holm/shorewall_code
1
0
Fork 0
forked from extern/shorewall_code
Code Pull Requests Activity

Don't feed the smurfs

Browse Source 
git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@1093 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
This commit is contained in:
teastep 2004-01-27 22:33:32 +00:00
parent 3a82d46762
commit b4d0cbd1b1
3 changed files with 25 additions and 11 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

5
Shorewall/changelog.txt
View File

@ -10,3 +10,8 @@ Changes since 1.4.9
ADD_SNAT_ALIASES=Yes. ADD_SNAT_ALIASES=Yes.
5) Implement "detectnets" option. 5) Implement "detectnets" option.
6) Correct the CONTINUE target and fix a couple of bugs in rate
limiting (with an assist from Steven Jan Springl).
7) Silently drop smurfs and broadcasts in the 'reject' chain.

22
Shorewall/firewall
View File

@ -4443,23 +4443,27 @@ build_common_chain() {
# #
add_common_rules() { add_common_rules() {
local savelogparms="$LOGPARMS" local savelogparms="$LOGPARMS"
local broadcasts="$(find_broadcasts) 255.255.255.255 224.0.0.0/4"
# #
# Reject Rules # Reject Rules -- Don't respond to broadcasts with an ICMP
#
run_iptables -A reject -p tcp -j REJECT --reject-with tcp-reset
#
# Don't respond to broadcasts with an ICMP
# #
qt iptables -A reject -m pkttype --pkt-type broadcast -j DROP qt iptables -A reject -m pkttype --pkt-type broadcast -j DROP
if ! qt iptables -A reject -m pkttype --pkt-type multicast -j DROP; then if ! qt iptables -A reject -m pkttype --pkt-type multicast -j DROP; then
run_iptables -A reject -d 255.255.255.255 -j DROP #
run_iptables -A reject -d 224.0.0.0/4 -j DROP # No pkttype support -- do it the hard way
#
for address in $(find_broadcasts) ; do for address in $broadcasts ; do
run_iptables -A reject -d $address -j DROP run_iptables -A reject -d $address -j DROP
done done
fi fi
#
# Don't feed the smurfs
#
for address in $broadcasts ; do
run_iptables -A reject -s $address -j DROP
done
run_iptables -A reject -p tcp -j REJECT --reject-with tcp-reset
run_iptables -A reject -p udp -j REJECT run_iptables -A reject -p udp -j REJECT
# #
# Not all versions of iptables support these so don't complain if they don't work # Not all versions of iptables support these so don't complain if they don't work

7
Shorewall/releasenotes.txt
View File

@ -9,7 +9,12 @@ Problems Corrected since version 1.4.9:
during [re]start if ADD_IP_ALIASES=Yes or ADD_SNAT_ALIASES=Yes are during [re]start if ADD_IP_ALIASES=Yes or ADD_SNAT_ALIASES=Yes are
specified in /etc/shorewall/shorewall.conf. specified in /etc/shorewall/shorewall.conf.
3. Shorewall now tried to avoid sending an ICMP response to broadcasts. 3. The CONTINUE action in /etc/shorewall/rules now works correctly. A
couple of problems involving rate limiting have been
corrected. These bug fixes courtesy of Steven Jan Springl.
4. Shorewall now tried to avoid sending an ICMP response to broadcasts
and smurfs.
Migration Issues: Migration Issues: