2002-08-07 16:28:04 +02:00
|
|
|
############################################################################
|
2003-03-18 16:16:33 +01:00
|
|
|
# Shorewall 1.4 -- /etc/shorewall/common.def
|
2002-08-07 16:28:04 +02:00
|
|
|
#
|
2003-03-18 16:16:33 +01:00
|
|
|
# This file defines the rules that are applied before a policy of
|
2002-08-07 16:28:04 +02:00
|
|
|
# DROP or REJECT is applied. In addition to the rules defined in this file,
|
|
|
|
# the firewall will also define a DROP rule for each subnet broadcast
|
|
|
|
# address defined in /etc/shorewall/interfaces (including "detect").
|
|
|
|
#
|
|
|
|
# Do not modify this file -- if you wish to change these rules, create
|
|
|
|
# /etc/shorewall/common to replace it. It is suggested that you include
|
2002-08-22 23:33:54 +02:00
|
|
|
# the command ". /etc/shorewall/common.def" in your
|
2002-08-07 16:28:04 +02:00
|
|
|
# /etc/shorewall/common file so that you will continue to get the
|
|
|
|
# advantage of new releases of this file.
|
|
|
|
#
|
|
|
|
run_iptables -A common -p icmp -j icmpdef
|
|
|
|
############################################################################
|
|
|
|
# NETBIOS chatter
|
|
|
|
#
|
|
|
|
run_iptables -A common -p udp --dport 137:139 -j REJECT
|
|
|
|
run_iptables -A common -p udp --dport 445 -j REJECT
|
2003-03-18 16:16:33 +01:00
|
|
|
run_iptables -A common -p tcp --dport 139 -j REJECT
|
|
|
|
run_iptables -A common -p tcp --dport 445 -j REJECT
|
2002-08-07 16:28:04 +02:00
|
|
|
run_iptables -A common -p tcp --dport 135 -j reject
|
|
|
|
############################################################################
|
|
|
|
# UPnP
|
|
|
|
#
|
|
|
|
run_iptables -A common -p udp --dport 1900 -j DROP
|
|
|
|
############################################################################
|
|
|
|
# BROADCASTS
|
|
|
|
#
|
|
|
|
run_iptables -A common -d 255.255.255.255 -j DROP
|
|
|
|
run_iptables -A common -d 224.0.0.0/4 -j DROP
|
|
|
|
############################################################################
|
|
|
|
# AUTH -- Silently reject it so that connections don't get delayed.
|
|
|
|
#
|
|
|
|
run_iptables -A common -p tcp --dport 113 -j reject
|
2003-03-18 16:16:33 +01:00
|
|
|
############################################################################
|
|
|
|
# DNS -- Silenty drop late replies
|
|
|
|
run_iptables -A common -p udp --sport 53 -mstate --state NEW -j DROP
|
|
|
|
|
2002-08-07 16:28:04 +02:00
|
|
|
|
|
|
|
|