Make a couple of the user-defined actions builtins
git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@1121 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
parent
7316f20d8e
commit
a4fc4c2ea0
@ -1,17 +0,0 @@
|
||||
#!/bin/sh
|
||||
#
|
||||
# Shorewall 2.0 /etc/shorewall/DropBcast
|
||||
#
|
||||
# System-provided user exit for adding rules to the DropBcast chain
|
||||
# created by the DropBcast action (action.DropBcast)
|
||||
|
||||
qt iptables -A DropBcast -m pkttype --pkt-type broadcast -j DROP
|
||||
|
||||
if ! qt iptables -A DropBcast -m pkttype --pkt-type multicast -j DROP; then
|
||||
#
|
||||
# No pkttype support -- do it the hard way
|
||||
#
|
||||
for address in $(find_broadcasts) 255.255.255.255 224.0.0.0/4 ; do
|
||||
run_iptables -A DropBcast -d $address -j DROP
|
||||
done
|
||||
fi
|
@ -1,7 +0,0 @@
|
||||
#
|
||||
# Shorewall 2.0 /etc/shorewall/DropNonSyn
|
||||
#
|
||||
# System-provided user exit for adding rules to the DropNonSyn chain
|
||||
# created by the DropNonSyn action (action.DropNonSyn)
|
||||
|
||||
run_iptables -A DropNonSyn -p tcp ! --syn -j DROP
|
@ -7,9 +7,9 @@
|
||||
#TARGET SOURCE DEST PROTO DEST SOURCE RATE USER/
|
||||
# PORT PORT(S) LIMIT GROUP
|
||||
RejectAuth
|
||||
DropBcast
|
||||
dropBcast
|
||||
DropSMB
|
||||
DropUPnP
|
||||
DropNonSyn
|
||||
dropNonSyn
|
||||
DropDNSrep
|
||||
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
|
||||
|
@ -1,10 +0,0 @@
|
||||
#
|
||||
# Shorewall 2.0 /etc/shorewall/action.DropBcast
|
||||
#
|
||||
# This action silently drops Broadcast Traffic. The Chain is
|
||||
# built by the extensions script /etc/shorewall/DropBcast
|
||||
#
|
||||
######################################################################################
|
||||
#TARGET SOURCE DEST PROTO DEST SOURCE RATE USER/
|
||||
# PORT PORT(S) LIMIT GROUP
|
||||
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
|
@ -1,10 +0,0 @@
|
||||
#
|
||||
# Shorewall 2.0 /etc/shorewall/action.DropNotSyn
|
||||
#
|
||||
# This action silently drops Non-Syn Packets. The file
|
||||
# /etc/shorewall/DropNotSyn implements this action.
|
||||
#
|
||||
######################################################################################
|
||||
#TARGET SOURCE DEST PROTO DEST SOURCE RATE USER/
|
||||
# PORT PORT(S) LIMIT GROUP
|
||||
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
|
@ -7,9 +7,9 @@
|
||||
#TARGET SOURCE DEST PROTO DEST SOURCE RATE USER/
|
||||
# PORT PORT(S) LIMIT GROUP
|
||||
RejectAuth
|
||||
DropBcast
|
||||
dropBcast
|
||||
RejectSMB
|
||||
DropUPnP
|
||||
DropNonSyn
|
||||
dropNonSyn
|
||||
DropDNSRep
|
||||
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
|
||||
|
@ -2,11 +2,16 @@
|
||||
# Shorewall 2.0 /etc/shorewall/actions.std
|
||||
#
|
||||
#
|
||||
DropBcast #Silently Drops Broadcast Traffic
|
||||
# Builtin Actions are:
|
||||
#
|
||||
# dropBcast #Silently Drop Broadcast/multicast
|
||||
# dropNonSyn #Silently Drop Non-syn TCP packets
|
||||
#
|
||||
#ACTION
|
||||
|
||||
DropSMB #Silently Drops Microsoft SMB Traffic
|
||||
RejectSMB #Silently Reject Microsoft SMB Traffic
|
||||
DropUPnP #Silently Drop UPnP Probes
|
||||
DropNonSyn #Silently Drop Non-syn TCP packets
|
||||
RejectAuth #Silently Reject Auth
|
||||
DropPing #Silently Drop Ping
|
||||
DropDNSrep #Silently Drop DNS Replies
|
||||
@ -30,6 +35,6 @@ AllowNNTP #Allow network news (Usenet).
|
||||
AllowTrcrt #Allows Traceroute (20 hops)
|
||||
AllowSNMP #Allows SNMP (including traps)
|
||||
|
||||
Drop:DROP #Common rules for DROP policy
|
||||
Reject:REJECT #Common Action for Reject policy
|
||||
Drop:DROP #Common Action for DROP policy
|
||||
Reject:REJECT #Common Action for REJECT policy
|
||||
#LAST LINE - ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE
|
||||
|
@ -29,3 +29,6 @@ Changes since 1.4.10
|
||||
14) Add action.AllowSNMP
|
||||
|
||||
15) Move some code from firewall to functions
|
||||
|
||||
16) Removed the DropBcast and DropNonSyn actions and replaced them with
|
||||
builtin actions dropBcast and dropNonSyn.
|
||||
|
@ -2325,6 +2325,31 @@ process_action() # $1 = action
|
||||
#
|
||||
|
||||
process_actions() {
|
||||
#
|
||||
# Add the builtin actions
|
||||
#
|
||||
add_builtin_actions() {
|
||||
|
||||
if [ "$command" != check ]; then
|
||||
createchain dropBcast no
|
||||
qt iptables -A dropBcast -m pkttype --pkt-type broadcast -j DROP
|
||||
if ! qt iptables -A dropBcast -m pkttype --pkt-type multicast -j DROP; then
|
||||
#
|
||||
# No pkttype support -- do it the hard way
|
||||
#
|
||||
for address in $(find_broadcasts) 255.255.255.255 224.0.0.0/4 ; do
|
||||
run_iptables -A dropBcast -d $address -j DROP
|
||||
done
|
||||
fi
|
||||
|
||||
createchain dropNonSyn no
|
||||
run_iptables -A dropNonSyn -p tcp ! --syn -j DROP
|
||||
fi
|
||||
|
||||
ACTIONS="dropBcast dropNonSyn"
|
||||
|
||||
}
|
||||
|
||||
#
|
||||
# Process a rule where the source or destination is "all"
|
||||
#
|
||||
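Review bot: The fallback in add_builtin_actions is keyed only on the multicast rule, so a failure of the broadcast rule on the line above it (its status is swallowed by `qt`) is never compensated: if `-m pkttype` accepts multicast but rejects broadcast, the dropBcast chain ends up dropping nothing for broadcast traffic while callers of the action assume it covers both. Gating the fallback on either rule failing, `if ! qt iptables -A dropBcast -m pkttype --pkt-type broadcast -j DROP || ! qt iptables -A dropBcast -m pkttype --pkt-type multicast -j DROP; then`, closes that gap and costs nothing when pkttype works. The function would also benefit from a header stating its contract, e.g. `# Build the dropBcast and dropNonSyn chains (skipped under 'check') and seed ACTIONS with their names; any earlier ACTIONS value is overwritten`. Whether the actions-file loop that follows rejects a user-defined action reusing one of these builtin names cannot be seen here, and process_actions continues past the end of the hunk.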
@ -2366,6 +2391,8 @@ process_actions() {
|
||||
process_action $xaction $xtarget $xclients $xservers $xprotocol $xports $xcports $xratelimit $xuserspec
|
||||
}
|
||||
|
||||
add_builtin_actions
|
||||
|
||||
strip_file actions
|
||||
|
||||
while read xaction rest; do
|
||||
@ -2613,7 +2640,7 @@ add_nat_rule() {
|
||||
# Add one Filter Rule -- Helper function for the rules file processor
|
||||
#
|
||||
# The caller has established the following variables:
|
||||
# check = current command. If 'check', we're executing a 'check'
|
||||
# command = current command. If 'check', we're executing a 'check'
|
||||
# which only goes through the motions.
|
||||
# client = SOURCE IP or MAC
|
||||
# server = DESTINATION IP or interface
|
||||
|
@ -24,6 +24,9 @@
|
||||
# want to make an entry that applies to all PPP
|
||||
# interfaces, use 'ppp+'.
|
||||
#
|
||||
# There is no need to define the loopback interface (lo)
|
||||
# in this file.
|
||||
#
|
||||
# BROADCAST The broadcast address for the subnetwork to which the
|
||||
# interface belongs. For P-T-P interfaces, this
|
||||
# column is left black.If the interface has multiple
|
||||
|
@ -42,8 +42,8 @@ Issues when migrating from Shorewall to Shorewall2:
|
||||
|
||||
1) The 'dropunclean' and 'logunclean' interface options are no longer
|
||||
supported. If either option is specified in
|
||||
/etc/shorewall2/interfaces, an error message will be generated and
|
||||
Shorewall2 will fail to start.
|
||||
/etc/shorewall2/interfaces, an threatening message will be
|
||||
generated.
|
||||
|
||||
2) The NAT_BEFORE_RULES option has been removed from
|
||||
shorewall.conf. The behavior of Shorewall2 is as if
|
||||
@ -114,6 +114,7 @@ Issues when migrating from Shorewall to Shorewall2:
|
||||
AllowRdate #Allow remote time (rdate).
|
||||
AllowNNTP #Allow network news (Usenet).
|
||||
AllowTrcrt #Allows Traceroute (20 hops)
|
||||
AllowSNMP #Allows SNMP (including traps)
|
||||
|
||||
Drop:DROP #Common rules for DROP policy
|
||||
Reject:REJECT #Common Action for Reject policy
|
||||
@ -146,7 +147,7 @@ Issues when migrating from Shorewall to Shorewall2:
|
||||
like in the rules file (see below). It is thus possible to create
|
||||
actions that control traffic from a list of users and/or groups.
|
||||
|
||||
The last column in /etc/shorewall2/rules is now labeled /USER/GROUP
|
||||
The last column in /etc/shorewall2/rules is now labeled USER/GROUP
|
||||
and may contain:
|
||||
|
||||
[!]<user id>[:]
|
||||
|
@ -168,8 +168,9 @@ RFC1918_LOG_LEVEL=info
|
||||
#
|
||||
# SMURF Log Level
|
||||
#
|
||||
# Specifies the logging level for smurf packets. If set to the empty
|
||||
# value ( SMURF_LOG_LEVEL="" ) then smurfs are not logged.
|
||||
# Specifies the logging level for smurf packets dropped by the
|
||||
#'nosmurfs' interface option in /etc/shorewall/interfaces. If set to the empty
|
||||
# value ( SMURF_LOG_LEVEL="" ) then dropped smurfs are not logged.
|
||||
|
||||
SMURF_LOG_LEVEL=info
|
||||
|
||||
|