From 9a7f6512a1ad46c33ee329e345e3d0a40c6cc0ca Mon Sep 17 00:00:00 2001
From: Tom Eastep
Date: Mon, 4 Apr 2016 15:58:39 -0700
Subject: [PATCH] Delete IPv6 actions that duplicate IPv4 actions

Signed-off-by: Tom Eastep
---
Shorewall6/action.A_Drop | 52 -------------------------
Shorewall6/action.A_Reject | 50 ------------------------
Shorewall6/action.Drop | 78 --------------------------------------
Shorewall6/action.Reject | 76 -------------------------------------
4 files changed, 256 deletions(-)
delete mode 100644 Shorewall6/action.A_Drop
delete mode 100644 Shorewall6/action.A_Reject
delete mode 100644 Shorewall6/action.Drop
delete mode 100644 Shorewall6/action.Reject

diff --git a/Shorewall6/action.A_Drop b/Shorewall6/action.A_Drop
deleted file mode 100644
index cf11f69ea..000000000
--- a/Shorewall6/action.A_Drop
+++ /dev/null
@@ -1,52 +0,0 @@
-#
-# Shorewall6 version 5 - Audited Drop Action
-#
-# /usr/share/shorewall6/action.ADrop
-#
-# The Audited default DROP common rules
-#
-# This action is invoked before a DROP policy is enforced. The purpose
-# of the action is:
-#
-# a) Avoid logging lots of useless cruft.
-# b) Ensure that 'auth' requests are rejected, even if the policy is
-# DROP. Otherwise, you may experience problems establishing
-# connections with servers that use auth.
-# c) Ensure that certain ICMP packets that are necessary for successful
-# internet operation are always ACCEPTed.
-#
-# IF YOU ARE HAVING CONNECTION PROBLEMS, CHANGING THIS FILE WON'T HELP!!!!!!!!!
-#
-###############################################################################
-#TARGET SOURCE DEST PROTO DPORT SPORT
-#
-# Reject 'auth'
-#
-Auth(A_REJECT)
-#
-# ACCEPT critical ICMP types
-#
-A_AllowICMPs - - ipv6-icmp
-#
-# Drop Broadcasts so they don't clutter up the log
-# (broadcasts must *not* be rejected).
-#
-dropBcast(audit)
-#
-# Drop packets that are in the INVALID state -- these are usually ICMP packets
-# and just confuse people when they appear in the log.
-#
-dropInvalid(audit)
-#
-# Drop Microsoft noise so that it doesn't clutter up the log.
-#
-SMB(A_DROP)
-#
-# Drop 'newnotsyn' traffic so that it doesn't get logged.
-#
-dropNotSyn(audit) - - tcp
-#
-# Drop late-arriving DNS replies. These are just a nuisance and clutter up
-# the log.
-#
-A_DropDNSrep
diff --git a/Shorewall6/action.A_Reject b/Shorewall6/action.A_Reject
deleted file mode 100644
index 50ad35f86..000000000
--- a/Shorewall6/action.A_Reject
+++ /dev/null
@@ -1,50 +0,0 @@
-#
-# Shorewall6 version 5 - Audited Reject Action
-#
-# /usr/share/shorewall6/action.A_Reject
-#
-# The audited default REJECT action common rules
-#
-# This action is invoked before a REJECT policy is enforced. The purpose
-# of the action is:
-#
-# a) Avoid logging lots of useless cruft.
-# b) Ensure that certain ICMP packets that are necessary for successful
-# internet operation are always ACCEPTed.
-#
-# IF YOU ARE HAVING CONNECTION PROBLEMS, CHANGING THIS FILE WON'T HELP!!!!!!!!!
-###############################################################################
-#TARGET SOURCE DEST PROTO
-#
-# Don't log 'auth' -- REJECT
-#
-Auth(A_REJECT)
-#
-# Drop Multicasts so they don't clutter up the log
-# (broadcasts must *not* be rejected).
-#
-A_AllowICMPs - - ipv6-icmp
-#
-# Drop Broadcasts so they don't clutter up the log
-# (broadcasts must *not* be rejected).
-#
-dropBcast(audit)
-#
-# Drop packets that are in the INVALID state -- these are usually ICMP packets
-# and just confuse people when they appear in the log (these ICMPs cannot be
-# rejected).
-#
-dropInvalid(audit)
-#
-# Reject Microsoft noise so that it doesn't clutter up the log.
-#
-SMB(A_REJECT)
-#
-# Drop 'newnotsyn' traffic so that it doesn't get logged.
-#
-dropNotSyn(audit) - - tcp
-#
-# Drop late-arriving DNS replies. These are just a nuisance and clutter up
-# the log.
-#
-A_DropDNSrep
diff --git a/Shorewall6/action.Drop b/Shorewall6/action.Drop
deleted file mode 100644
index 63933a92d..000000000
--- a/Shorewall6/action.Drop
+++ /dev/null
@@ -1,78 +0,0 @@
-#
-# Shorewall6 version 5 - Drop Action
-#
-# /usr/share/shorewall6/action.Drop
-#
-# The default DROP common rules
-#
-# This action is invoked before a DROP policy is enforced. The purpose
-# of the action is:
-#
-# a) Avoid logging lots of useless cruft.
