From d260f20ce4c74d80e53eb59fa39b7e85d4d72b3f Mon Sep 17 00:00:00 2001
From: teastep
Date: Fri, 8 Oct 2004 00:11:54 +0000
Subject: [PATCH] Add AllowICMPs action and invoke from Drop and Reject

git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@1667 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
---
 LrpN/usr/share/shorewall/action.AllowICMPs | 11 ++++++
 LrpN/usr/share/shorewall/action.Drop | 39 ++++++++++++++++++++--
 LrpN/usr/share/shorewall/action.Reject | 36 ++++++++++++++++++--
 LrpN/usr/share/shorewall/actions.std | 9 ++---
 4 files changed, 85 insertions(+), 10 deletions(-)
 create mode 100644 LrpN/usr/share/shorewall/action.AllowICMPs

diff --git a/LrpN/usr/share/shorewall/action.AllowICMPs b/LrpN/usr/share/shorewall/action.AllowICMPs
new file mode 100644
index 000000000..7235d8dff
--- /dev/null
+++ b/LrpN/usr/share/shorewall/action.AllowICMPs
@@ -0,0 +1,11 @@
+#
+# Shorewall 2.1 /usr/share/shorewall/action.AllowICMPs
+#
+# ACCEPT needed ICMP types
+#
+######################################################################################
+#TARGET SOURCE DEST PROTO DEST SOURCE RATE USER/
+# PORT PORT(S) LIMIT GROUP
+#
+ACCEPT - - icmp fragmentation-needed
+ACCEPT - - icmp time-exceeded
diff --git a/LrpN/usr/share/shorewall/action.Drop b/LrpN/usr/share/shorewall/action.Drop
index b8cda2d4f..7b42e2c2d 100644
--- a/LrpN/usr/share/shorewall/action.Drop
+++ b/LrpN/usr/share/shorewall/action.Drop
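Review bot: Both ACCEPT rules match any SOURCE and any DEST and leave the RATE LIMIT column that the file's own header declares empty, so once Drop and Reject invoke this action, any host can push an unbounded stream of fragmentation-needed and time-exceeded messages through a DROP or REJECT policy; unsolicited fragmentation-needed in particular is the classic way to force a peer's path MTU down. Accepting these two types is reasonable for PMTU discovery and traceroute, but consider a per-rule limit, e.g. `ACCEPT - - icmp fragmentation-needed - - 10/sec:30` (confirm the RATE LIMIT syntax for this release), and a comment under `# ACCEPT needed ICMP types` saying why each type is needed. The new file also lacks the `#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE` trailer that action.Drop and action.Reject end with; add it for consistency with the other action files.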
@@ -3,14 +3,47 @@
 #
 # The default DROP common rules
 #
+# This action is invoked before a DROP policy is enforced. The purpose of the action
+# is:
+#
+# a) Avoid logging lots of useless cruft.
+# b) Ensure that 'auth' requests are rejected, even if the policy is DROP.
+# Otherwise, you may experience problems establishing connections with
+# servers that use auth.
+# c) Ensure that certain ICMP packets that are necessary for successful
+# internet operation are always ACCEPTed.
+#
+# IF YOU ARE HAVING CONNECTION PROBLEMS, CHANGING THIS FILE WON'T HELP!!!!!!!!!!!!
 ######################################################################################
-#TARGET SOURCE DEST PROTO DEST SOURCE RATE USER/
-# PORT PORT(S) LIMIT GROUP
+#TARGET SOURCE DEST PROTO
+#
+# Reject 'auth'
+#
 RejectAuth
+#
+# Don't log broadcasts
+#
 dropBcast
+#
+# ACCEPT critical ICMP types
+#
+AllowICMPs - - icmp
+#
+# Drop packets that in the INVALID state -- these are usually ICMP packets and just
+# confuse people when they appear in the log.
+#
 dropInvalid
+#
+# Drop Microsoft noise so that it doesn't clutter up the log.
+#
 DropSMB
 DropUPnP
-dropNotSyn
+#
+# Drop 'newnotsyn' traffic so that it doesn't get logged.
+#
+dropNotSyn - - tcp
+#
+# Drop late-arriving DNS replies. These are just a nuisance and clutter up the log.
+#
 DropDNSrep
 #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
diff --git a/LrpN/usr/share/shorewall/action.Reject b/LrpN/usr/share/shorewall/action.Reject
index 5056ab0bb..54ca5e031 100644
--- a/LrpN/usr/share/shorewall/action.Reject
+++ b/LrpN/usr/share/shorewall/action.Reject
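Review bot: `AllowICMPs - - icmp` is placed before `dropInvalid`, so fragmentation-needed and time-exceeded packets that conntrack marks INVALID (as far as I know, ICMP errors that relate to no tracked connection) are ACCEPTed before the dropInvalid rule can see them. If the intent is only to let errors belonging to real connections through, move the `AllowICMPs - - icmp` line below `dropInvalid`; if unsolicited errors are meant to pass, say so in the `# ACCEPT critical ICMP types` comment so the ordering is not "fixed" later by accident. The added comment above dropInvalid is also missing a word: `# Drop packets that are in the INVALID state -- these are usually ICMP packets and just`.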
@@ -3,14 +3,44 @@
 #
 # The default REJECT action common rules
 #
+# This action is invoked before a REJECT policy is enforced. The purpose of the action
+# is:
+#
+# a) Avoid logging lots of useless cruft.
+# b) Ensure that certain ICMP packets that are necessary for successful
+# internet operation are always ACCEPTed.
+#
+# IF YOU ARE HAVING CONNECTION PROBLEMS, CHANGING THIS FILE WON'T HELP!!!!!!!!!!!!
 ######################################################################################
-#TARGET SOURCE DEST PROTO DEST SOURCE RATE USER/
-# PORT PORT(S) LIMIT GROUP
+#TARGET SOURCE DEST PROTO
+#
+# Don't log 'auth' REJECT
+#
 RejectAuth
+#
+# Drop Broadcasts so they don't clutter up the log (broadcasts must *not* be rejected).
+#
 dropBcast
+#
+# ACCEPT critical ICMP types
+#
+AllowICMPs - - icmp
+#
+# Drop packets that in the INVALID state -- these are usually ICMP packets and just
+# confuse people when they appear in the log (these ICMPs cannot be rejected).
+#
 dropInvalid
+#
+# Drop Microsoft noise so that it doesn't clutter up the lot.
+#
 RejectSMB
 DropUPnP
-dropNotSyn
+#
+# Drop 'newnotsyn' traffic so that it doesn't get logged.
+#
+dropNotSyn - - tcp
+#
+# Drop late-arriving DNS replies. These are just a nuisance and clutter up the log.
+#
 DropDNSrep
 #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
diff --git a/LrpN/usr/share/shorewall/actions.std b/LrpN/usr/share/shorewall/actions.std
index b762d2730..99df52e95 100644
--- a/LrpN/usr/share/shorewall/actions.std
+++ b/LrpN/usr/share/shorewall/actions.std
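Review bot: Two of the added comments have typos: `# Drop packets that in the INVALID state -- these are usually ICMP packets and just` should read `# Drop packets that are in the INVALID state -- ...`, and `# Drop Microsoft noise so that it doesn't clutter up the lot.` should end with `log.`. The same ordering question as in action.Drop applies here: `AllowICMPs - - icmp` runs before `dropInvalid`, so INVALID-state ICMP errors of the two accepted types pass rather than being silently dropped; if that is intended, state it in the `# ACCEPT critical ICMP types` comment, otherwise move the line below `dropInvalid`.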
@@ -1,15 +1,15 @@
 #
-# Shorewall 2.0 /usr/share/shorewall/actions.std
+# Shorewall 2.1 /usr/share/shorewall/actions.std
 #
 #
 # Builtin Actions are:
 #
+# allowBcast #Silently Allow Broadcast/multicast
 # dropBcast #Silently Drop Broadcast/multicast
 # dropNonSyn #Silently Drop Non-syn TCP packets
 # rejNonSyn #Silently Reject Non-syn TCP packets
-# logNonSyn #Log Non-syn TCP packets with disposition LOG
-# dLogNonSyn #Log Non-syn TCP packets with disposition DROP
-# rLogNonSyn #Log Non-syn TCP packets with disposition REJECT
+# dropInvalid #Silently Drop packets that are in the INVALID
+# #conntrack state.
 #
 # The NonSyn logging builtins log at the level specified by LOGNEWNOTSYN in
 # shorewall.conf. If that option isn't specified then 'info' is used.
@@ -32,6 +32,7 @@ AllowSMB #Allow MS Networking
 AllowAuth #Allow Auth (identd)
 AllowSMTP #Allow SMTP (Email)
 AllowPOP3 #Allow reading mail via POP3
+AllowICMPs #Allows critical ICMP types
 AllowIMAP #Allow reading mail via IMAP
 AllowTelnet #Allow Telnet Access (not recommended for use over the
 #Internet)
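Review bot: The kept paragraph `# The NonSyn logging builtins log at the level specified by LOGNEWNOTSYN in` / `# shorewall.conf. If that option isn't specified then 'info' is used.` now describes builtins that no longer appear in the list above it, since logNonSyn, dLogNonSyn and rLogNonSyn are removed in this hunk. Either delete those two lines or reword them to name which remaining builtin, if any, still honours LOGNEWNOTSYN; I cannot tell from this hunk whether the builtins were dropped from the compiler or only from this listing, and the rest of the comment block continues past the end of the hunk.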
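Review bot: The new entry `AllowICMPs #Allows critical ICMP types` breaks the imperative `#Allow ...` wording used by every neighbouring line (AllowAuth, AllowSMTP, AllowPOP3, AllowIMAP). `AllowICMPs #Allow critical ICMP types (fragmentation-needed, time-exceeded)` would match the style and tell a reader which types the action accepts without opening action.AllowICMPs.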