Adjust .conf files

Signed-off-by: Tom Eastep <teastep@shorewall.net>
2017-02-11 13:41:28 -08:00 · 2017-02-11 13:41:28 -08:00 · 8c9fb501fd
commit 8c9fb501fd
parent 977fa81d46
11 changed files with 28 additions and 27 deletions
--- a/Shorewall/Samples/Universal/shorewall.conf
+++ b/Shorewall/Samples/Universal/shorewall.conf
@ -108,11 +108,11 @@ TC=
 ###############################################################################

 ACCEPT_DEFAULT="none"
-BLACKLIST_DEFAULT="dropBcast,dropInvalid:$LOG,dropNotSyn:$LOG"
-DROP_DEFAULT="dropBcast,dropInvalid:$LOG,dropNotSyn:$LOG"
+BLACKLIST_DEFAULT="Broadcast(DROP),dropInvalid:$LOG,dropNotSyn:$LOG,DropDNSrep:$LOG"
+DROP_DEFAULT="Broadcast(DROP)"
 NFQUEUE_DEFAULT="none"
 QUEUE_DEFAULT="none"
-REJECT_DEFAULT="dropBcast,dropInvalid:$LOG"
+REJECT_DEFAULT="Broadcast(DROP)"

 ###############################################################################
 #                        R S H / R C P  C O M M A N D S
--- a/Shorewall/Samples/one-interface/shorewall.conf
+++ b/Shorewall/Samples/one-interface/shorewall.conf
@ -119,11 +119,11 @@ TC=
 ###############################################################################

 ACCEPT_DEFAULT="none"
-BLACKLIST_DEFAULT="dropBcast,dropInvalid:$LOG,dropNotSyn:$LOG"
-DROP_DEFAULT="dropBcast,dropInvalid:$LOG,dropNotSyn:$LOG"
+BLACKLIST_DEFAULT="Broadcast(DROP),dropInvalid:$LOG,dropNotSyn:$LOG,DropDNSrep:$LOG"
+DROP_DEFAULT="Broadcast(DROP)"
 NFQUEUE_DEFAULT="none"
 QUEUE_DEFAULT="none"
-REJECT_DEFAULT="dropBcast,dropInvalid:$LOG"
+REJECT_DEFAULT="Broadcast(DROP)"

 ###############################################################################
 #                        R S H / R C P  C O M M A N D S
--- a/Shorewall/Samples/three-interfaces/shorewall.conf
+++ b/Shorewall/Samples/three-interfaces/shorewall.conf
@ -116,11 +116,11 @@ TC=
 ###############################################################################

 ACCEPT_DEFAULT="none"
-BLACKLIST_DEFAULT="dropBcast,dropInvalid:$LOG,dropNotSyn:$LOG"
-DROP_DEFAULT="dropBcast,dropInvalid:$LOG,dropNotSyn:$LOG"
+BLACKLIST_DEFAULT="Broadcast(DROP),dropInvalid:$LOG,dropNotSyn:$LOG,DropDNSrep:$LOG"
+DROP_DEFAULT="Broadcast(DROP),dropInvalid:$LOG,dropNotSyn:$LOG"
 NFQUEUE_DEFAULT="none"
 QUEUE_DEFAULT="none"
-REJECT_DEFAULT="dropBcast,dropInvalid:$LOG"
+REJECT_DEFAULT="Broadcast(DROP),dropInvalid:$LOG"

 ###############################################################################
 #                        R S H / R C P  C O M M A N D S
--- a/Shorewall/Samples/two-interfaces/shorewall.conf
+++ b/Shorewall/Samples/two-interfaces/shorewall.conf
@ -119,11 +119,11 @@ TC=
 ###############################################################################

 ACCEPT_DEFAULT="none"
-BLACKLIST_DEFAULT="dropBcast,dropInvalid:$LOG,dropNotSyn:$LOG"
-DROP_DEFAULT="dropBcast,dropInvalid:$LOG,dropNotSyn:$LOG"
+BLACKLIST_DEFAULT="Broadcast(DROP),dropInvalid:$LOG,dropNotSyn:$LOG,DropDNSrep:$LOG"
+DROP_DEFAULT="Broadcast(DROP)"
 NFQUEUE_DEFAULT="none"
 QUEUE_DEFAULT="none"
-REJECT_DEFAULT="dropBcast,dropInvalid:$LOG"
+REJECT_DEFAULT="Broadcast(DROP)"

 ###############################################################################
 #                        R S H / R C P  C O M M A N D S
--- a/Shorewall/configfiles/shorewall.conf
+++ b/Shorewall/configfiles/shorewall.conf
@ -108,11 +108,11 @@ TC=
 ###############################################################################

 ACCEPT_DEFAULT=none
-BLACKLIST_DEFAULT=dropBcasts,dropNotSyn:$LOG,dropInvalid:$LOG
-DROP_DEFAULT=dropBcasts,dropNotSyn:$LOG,dropInvalid:$LOG
+BLACKLIST_DEFAULT="Broadcast(DROP),dropNotSyn:$LOG,dropInvalid:$LOG,DropDNSrep:$LOG"
+DROP_DEFAULT="Broadcast(DROP)"
 NFQUEUE_DEFAULT=none
 QUEUE_DEFAULT=none
-REJECT_DEFAULT=dropBcasts,dropInvalid:$LOG
+REJECT_DEFAULT="Broadcast(DROP)"