-# b) Ensure that 'auth' requests are rejected, even if the policy is
-# DROP. Otherwise, you may experience problems establishing
-# connections with servers that use auth.
-# c) Ensure that certain ICMP packets that are necessary for successful
-# internet operation are always ACCEPTed.
-#
-# The action accepts five optional parameters:
-#
-# 1 - 'audit' or '-'. Default is '-' which means don't audit in builtin
-# actions.
-# 2 - Action to take with Auth requests. Default is to do nothing special
-# with them.
-# 3 - Action to take with SMB requests. Default is DROP or A_DROP,
-# depending on the setting of the first parameter.
-# 4 - Action to take with required ICMP packets. Default is ACCEPT or
-# A_ACCEPT depending on the first parameter.
-# 5 - Action to take with late UDP replies (UDP source port 53). Default
-# is DROP or A_DROP depending on the first parameter.
-#
-# IF YOU ARE HAVING CONNECTION PROBLEMS, CHANGING THIS FILE WON'T HELP!!!!!!!!!
-#
-###############################################################################
-
-?if passed($1)
- ?if $1 eq 'audit'
-DEFAULTS -,-,A_DROP,A_ACCEPT,A_DROP
- ?else
- ?error The first parameter to Drop must be 'audit' or '-'
- ?endif
-?else
-DEFAULTS -,-,DROP,ACCEPT,DROP
-?endif
-
-#TARGET SOURCE DEST PROTO DPORT SPORT
-#
-# Reject 'auth'
-#
-?if passed($2)
-Auth($2)
-?endif
-#
-# ACCEPT critical ICMP types
-#
-AllowICMPs($4) - - ipv6-icmp
-#
-# Drop Broadcasts so they don't clutter up the log
-# (broadcasts must *not* be rejected).
-#
-Broadcast(DROP,$1)
-#
-# Drop packets that are in the INVALID state -- these are usually ICMP packets
-# and just confuse people when they appear in the log.
-#
-Invalid(DROP,$1)
-#
-# Drop Microsoft noise so that it doesn't clutter up the log.
-#
-SMB($3)
-#
-# Drop 'newnotsyn' traffic so that it doesn't get logged.
-#
-NotSyn(DROP,$1) - - tcp
-#
-# Drop late-arriving DNS replies. These are just a nuisance and clutter up
-# the log.
-#
-DropDNSrep($5)
diff --git a/Shorewall6/action.Reject b/Shorewall6/action.Reject
deleted file mode 100644
index c714457c0..000000000
--- a/Shorewall6/action.Reject
+++ /dev/null
@@ -1,76 +0,0 @@
-#
-# Shorewall6 version 5 - Reject Action
-#
-# /usr/share/shorewall6/action.Reject
-#
-# The default REJECT action common rules
-#
-# This action is invoked before a REJECT policy is enforced. The purpose
-# of the action is:
-#
-# a) Avoid logging lots of useless cruft.
-# b) Ensure that certain ICMP packets that are necessary for successful
-# internet operation are always ACCEPTed.
-#
-# The action accepts five optional parameters:
-#
-# 1 - 'audit' or '-'. Default is '-' which means don't audit in builtin
-# actions.
-# 2 - Action to take with Auth requests. Default is REJECT or A_REJECT,
-# depending on the setting of the first parameter.
-# 3 - Action to take with SMB requests. Default is REJECT or A_REJECT,
-# depending on the setting of the first parameter.
-# 4 - Action to take with required ICMP packets. Default is ACCEPT or
-# A_ACCEPT depending on the first parameter.
-# 5 - Action to take with late UDP replies (UDP source port 53). Default
-# is DROP or A_DROP depending on the first parameter.
-#
-# IF YOU ARE HAVING CONNECTION PROBLEMS, CHANGING THIS FILE WON'T HELP!!!!!!!!!
-###############################################################################
-
-?if passed(@1)
- ?if @1 eq 'audit'
-DEFAULTS -,A_REJECT,A_REJECT,A_ACCEPT,A_DROP
- ?else
- ?error The first parameter to Reject must be 'audit' or '-'
- ?endif
-?else
-DEFAULTS -,REJECT,REJECT,ACCEPT,DROP
-?endif
-
-#TARGET SOURCE DEST PROTO
-#
-# Don't log 'auth' -- REJECT
-#
-?if passed($2)
-Auth($2)
-?endif
-#
-# Drop Multicasts so they don't clutter up the log
-# (broadcasts must *not* be rejected).
-#
-AllowICMPs($4) - - ipv6-icmp
-#
-# Drop Broadcasts so they don't clutter up the log
-# (broadcasts must *not* be rejected).
-#
-Broadcast(DROP,$1)
-#
-# Drop packets that are in the INVALID state -- these are usually ICMP packets
-# and just confuse people when they appear in the log (these ICMPs cannot be
-# rejected).
-#
-Invalid(DROP,$1)
-#
-# Reject Microsoft noise so that it doesn't clutter up the log.
-#
-SMB($3)
-#
-# Drop 'newnotsyn' traffic so that it doesn't get logged.
-#
-NotSyn(DROP,$1) - - tcp
-#
-# Drop late-arriving DNS replies. These are just a nuisance and clutter up
-# the log.
-#
-DropDNSrep($5)