Add AllowICMPs action and invoke from Drop and Reject

git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@1666 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
2004-10-07 22:56:35 +00:00 · 2004-10-07 22:56:35 +00:00 · aeb3d2cea2
commit aeb3d2cea2
parent 31f0b2dc68
7 changed files with 91 additions and 8 deletions
--- a/Shorewall2/action.AllowICMPs
+++ b/Shorewall2/action.AllowICMPs
@ -0,0 +1,11 @@
+#
+# Shorewall 2.1 /usr/share/shorewall/action.AllowICMPs
+#
+#	ACCEPT needed ICMP types
+#
+######################################################################################
+#TARGET  SOURCE		DEST      	PROTO	DEST    SOURCE	 	RATE	USER/
+#                       	        	PORT    PORT(S)		LIMIT	GROUP
+#
+ACCEPT	-		-		icmp	fragmentation-needed
+ACCEPT	-		-		icmp	time-exceeded
--- a/Shorewall2/action.Drop
+++ b/Shorewall2/action.Drop
@ -3,14 +3,47 @@
 #
 #	The default DROP common rules
 #
+# This action is invoked before a DROP policy is enforced. The purpose of the action
+# is:
+#
+#	a) Avoid logging lots of useless cruft. 
+#	b) Ensure that 'auth' requests are rejected, even if the policy is DROP.
+#	   Otherwise, you may experience problems establishing connections with
+#	   servers that use auth.
+#       c) Ensure that certain ICMP packets that are necessary for successful 
+#	   internet operation are always ACCEPTed.
+#
+# IF YOU ARE HAVING CONNECTION PROBLEMS, CHANGING THIS FILE WON'T HELP!!!!!!!!!!!!
 ######################################################################################
-#TARGET  SOURCE		DEST      	PROTO	DEST    SOURCE	 	RATE	USER/
-#                       	        	PORT    PORT(S)		LIMIT	GROUP
+#TARGET  	SOURCE		DEST      	PROTO
+#
+# Reject 'auth'
+#
 RejectAuth
+#
+# Don't log broadcasts
+#
 dropBcast
+#
+# ACCEPT critical ICMP types
+#
+AllowICMPs	-		-		icmp
+#
+# Drop packets that in the INVALID state -- these are usually ICMP packets and just
+# confuse people when they appear in the log.
+#
 dropInvalid
+#
+# Drop Microsoft noise so that it doesn't clutter up the log.
+#
 DropSMB
 DropUPnP
-dropNotSyn
+#
+# Drop 'newnotsyn' traffic so that it doesn't get logged.
+#
+dropNotSyn	-		-		tcp
+#
+# Drop late-arriving DNS replies. These are just a nuisance and clutter up the log.
+#
 DropDNSrep
 #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
--- a/Shorewall2/action.Reject
+++ b/Shorewall2/action.Reject
@ -3,14 +3,44 @@
 #
 #	The default REJECT action common rules
 #
+# This action is invoked before a REJECT policy is enforced. The purpose of the action
+# is:
+#
+#	a) Avoid logging lots of useless cruft. 
+#       b) Ensure that certain ICMP packets that are necessary for successful 
+#	   internet operation are always ACCEPTed.
+#
+# IF YOU ARE HAVING CONNECTION PROBLEMS, CHANGING THIS FILE WON'T HELP!!!!!!!!!!!!
 ######################################################################################
-#TARGET  SOURCE		DEST      	PROTO	DEST    SOURCE	 	RATE	USER/
-#                       	        	PORT    PORT(S)		LIMIT	GROUP
+#TARGET  	SOURCE		DEST      	PROTO
+#
+# Don't log 'auth' REJECT
+#
 RejectAuth
+#
+# Drop Broadcasts so they don't clutter up the log (broadcasts must *not* be rejected).
+#
 dropBcast
+#
+# ACCEPT critical ICMP types
+#
+AllowICMPs	-		-		icmp
+#
+# Drop packets that in the INVALID state -- these are usually ICMP packets and just
+# confuse people when they appear in the log (these ICMPs cannot be rejected).
+#
 dropInvalid
+#
+# Drop Microsoft noise so that it doesn't clutter up the lot.
+#
 RejectSMB
 DropUPnP
-dropNotSyn
+#
+# Drop 'newnotsyn' traffic so that it doesn't get logged.
+#
+dropNotSyn	-		-		tcp
+#
+# Drop late-arriving DNS replies. These are just a nuisance and clutter up the log.
+#
 DropDNSrep
 #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
--- a/Shorewall2/actions.std
+++ b/Shorewall2/actions.std
@ -32,6 +32,7 @@ AllowSMB	#Allow MS Networking
 AllowAuth	#Allow Auth (identd)
 AllowSMTP	#Allow SMTP (Email)
 AllowPOP3	#Allow reading mail via POP3
+AllowICMPs	#Allows critical ICMP types
 AllowIMAP	#Allow reading mail via IMAP
 AllowTelnet	#Allow Telnet Access (not recommended for use over the
 		#Internet)
--- a/Shorewall2/changelog.txt
+++ b/Shorewall2/changelog.txt
@ -92,6 +92,8 @@ Changes since 2.0.3

 44) Implememt LOGTAGONLY.

-46) Merge 'tcrules' clarification from 2.0.10.
+45) Merge 'tcrules' clarification from 2.0.10.

 46) Implement 'sourceroute' interface option.
+
+47) Add 'icmps' action.
--- a/Shorewall2/releasenotes.txt
+++ b/Shorewall2/releasenotes.txt
@ -520,4 +520,9 @@ New Features:
    interfaces. If you wish to accept source routing on an interface,
    you must specify the new 'sourceroute' interface option in
    /etc/shorewall/interfaces.
- 
+
+20) The default Drop and Reject actions now invoke the new standard
+    action 'AllowICMPs'. This new action accepts critical ICMP types:
+    
+	Type 3 code 4 (fragmentation needed)
+	Type 11       (TTL exceeded)
--- a/Shorewall2/shorewall.spec
+++ b/Shorewall2/shorewall.spec
@ -101,6 +101,7 @@ fi
 %attr(0600,root,root) /usr/share/shorewall/action.AllowAuth
 %attr(0600,root,root) /usr/share/shorewall/action.AllowDNS
 %attr(0600,root,root) /usr/share/shorewall/action.AllowFTP
+%attr(0600,root,root) /usr/share/shorewall/action.AllowICMPs
 %attr(0600,root,root) /usr/share/shorewall/action.AllowIMAP
 %attr(0600,root,root) /usr/share/shorewall/action.AllowNNTP
 %attr(0600,root,root) /usr/share/shorewall/action.AllowNTP