diff --git a/Shorewall/Actions/action.dropBcasts b/Shorewall/Actions/action.dropBcasts
new file mode 100644
index 000000000..8ffb34cfe
--- /dev/null
+++ b/Shorewall/Actions/action.dropBcasts
@@ -0,0 +1,39 @@
+#
+# Shorewall -- /usr/share/shorewall/action.dropBcasts
+#
+# This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
+#
+# (c) 2017 Tom Eastep (teastep@shorewall.net)
+#
+# Complete documentation is available at http://shorewall.net
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of Version 2 of the GNU General Public License
+# as published by the Free Software Foundation.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+#
+# dropBcasts[([audit])]
+#
+###############################################################################
+
+DEFAULTS -
+
+?if passed(@1)
+ ?if @1 eq 'audit'
+ ?require AUDIT_TARGET
+ Broadcast(A_DROP)
+ ?else
+ ?error "Invalid argument (@1) to dropBcasts"
+ ?endif
+?else
+ Broadcast(DROP)
+?endif
+
diff --git a/Shorewall/actions.std b/Shorewall/actions.std
index 96975a2c9..cec2a7837 100644
--- a/Shorewall/actions.std
+++ b/Shorewall/actions.std
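Review bot: The header comment of action.dropBcasts gives only the call syntax, `dropBcasts[([audit])]`, and does not say what the action does or what `audit` changes. From the body, the default path calls `Broadcast(DROP)` and the `audit` path calls `Broadcast(A_DROP)` behind `?require AUDIT_TARGET`, so a rule author who expects audit records needs to know that capability is a precondition. I would add under the syntax line: `# Passes DROP to the Broadcast action; with 'audit', passes A_DROP and requires AUDIT_TARGET.` The test `@1 eq 'audit'` is an exact string match, so any other spelling such as `AUDIT` reaches the `?error` branch; a short `# 'audit' must be lower case` remark in the same header would make that failure easier to diagnose.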
@@ -25,6 +25,7 @@ Broadcast noinline,audit # Handles Broadcast/Anycast
 DNSAmp # Matches one-question recursive DNS queries
 Drop # Default Action for DROP policy (deprecated)
 dropBcast inline # Silently Drop Broadcast
+dropBcasts inline # Silently Drop Broadcast
 dropInvalid inline # Drops packets in the INVALID conntrack state
 dropMcast inline # Silently Drop Multicast
 dropNotSyn noinline # Silently Drop Non-syn TCP packets
diff --git a/Shorewall6/actions.std b/Shorewall6/actions.std
index f2c00e5b6..922ee8de1 100644
--- a/Shorewall6/actions.std
+++ b/Shorewall6/actions.std
@@ -21,6 +21,7 @@ BLACKLIST logjump,section # Add sender to the dynamic blacklist
 Broadcast noinline # Handles Broadcast/Anycast
 Drop # Default Action for DROP policy (deprecated)
 dropBcast inline # Silently Drop Broadcast
+dropBcasts inline # Silently Drop Broadcast
 dropInvalid inline # Drops packets in the INVALID conntrack state
 dropMcast inline # Silently Drop Multicast
 dropNotSyn noinline # Silently Drop Non-syn TCP packets
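Review bot: The new `dropBcasts` entry in Shorewall/actions.std carries the same description, `# Silently Drop Broadcast`, as the `dropBcast` entry one line above it, so the file gives a rule author no way to tell the two actions apart; the Shorewall6/actions.std hunk has the same problem. The names differ by a single letter, so a typo in a rules file would resolve to the other action without any error, and the description is the only place that difference can be explained. Going by action.dropBcasts in this commit, the new action delegates to Broadcast (described in these files as handling Broadcast/Anycast) and accepts an optional `audit` argument, so a comment such as `# Drop Broadcast/Anycast via the Broadcast action; optional 'audit'` would be more accurate than "Silently". Both files continue outside these hunks, so whether `dropBcast` is meant to be superseded is not visible here.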