 ###############################################################################
 #			 R S H / R C P	C O M M A N D S
--- a/Shorewall6/Samples6/Universal/shorewall6.conf
+++ b/Shorewall6/Samples6/Universal/shorewall6.conf
@ -72,7 +72,7 @@ UNTRACKED_LOG_LEVEL=
 #	L O C A T I O N	  O F	F I L E S   A N D   D I R E C T O R I E S
 ###############################################################################

-CONFIG_PATH=${CONFDIR}/shorewall6:${SHAREDIR}/shorewall6:${SHAREDIR}/shorewall
+CONFIG_PATH=${SHAREDIR}/shorewall6:${SHAREDIR}/shorewall

 GEOIPDIR=/usr/share/xt_geoip/LE

@ -105,8 +105,8 @@ TC=
 ###############################################################################

 ACCEPT_DEFAULT=none
-BLACKLIST_DEFAULT="AllowICMPs,Broadcast(DROP),dropNotSyn:$LOG"
-DROP_DEFAULT="AllowICMPs,Broadcast(DROP),dropNotSyn:$LOG"
+BLACKLIST_DEFAULT="AllowICMPs,Broadcast(DROP),dropNotSyn:$LOG,DropDNSrep:$LOG"
+DROP_DEFAULT="AllowICMPs,Broadcast(DROP)"
 NFQUEUE_DEFAULT=none
 QUEUE_DEFAULT=none
 REJECT_DEFAULT="AllowICMPs,Broadcast(DROP)"
--- a/Shorewall6/Samples6/one-interface/shorewall6.conf
+++ b/Shorewall6/Samples6/one-interface/shorewall6.conf
@ -106,8 +106,8 @@ TC=
 ###############################################################################

 ACCEPT_DEFAULT=none
-BLACKLIST_DEFAULT="AllowICMPs,Broadcast(DROP),dropNotSyn:$LOG"
-DROP_DEFAULT="AllowICMPs,Broadcast(DROP),dropNotSyn:$LOG"
+BLACKLIST_DEFAULT="AllowICMPs,Broadcast(DROP),dropNotSyn:$LOG,DropDNSrep:$LOG"
+DROP_DEFAULT="AllowICMPs,Broadcast(DROP)"
 NFQUEUE_DEFAULT=none
 QUEUE_DEFAULT=none
 REJECT_DEFAULT="AllowICMPs,Broadcast(DROP)"
--- a/Shorewall6/Samples6/three-interfaces/shorewall6.conf
+++ b/Shorewall6/Samples6/three-interfaces/shorewall6.conf
@ -105,8 +105,8 @@ TC=
 ###############################################################################

 ACCEPT_DEFAULT=none
-BLACKLIST_DEFAULT="AllowICMPs,Broadcast(DROP),dropNotSyn:$LOG"
-DROP_DEFAULT="AllowICMPs,Broadcast(DROP),dropNotSyn:$LOG"
+BLACKLIST_DEFAULT="AllowICMPs,Broadcast(DROP),dropNotSyn:$LOG,DropDNSrep:$LOG"
+DROP_DEFAULT="AllowICMPs,Broadcast(DROP)"
 NFQUEUE_DEFAULT=none
 QUEUE_DEFAULT=none
 REJECT_DEFAULT="AllowICMPs,Broadcast(DROP)"
--- a/Shorewall6/Samples6/two-interfaces/shorewall6.conf
+++ b/Shorewall6/Samples6/two-interfaces/shorewall6.conf
@ -105,8 +105,8 @@ TC=
 ###############################################################################

 ACCEPT_DEFAULT=none
-BLACKLIST_DEFAULT="AllowICMPs,Broadcast(DROP),dropNotSyn:$LOG"
-DROP_DEFAULT="AllowICMPs,Broadcast(DROP),dropNotSyn:$LOG"
+BLACKLIST_DEFAULT="AllowICMPs,Broadcast(DROP),dropNotSyn:$LOG,DropDNSrep:$LOG"
+DROP_DEFAULT="AllowICMPs,Broadcast(DROP)"
 NFQUEUE_DEFAULT=none
 QUEUE_DEFAULT=none
 REJECT_DEFAULT="AllowICMPs,Broadcast(DROP)"
--- a/Shorewall6/actions.std
+++ b/Shorewall6/actions.std
@ -26,6 +26,7 @@ AutoBLL      noinline           # Helper for AutoBL
 Broadcast    noinline      	# Handles Broadcast/Multicast/Anycast
 Drop		        	# Default Action for DROP policy
 dropInvalid  inline		# Drops packets in the INVALID conntrack state
+DropDNSrep   inline		# Drops DNS replies
 DropSmurfs   noinline     	# Handles packets with a broadcast source address
 Established  inline,\		# Handles packets in the ESTABLISHED state
 	     state=ESTABLISHED
--- a/Shorewall6/configfiles/shorewall6.conf
+++ b/Shorewall6/configfiles/shorewall6.conf
@ -105,11 +105,11 @@ TC=
 ###############################################################################

 ACCEPT_DEFAULT=none
-BLACKLIST_DEFAULT=AllowICMPs,dropBcasts,dropNotSyn:$LOG
-DROP_DEFAULT=AllowICMPs,dropBcasts,dropNotSyn:$LOG
+BLACKLIST_DEFAULT="AllowICMPs,Broadcast(DROP)s,dropNotSyn:$LOG,DropDNSrep:$LOG"
+DROP_DEFAULT="AllowICMPs,Broadcast(DROP)"
 NFQUEUE_DEFAULT=none
 QUEUE_DEFAULT=none
-REJECT_DEFAULT=AllowICMPs,dropBcasts
+REJECT_DEFAULT="AllowICMPs,Broadcast(DROP)"

 ###############################################################################
 #			 R S H / R C P	C O M M A N D S