
+    fatal_error "Invalid parameter ($audit) to action RST" if $audit ne 'audit';
+    $action = "A_$action";
+}
+
+perl_action_tcp_helper( $action, '-p 6 --tcp-flags RST RST' );
+
+1;
+
+?end perl;
diff --git a/Shorewall/action.TCPFlags b/Shorewall/action.TCPFlags
index 03e6a699f..4200882d5 100644
--- a/Shorewall/action.TCPFlags
+++ b/Shorewall/action.TCPFlags
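Review bot: The `?begin perl;` block in this file does not start with `use strict;`, whereas the NotSyn and TCPFlags blocks converted in the same change do; since the block declares its own lexicals (`my ( $action, $audit )`) and builds `"A_$action"` from them, add `use strict;` as the first line after `?begin perl;` so that a typo such as `$audti` is a compile error rather than a silently undefined global that turns the target into `A_`. Whether strictures are inherited from the compiler that evaluates these blocks is not visible here, so the explicit line is the safe choice either way. The usage comment `# RST[([])]` should likewise mention the new second parameter, e.g. `# RST[([action][,audit])]`.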
@@ -10,20 +10,32 @@
 #
 #################################################################################
-?if @1 ne '-' && @1 ne ''
-    ?if @1 eq 'audit'
-DEFAULTS A_DROP
-    ?else
-    ?error "The first parameter to TCPFlags must be 'audit' or '-'
-    ?endif
-?else
-DEFAULTS DROP
-?endif
+DEFAULTS -
+
+?begin perl;
+use strict;
+use Shorewall::Config qw(:DEFAULT F_IPV4 F_IPV6);
+use Shorewall::Chains;
+use Shorewall::Rules;
+
+my $action = 'DROP';
+
+my ( $audit ) = get_action_params( 1 );
+
+if ( supplied $audit ) {
+    fatal_error "Invalid parameter ($audit) to action TCPFlags" if $audit ne 'audit';
+    $action = "A_DROP";
+}
+
+perl_action_tcp_helper( $action, '-p tcp --tcp-flags ALL FIN,URG,PSH' );
+perl_action_tcp_helper( $action, '-p tcp --tcp-flags ALL NONE' );
+perl_action_tcp_helper( $action, '-p tcp --tcp-flags SYN,RST SYN,RST' );
+perl_action_tcp_helper( $action, '-p tcp --tcp-flags SYN,FIN SYN,FIN' );
+perl_action_tcp_helper( $action, '-p tcp --syn --sport 0' );
+
+?end perl;
+
+
-@1 - - tcp ;; --tcp-flags ALL FIN,URG,PSH
-@1 - - tcp ;; --tcp-flags ALL NONE
-@1 - - tcp ;; --tcp-flags SYN,RST SYN,RST
-@1 - - tcp ;; --tcp-flags SYN,FIN SYN,FIN
-@1 - - tcp ;; --syn --sport 0
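Review bot: `use Shorewall::Config qw(:DEFAULT F_IPV4 F_IPV6);` imports `F_IPV4` and `F_IPV6`, but nothing in the block references them (the five `perl_action_tcp_helper` calls use only `$action` and literal match strings), so the explicit import list looks like a leftover; `use Shorewall::Config;` as in the NotSyn and RST actions in this same change would do. If the constants are meant for a family-specific rule that is still to be written, a one-line `# TODO:` comment saying so would be clearer than an unused import. The two added blank lines after `?end perl;` also appear to be trailing whitespace at the end of the file. A short header comment listing which flag combinations the action drops (and that the last rule matches SYN packets with source port 0) would help readers, since the old rule lines that made that visible at a glance are gone.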