From c3661ad476a935ef426a34d5404429869a54f368 Mon Sep 17 00:00:00 2001 From: Tom Eastep Date: Tue, 7 Mar 2017 11:30:38 -0800 Subject: [PATCH] Change macro.ICMPs to an inline action Signed-off-by: Tom Eastep --- Shorewall/Actions/action.AllowICMPs | 11 +++++++++++ Shorewall/Macros/macro.AllowICMPs | 13 ------------- Shorewall/actions.std | 1 + 3 files changed, 12 insertions(+), 13 deletions(-) create mode 100644 Shorewall/Actions/action.AllowICMPs delete mode 100644 Shorewall/Macros/macro.AllowICMPs diff --git a/Shorewall/Actions/action.AllowICMPs b/Shorewall/Actions/action.AllowICMPs new file mode 100644 index 000000000..d3a96aed7 --- /dev/null +++ b/Shorewall/Actions/action.AllowICMPs @@ -0,0 +1,11 @@ +# +# Shorewall -- /usr/share/shorewall/action.AllowICMPs +# +# This action ACCEPTs needed ICMP types. +# +############################################################################### +#ACTION SOURCE DEST PROTO DPORT SPORT ORIGDEST RATE USER + +DEFAULTS ACCEPT +@1 - - icmp fragmentation-needed +@2 - - icmp time-exceeded diff --git a/Shorewall/Macros/macro.AllowICMPs b/Shorewall/Macros/macro.AllowICMPs deleted file mode 100644 index 4b56bf3dc..000000000 --- a/Shorewall/Macros/macro.AllowICMPs +++ /dev/null @@ -1,13 +0,0 @@ -# -# Shorewall -- /usr/share/shorewall/macro.AllowICMPs -# -# This macro ACCEPTs needed ICMP types. -# -############################################################################### -#ACTION SOURCE DEST PROTO DPORT SPORT ORIGDEST RATE USER - -?COMMENT Needed ICMP types - -DEFAULT ACCEPT -PARAM - - icmp fragmentation-needed -PARAM - - icmp time-exceeded diff --git a/Shorewall/actions.std b/Shorewall/actions.std index fcf1f15b6..020e9f021 100644 --- a/Shorewall/actions.std +++ b/Shorewall/actions.std 
@@ -25,6 +25,7 @@ A_Drop # Audited Default Action for DROP policy A_REJECT noinline,logjump # Audits then rejects a connection request A_REJECT! inline # Audits then rejects a connection request A_Reject # Audited Default action for REJECT policy +allowICMPs inline # Allow Required ICMP packets allowInvalid inline # Accepts packets in the INVALID conntrack state AutoBL noinline # Auto-blacklist IPs that exceed thesholds AutoBLL noinline # Helper for AutoBL
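Review bot: In the new Shorewall/Actions/action.AllowICMPs, the second rule references `@2` while `DEFAULTS ACCEPT` supplies a default only for `@1`, so an invocation with no parameter (the common case, and what the old macro's single `PARAM` with `DEFAULT ACCEPT` supported) leaves the ACTION column of the `time-exceeded` line empty. Both rules should use the same parameter, i.e. `@1 - - icmp time-exceeded`, so that one optional argument covers both ICMP types as before. The action also drops the macro's `?COMMENT Needed ICMP types` line; keeping it would preserve the rule annotation in the generated ruleset.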
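Review bot: The deletion of Shorewall/Macros/macro.AllowICMPs removes a macro that existing rules files may reference by name; that is only transparent if the replacement action resolves under exactly the same name `AllowICMPs`. The commit subject also calls the removed file `macro.ICMPs`, whereas the file deleted here is `macro.AllowICMPs`; the subject should name the file being converted.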
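Review bot: The entry added to Shorewall/actions.std is `allowICMPs inline`, but the file created in this patch is `action.AllowICMPs` (capital A). Shorewall resolves an action to `action.<name>` by exact name, as the neighbouring `allowInvalid`/`action.allowInvalid` pair shows, so this entry will not find the new file and will not match the `AllowICMPs` name the deleted macro was invoked by. Suggest `+AllowICMPs inline # Allow Required ICMP packets`. Unrelated to this change, the unchanged context line for AutoBL carries the pre-existing typo "thesholds".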