diff --git a/Shorewall/Actions/action.A_AllowICMPs.deprecated b/Shorewall/Actions/action.A_AllowICMPs.deprecated
deleted file mode 100644
index cecb89f9e..000000000
--- a/Shorewall/Actions/action.A_AllowICMPs.deprecated
+++ /dev/null
@@ -1,9 +0,0 @@
-#
-# Shorewall6 -- /usr/share/shorewall/action.A_AllowICMPs
-#
-# This action A_ACCEPTs needed ICMP types
-#
-###############################################################################
-#ACTION SOURCE DEST PROTO DPORT
-
-AllowICMPs(A_ACCEPT)
diff --git a/Shorewall/Actions/action.A_Drop.deprecated b/Shorewall/Actions/action.A_Drop.deprecated
deleted file mode 100644
index adf07c2f6..000000000
--- a/Shorewall/Actions/action.A_Drop.deprecated
+++ /dev/null
@@ -1,57 +0,0 @@
-#
-# Shorewall -- /usr/share/shorewall/action.A_Drop
-#
-# The audited default DROP common rules
-#
-# This action is invoked before a DROP policy is enforced. The purpose
-# of the action is:
-#
-# a) Avoid logging lots of useless cruft.
-# b) Ensure that certain ICMP packets that are necessary for successful
-# internet operation are always ACCEPTed.
-#
-# IF YOU ARE HAVING CONNECTION PROBLEMS, CHANGING THIS FILE WON'T HELP!!!!!!!!!
-#
-?require AUDIT_TARGET
-?warning "You are using the deprecated A_Drop default action. Please see http://www.shorewall.net/Actions.html
-###############################################################################
-#ACTION SOURCE DEST PROTO DPORT SPORT
-#
-# Count packets that come through here
-#
-COUNT
-#
-# Special Handling for Auth
-#
-Auth(A_DROP)
-#
-# ACCEPT critical ICMP types
-#
-# For IPv6 connectivity ipv6-icmp broadcasting is required so
-# AllowICMPs must be before broadcast Drop.
-#
-A_AllowICMPs - - icmp
-#
-# Don't log broadcasts and multicasts
-#
-dropBcast(audit)
-dropMcast(audit)
-#
-# Drop packets that are in the INVALID state -- these are usually ICMP packets
-# and just confuse people when they appear in the log.
-#
-dropInvalid(audit)
-#
-# Drop Microsoft noise so that it doesn't clutter up the log.
-#
-SMB(A_DROP)
-A_DropUPnP
-#
-# Drop 'newnotsyn' traffic so that it doesn't get logged.
-#
-dropNotSyn(audit) - - tcp
-#
-# Drop late-arriving DNS replies. These are just a nuisance and clutter up
-# the log.
-#
-A_DropDNSrep
diff --git a/Shorewall/Actions/action.A_Reject.deprecated b/Shorewall/Actions/action.A_Reject.deprecated
deleted file mode 100644
index 8f99e8d6c..000000000
--- a/Shorewall/Actions/action.A_Reject.deprecated
+++ /dev/null
@@ -1,54 +0,0 @@
-#
-# Shorewall -- /usr/share/shorewall/action.A_Reject
-#
-# The audited default REJECT action common rules
-#
-# This action is invoked before a REJECT policy is enforced. The purpose
-# of the action is:
-#
-# a) Avoid logging lots of useless cruft.
-# b) Ensure that certain ICMP packets that are necessary for successful
-# internet operation are always ACCEPTed.
-#
-# IF YOU ARE HAVING CONNECTION PROBLEMS, CHANGING THIS FILE WON'T HELP!!!!!!!!!
-?require AUDIT_TARGET
-?warning "You are using the deprecated A_REJECT default action. Please see http://www.shorewall.net/Actions.html
-###############################################################################
-#ACTION SOURCE DEST PROTO
-#
-# Count packets that come through here
-#
-COUNT
-#
-# ACCEPT critical ICMP types
-#
-# For IPv6 connectivity ipv6-icmp broadcasting is required so
-# AllowICMPs must be before broadcast Drop.
-#
-A_AllowICMPs - - icmp
-#
-# Drop Broadcasts and multicasts so they don't clutter up the log
-# (these must *not* be rejected).
-#
-dropBcast(audit)
-dropMcast(audit)
-#
-# Drop packets that are in the INVALID state -- these are usually ICMP packets
-# and just confuse people when they appear in the log (these ICMPs cannot be
-# rejected).
-#
-dropInvalid(audit)
-#
-# Reject Microsoft noise so that it doesn't clutter up the log.
-#
-SMB(A_REJECT)
-A_DropUPnP
-#
-# Drop 'newnotsyn' traffic so that it doesn't get logged.
-#
-dropNotSyn(audit) - - tcp
-#
-# Drop late-arriving DNS replies. These are just a nuisance and clutter up
-# the log.
-#
-A_DropDNSrep
diff --git a/Shorewall/Actions/action.Drop.deprecated b/Shorewall/Actions/action.Drop.deprecated
deleted file mode 100644
index 8cf6ad823..000000000
--- a/Shorewall/Actions/action.Drop.deprecated
+++ /dev/null
@@ -1,84 +0,0 @@
-#
-# Shorewall -- /usr/share/shorewall/action.Drop
-#
-# The former default DROP common rules. Use of this action is now deprecated
-#
-# This action is invoked before a DROP policy is enforced. The purpose
-# of the action is:
-#
-# a) Avoid logging lots of useless cruft.
-# b) Ensure that certain ICMP packets that are necessary for successful
-# internet operation are always ACCEPTed.
-#
-# The action accepts six optional parameters:
-#
-# 1 - 'audit' or '-'. Default is '-' which means don't audit in builtin
-# actions.
-# 2 - Action to take with Auth requests. Default is to do nothing special
-# with them.
-# 3 - Action to take with SMB requests. Default is DROP or A_DROP,
-# depending on the setting of the first parameter.
-# 4 - Action to take with required ICMP packets. Default is ACCEPT or
-# A_ACCEPT depending on the first parameter.
-# 5 - Action to take with late DNS replies (UDP source port 53). Default
-# is DROP or A_DROP depending on the first parameter.
-# 6 - Action to take with UPnP packets. Default is DROP or A_DROP
-# depending on the first parameter.
-#
-# IF YOU ARE HAVING CONNECTION PROBLEMS, CHANGING THIS FILE WON'T HELP!!!!!!!!!
-#
-###############################################################################
-?warning "You are using the deprecated Drop default action. Please see http://www.shorewall.net/Actions.html#Default"
-
-?if passed(@1)
- ?if @1 eq 'audit'
-DEFAULTS -,-,A_DROP,A_ACCEPT,A_DROP,A_DROP
- ?else
- ?error The first parameter to Drop must be 'audit' or '-'
- ?endif
-?else
-DEFAULTS -,-,DROP,ACCEPT,DROP,DROP
-?endif
-
-#ACTION SOURCE DEST PROTO DPORT SPORT
-#
-# Count packets that come through here
-#
-COUNT
-#
-# Special Handling for Auth
-#
-?if passed(@2)
-Auth(@2)
-?endif
-#
-# ACCEPT critical ICMP types
-#
-# For IPv6 connectivity ipv6-icmp broadcasting is required so
-# AllowICMPs must be before silent broadcast Drop.
-#
-AllowICMPs(@4) - - icmp
-#
-# Don't log broadcasts or multicasts
-#
-Broadcast(DROP,@1)
-Multicast(DROP,@1)
-#
-# Drop packets that are in the INVALID state -- these are usually ICMP packets
-# and just confuse people when they appear in the log.
-#
-Invalid(DROP,@1)
-#
-# Drop Microsoft noise so that it doesn't clutter up the log.
-#
-SMB(@3)
-DropUPnP(@6)
-#
-# Drop 'newnotsyn' traffic so that it doesn't get logged.
-#
-NotSyn(DROP,@1) - - tcp
-#
-# Drop late-arriving DNS replies. These are just a nuisance and clutter up
-# the log.
-#
-DropDNSrep(@5)
diff --git a/Shorewall/Actions/action.Reject.deprecated b/Shorewall/Actions/action.Reject.deprecated
deleted file mode 100644
index da714fc1f..000000000
--- a/Shorewall/Actions/action.Reject.deprecated
+++ /dev/null
@@ -1,85 +0,0 @@
-#
-# Shorewall -- /usr/share/shorewall/action.Reject
-#
-# The former default REJECT action common rules. Use of this action is deprecated.
-#
-# This action is invoked before a REJECT policy is enforced. The purpose
-# of the action is:
-#
-# a) Avoid logging lots of useless cruft.
-# b) Ensure that certain ICMP packets that are necessary for successful
-# internet operation are always ACCEPTed.
-#
-# The action accepts six optional parameters:
-#
-# 1 - 'audit' or '-'. Default is '-' which means don't audit in builtin
-# actions.
-# 2 - Action to take with Auth requests. Default is to do nothing
-# special with them.
-# 3 - Action to take with SMB requests. Default is REJECT or A_REJECT,
-# depending on the setting of the first parameter.
-# 4 - Action to take with required ICMP packets. Default is ACCEPT or
-# A_ACCEPT depending on the first parameter.
-# 5 - Action to take with late DNS replies (UDP source port 53). Default
-# is DROP or A_DROP depending on the first parameter.
-# 6 - Action to take with UPnP packets. Default is DROP or A_DROP
-# depending on the first parameter.
-#
-# IF YOU ARE HAVING CONNECTION PROBLEMS, CHANGING THIS FILE WON'T HELP!!!!!!!!!
-###############################################################################
-?warning "You are using the deprecated Reject default action. Please see http://www.shorewall.net/Actions.html#Default"
-
-?if passed(@1)
- ?if @1 eq 'audit'
-DEFAULTS -,-,A_REJECT,A_ACCEPT,A_DROP,A_DROP
- ?else
- ?error The first parameter to Reject must be 'audit' or '-'
- ?endif
-?else
-DEFAULTS -,-,REJECT,ACCEPT,DROP,DROP
-?endif
-
-#ACTION SOURCE DEST PROTO
-#
-# Count packets that come through here
-#
-COUNT
-#
-# Special handling for Auth
-#
-?if passed(@2)
-Auth(@2)
-?endif
-#
-# ACCEPT critical ICMP types
-#
-# For IPv6 connectivity ipv6-icmp broadcasting is required so
-# AllowICMPs must be before silent broadcast Drop.
-#
-AllowICMPs(@4) - - icmp
-#
-# Drop Broadcasts so they don't clutter up the log
-# (broadcasts must *not* be rejected).
-#
-Broadcast(DROP,@1)
-Multicast(DROP,@1)
-#
-# Drop packets that are in the INVALID state -- these are usually ICMP packets
-# and just confuse people when they appear in the log (these ICMPs cannot be
-# rejected).
-#
-Invalid(DROP,@1)
-#
-# Reject Microsoft noise so that it doesn't clutter up the log.
-#
-SMB(@3)
-DropUPnP(@6)
-#
-# Drop 'newnotsyn' traffic so that it doesn't get logged.
-#
-NotSyn(DROP,@1) - - tcp
-#
-# Drop late-arriving DNS replies. These are just a nuisance and clutter up
-# the log.
-#
-DropDNSrep(@5)
diff --git a/Shorewall/Macros/macro.SNMPTrap.deprecated b/Shorewall/Macros/macro.SNMPTrap.deprecated
deleted file mode 100644
index a2c1c4b95..000000000
--- a/Shorewall/Macros/macro.SNMPTrap.deprecated
+++ /dev/null
@@ -1,9 +0,0 @@
-#
-# Shorewall - /usr/share/shorewall/macro.SNMPtrap
-#
-# This macro deprecated by SNMPtrap.
-#
-###############################################################################
-#ACTION SOURCE DEST PROTO DPORT SPORT ORIGDEST RATE USER
-
-SNMPtrap
diff --git a/Shorewall/actions.std b/Shorewall/actions.std
index 4400ead11..52cf7cb31 100644
--- a/Shorewall/actions.std
+++ b/Shorewall/actions.std
@@ -8,11 +8,8 @@
 #
 ###############################################################################
 #ACTION
-A_AllowICMPs inline # Audited version of AllowICMPs
-A_Drop # Audited Default Action for DROP policy
 A_REJECT noinline,logjump # Audits then rejects a connection request
 A_REJECT! inline # Audits then rejects a connection request
-A_Reject # Audited Default action for REJECT policy
 AllowICMPs inline # Allow Required ICMP packets
 allowBcast inline # Silently Allow Broadcast
 allowinUPnP inline # Allow UPnP inbound (to firewall) traffic
@@ -27,7 +24,6 @@ Broadcast inline,audit # Handles Broadcast/Anycast Broadcast noinline,audit # Handles Broadcast/Anycast ?endif DNSAmp proto=17 # Matches one-question recursive DNS queries -Drop # Default Action for DROP policy (deprecated) dropBcast inline # Silently Drop Broadcast dropBcasts inline # Silently Drop Broadcast dropInvalid inline # Drops packets in the INVALID conntrack state @@ -54,7 +50,6 @@ New inline,state=NEW # Handles packets in the NEW conntrack state NotSyn inline,audit,\ # Handles TCP packets which do not have SYN=1 and ACK=0 proto=6 rejNotSyn noinline,proto=6 # Silently Reject Non-syn TCP packets -Reject # Default Action for REJECT policy (deprecated) Related inline,\ # Handles packets in the RELATED conntrack state state=RELATED # ResetEvent inline # Reset an Event diff --git a/Shorewall/install.sh b/Shorewall/install.sh index f0bcb5375..8de67826d 100755 --- a/Shorewall/install.sh +++ b/Shorewall/install.sh @@ -1231,6 +1231,19 @@ if [ -n "$SYSCONFFILE" -a -f "$SYSCONFFILE" -a ! -f ${DESTDIR}${SYSCONFDIR}/${PR echo "$SYSCONFFILE file installed in ${DESTDIR}${SYSCONFDIR}/${PRODUCT}" fi +# +# Remove deleted actions and macros +# +if [ $PRODUCT = shorewall ]; then + rm -f ${DESTDIR}${SHAREDIR}/${PRODUCT}/deprecated/action.A_AllowICMPs + rm -f ${DESTDIR}${SHAREDIR}/${PRODUCT}/deprecated/action.A_Drop + rm -f ${DESTDIR}${SHAREDIR}/${PRODUCT}/deprecated/action.A_Reject + rm -f ${DESTDIR}${SHAREDIR}/${PRODUCT}/deprecated/action.Drop + rm -f ${DESTDIR}${SHAREDIR}/${PRODUCT}/deprecated/action.Reject + + rm -f ${DESTDIR}${SHAREDIR}/${PRODUCT}/deprecated/macro.SMTPTraps +fi + if [ $configure -eq 1 -a -z "$DESTDIR" -a -n "$first_install" -a -z "${cygwin}${mac}" ]; then if [ -n "$SERVICEDIR" ]; then if systemctl enable ${PRODUCT}.service; then diff --git a/Shorewall6/actions.std b/Shorewall6/actions.std index 239aa113e..79c7b1e40 100644 --- a/Shorewall6/actions.std +++ b/Shorewall6/actions.std 
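Review bot: The last `rm -f` in the install.sh hunk targets `deprecated/macro.SMTPTraps`, but the macro this commit deletes is `Shorewall/Macros/macro.SNMPTrap.deprecated`, so the name looks like a typo. Because of `-f` the miss is silent, and an upgraded system would keep the stale macro on disk. Assuming deprecated files are installed under `deprecated/` without the `.deprecated` suffix, as the five `action.*` lines suggest, the line should read `rm -f ${DESTDIR}${SHAREDIR}/${PRODUCT}/deprecated/macro.SNMPTrap`. The cleanup is also gated on `$PRODUCT = shorewall`, while the same commit drops `A_Drop`, `A_Reject`, `A_AllowICMPs`, `Drop` and `Reject` from Shorewall6/actions.std. If shorewall6 installs its own copies they would stay behind, which is worth confirming. Separately, quoting the test as `[ "$PRODUCT" = shorewall ]` keeps it from erroring out when the variable is empty.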
@@ -8,9 +8,6 @@
 #
 ###############################################################################
 #ACTION
-A_Drop # Audited Default Action for DROP policy
-A_Reject # Audited Default Action for REJECT policy
-A_AllowICMPs proto=58 # Audited Accept needed ICMP6 types
 AllowICMPs proto=58 # Accept needed ICMP6 types
 allowBcast inline # Silently Allow Broadcast
 allowInvalid inline # Accepts packets in the INVALID conntrack state
@@ -19,7 +16,6 @@ AutoBL noinline # Auto-blacklist IPs that exceed thesholds
 AutoBLL noinline # Helper for AutoBL
 BLACKLIST logjump,section # Add sender to the dynamic blacklist
 Broadcast noinline # Handles Broadcast/Anycast
-Drop # Default Action for DROP policy (deprecated)
 dropBcast inline # Silently Drop Broadcast
 dropBcasts inline # Silently Drop Broadcast
 dropInvalid inline # Drops packets in the INVALID conntrack state
@@ -38,7 +34,6 @@ Invalid inline,audit,\ # Handles packets in the INVALID conntrack state
 Multicast noinline # Handles Multicast
 New inline,state=NEW # Handles packets in the NEW conntrack state
 NotSyn inline,proto=6 # Handles TCP packets that do not have SYN=1 and ACK=0
-Reject # Default Action for REJECT policy (deprecated)
 rejNotSyn noinline,proto=6 # Silently Reject Non-syn TCP packets
 Related inline,\ # Handles packets in the RELATED conntrack state
 state=RELATED