From 41c7c8f92305641ca6e563dfdfda4337fd2db2de Mon Sep 17 00:00:00 2001
From: Tom Eastep
Date: Wed, 27 Jun 2012 15:16:16 -0700
Subject: [PATCH] Make the Invalid Drop rules uniform across sample files.

Signed-off-by: Tom Eastep
---
 Shorewall/Samples/Universal/rules | 2 +-
 Shorewall/Samples/one-interface/rules | 4 ++++
 Shorewall/Samples/three-interfaces/rules | 2 +-
 Shorewall/Samples/two-interfaces/rules | 2 +-
 Shorewall6/Samples6/Universal/rules | 1 +
 Shorewall6/Samples6/one-interface/rules | 4 ++++
 Shorewall6/Samples6/three-interfaces/rules | 2 +-
 Shorewall6/Samples6/two-interfaces/rules | 2 +-
 8 files changed, 14 insertions(+), 5 deletions(-)

diff --git a/Shorewall/Samples/Universal/rules b/Shorewall/Samples/Universal/rules
index 6d5680f0e..9d6a22962 100644
--- a/Shorewall/Samples/Universal/rules
+++ b/Shorewall/Samples/Universal/rules
@@ -13,6 +13,6 @@
 #SECTION ESTABLISHED
 #SECTION RELATED
 SECTION NEW
-
+Invalid(DROP) net $FW tcp
 SSH(ACCEPT) net $FW
 Ping(ACCEPT) net $FW
diff --git a/Shorewall/Samples/one-interface/rules b/Shorewall/Samples/one-interface/rules
index 3dfaf2c8e..e2f07c175 100644
--- a/Shorewall/Samples/one-interface/rules
+++ b/Shorewall/Samples/one-interface/rules
@@ -18,6 +18,10 @@
 #SECTION RELATED
 SECTION NEW
+# Drop packets in the INVALID state
+
+Invalid(DROP) net $FW tcp
+
 # Drop Ping from the "bad" net zone.. and prevent your log from being flooded..
 Ping(DROP) net $FW
diff --git a/Shorewall/Samples/three-interfaces/rules b/Shorewall/Samples/three-interfaces/rules
index 1fe59b6f5..5b6e2ba14 100644
--- a/Shorewall/Samples/three-interfaces/rules
+++ b/Shorewall/Samples/three-interfaces/rules
@@ -20,7 +20,7 @@
 SECTION NEW
 # Don't allow connection pickup from the net
 #
-Invalid(DROP) net all
+Invalid(DROP) net all tcp
 #
 # Accept DNS connections from the firewall to the Internet
 #
diff --git a/Shorewall/Samples/two-interfaces/rules b/Shorewall/Samples/two-interfaces/rules
index f6d39320f..1643973b5 100644
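Review bot: The new `Invalid(DROP) net $FW tcp` line in Shorewall/Samples/Universal/rules carries no comment, unlike the same line added to the one-interface sample, so a reader of this sample is left to guess why only TCP is dropped and why the line must sit above `SSH(ACCEPT)`. As far as I understand Shorewall, rules within a section are matched in order, so the drop only does its job while it stays ahead of the ACCEPT lines, and a later edit that reorders them would silently defeat it. A one-line comment such as `# Drop TCP packets in the INVALID state; keep this above the ACCEPT rules` would record both points. The same applies to the hunk in Shorewall6/Samples6/Universal/rules.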
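Review bot: The added comment `# Drop packets in the INVALID state` in Shorewall/Samples/one-interface/rules promises more than the rule beneath it delivers, since `Invalid(DROP) net $FW tcp` is limited to TCP and INVALID-state packets of other protocols fall through to the rules below it and, presumably, to the net-to-$FW policy, which this patch does not show. Changing it to `# Drop TCP packets in the INVALID state` keeps the comment honest for anyone copying the sample. The identical hunk in Shorewall6/Samples6/one-interface/rules has the same mismatch.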
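Review bot: The narrowing of `Invalid(DROP) net all` to `Invalid(DROP) net all tcp` in Shorewall/Samples/three-interfaces/rules is an undocumented behaviour change rather than the uniformity the subject line describes: neither the commit message nor the unchanged comment `# Don't allow connection pickup from the net` says why non-TCP INVALID packets from the net zone should no longer be dropped here. Users who copy this sample may not notice that such packets now fall through to the later rules and to the net policy, which this patch does not show. I'd state the scope and the reason in the comment, e.g. `# Don't allow TCP connection pickup from the net (non-TCP INVALID packets fall through to later rules/policy)`. The same applies to Shorewall/Samples/two-interfaces/rules, Shorewall6/Samples6/three-interfaces/rules and Shorewall6/Samples6/two-interfaces/rules.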
--- a/Shorewall/Samples/two-interfaces/rules
+++ b/Shorewall/Samples/two-interfaces/rules
@@ -20,7 +20,7 @@
 SECTION NEW
 # Don't allow connection pickup from the net
 #
-Invalid(DROP) net all
+Invalid(DROP) net all tcp
 #
 # Accept DNS connections from the firewall to the network
 #
diff --git a/Shorewall6/Samples6/Universal/rules b/Shorewall6/Samples6/Universal/rules
index 5ae7cfbad..7c1919dba 100644
--- a/Shorewall6/Samples6/Universal/rules
+++ b/Shorewall6/Samples6/Universal/rules
@@ -14,5 +14,6 @@
 #SECTION RELATED
 SECTION NEW
+Invalid(DROP) net $FW tcp
 SSH(ACCEPT) net $FW
 Ping(ACCEPT) net $FW
diff --git a/Shorewall6/Samples6/one-interface/rules b/Shorewall6/Samples6/one-interface/rules
index e051f8e01..e96481094 100644
--- a/Shorewall6/Samples6/one-interface/rules
+++ b/Shorewall6/Samples6/one-interface/rules
@@ -18,6 +18,10 @@
 #SECTION RELATED
 SECTION NEW
+# Drop packets in the INVALID state
+
+Invalid(DROP) net $FW tcp
+
 # Drop Ping from the "bad" net zone.. and prevent your log from being flooded..
 Ping(DROP) net $FW
diff --git a/Shorewall6/Samples6/three-interfaces/rules b/Shorewall6/Samples6/three-interfaces/rules
index a8a8d2979..146da6ca3 100644
--- a/Shorewall6/Samples6/three-interfaces/rules
+++ b/Shorewall6/Samples6/three-interfaces/rules
@@ -20,7 +20,7 @@
 SECTION NEW
 # Don't allow connection pickup from the net
 #
-Invalid(DROP) net all
+Invalid(DROP) net all tcp
 #
 # Accept DNS connections from the firewall to the Internet
 #
diff --git a/Shorewall6/Samples6/two-interfaces/rules b/Shorewall6/Samples6/two-interfaces/rules
index 2e95245eb..6eb06ac76 100644
--- a/Shorewall6/Samples6/two-interfaces/rules
+++ b/Shorewall6/Samples6/two-interfaces/rules
@@ -20,7 +20,7 @@
 SECTION NEW
 # Don't allow connection pickup from the net
 #
-Invalid(DROP) net all
+Invalid(DROP) net all tcp
 #
 # Accept DNS connections from the firewall to the network
 #