From 2cfe94c879d7e68b873a3303c529584f03f045d8 Mon Sep 17 00:00:00 2001
From: teastep
Date: Sun, 6 Apr 2008 22:46:53 +0000
Subject: [PATCH] Don't respond to IGMP with an ICMP

git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@8396 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
---
 Shorewall-perl/Shorewall/Rules.pm | 7 ++++---
 Shorewall-shell/compiler          | 5 +++++
 2 files changed, 9 insertions(+), 3 deletions(-)

diff --git a/Shorewall-perl/Shorewall/Rules.pm b/Shorewall-perl/Shorewall/Rules.pm
index cbfe9e86e..387c29cb0 100644
--- a/Shorewall-perl/Shorewall/Rules.pm
+++ b/Shorewall-perl/Shorewall/Rules.pm
@@ -564,11 +564,12 @@ sub add_common_rules() {
         }
     }
 
-    add_rule $rejectref , '-p tcp -j REJECT --reject-with tcp-reset';
+    add_rule $rejectref , '-p 2 -j DROP';
+    add_rule $rejectref , '-p 6 -j REJECT --reject-with tcp-reset';
 
     if ( $capabilities{ENHANCED_REJECT} ) {
-        add_rule $rejectref , '-p udp -j REJECT';
-        add_rule $rejectref, '-p icmp -j REJECT --reject-with icmp-host-unreachable';
+        add_rule $rejectref , '-p 17 -j REJECT';
+        add_rule $rejectref, '-p 1 -j REJECT --reject-with icmp-host-unreachable';
         add_rule $rejectref, '-j REJECT --reject-with icmp-host-prohibited';
     } else {
         add_rule $rejectref , '-j REJECT';
diff --git a/Shorewall-shell/compiler b/Shorewall-shell/compiler
index 5606597d7..a0e8aea4a 100755
--- a/Shorewall-shell/compiler
+++ b/Shorewall-shell/compiler
@@ -3644,6 +3644,11 @@ __EOF__
         run_iptables -A reject -s $address -j DROP
     done
 
+    #
+    # Don't respond to IGMP with an ICMP
+    #
+    run_iptables -A reject -p 2 -j DROP
+
     run_iptables -A reject -p tcp -j REJECT --reject-with tcp-reset
     run_iptables -A reject -p udp -j REJECT
     #
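Review bot: The new `add_rule $rejectref , '-p 2 -j DROP';` line in add_common_rules carries no comment saying that protocol 2 is IGMP or why it is dropped instead of answered with an ICMP error, while the shell compiler hunk in the same commit does document it; a reader of the reject chain later sees only a bare number. I would add above it `# Protocol 2 is IGMP: drop it silently instead of answering it with an ICMP error (see Shorewall-shell/compiler for the same rule)`. The same hunk also swaps the symbolic `tcp`, `udp` and `icmp` names for `6`, `17` and `1`, which the commit message does not explain; if the intent is to avoid a dependency on /etc/protocols at run time, a one-line comment such as `# Numeric protocols (6=tcp, 17=udp, 1=icmp) avoid a lookup in /etc/protocols` would make that deliberate rather than looking like an accidental loss of readability. add_common_rules begins and ends outside this hunk.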
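Review bot: The added `run_iptables -A reject -p 2 -j DROP` uses a numeric protocol while the two context lines immediately below it keep the symbolic `-p tcp` and `-p udp`, so the reject chain in this file is now written in two styles. Either spell it `run_iptables -A reject -p igmp -j DROP` to match its neighbours, or extend the new comment block to say why the number is used here, e.g. `# Protocol 2 is IGMP; the number is used so the rule does not depend on /etc/protocols`. The enclosing shell function starts and ends outside this hunk.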