forked from extern/shorewall_code
Add AllowICMPs action and invoke from Drop and Reject
git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@1667 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
This commit is contained in:
teastep
parent
aeb3d2cea2
commit
d260f20ce4
11
LrpN/usr/share/shorewall/action.AllowICMPs
Normal file
11
LrpN/usr/share/shorewall/action.AllowICMPs
Normal file
@ -0,0 +1,11 @@
|
||||
#
|
||||
# Shorewall 2.1 /usr/share/shorewall/action.AllowICMPs
|
||||
#
|
||||
# ACCEPT needed ICMP types
|
||||
#
|
||||
######################################################################################
|
||||
#TARGET SOURCE DEST PROTO DEST SOURCE RATE USER/
|
||||
# PORT PORT(S) LIMIT GROUP
|
||||
#
|
||||
ACCEPT - - icmp fragmentation-needed
|
||||
ACCEPT - - icmp time-exceeded
|
||||
@ -3,14 +3,47 @@
|
||||
#
|
||||
# The default DROP common rules
|
||||
#
|
||||
# This action is invoked before a DROP policy is enforced. The purpose of the action
|
||||
# is:
|
||||
#
|
||||
# a) Avoid logging lots of useless cruft.
|
||||
# b) Ensure that 'auth' requests are rejected, even if the policy is DROP.
|
||||
# Otherwise, you may experience problems establishing connections with
|
||||
# servers that use auth.
|
||||
# c) Ensure that certain ICMP packets that are necessary for successful
|
||||
# internet operation are always ACCEPTed.
|
||||
#
|
||||
# IF YOU ARE HAVING CONNECTION PROBLEMS, CHANGING THIS FILE WON'T HELP!!!!!!!!!!!!
|
||||
######################################################################################
|
||||
#TARGET SOURCE DEST PROTO DEST SOURCE RATE USER/
|
||||
# PORT PORT(S) LIMIT GROUP
|
||||
#TARGET SOURCE DEST PROTO
|
||||
#
|
||||
# Reject 'auth'
|
||||
#
|
||||
RejectAuth
|
||||
#
|
||||
# Don't log broadcasts
|
||||
#
|
||||
dropBcast
|
||||
#
|
||||
# ACCEPT critical ICMP types
|
||||
#
|
||||
AllowICMPs - - icmp
|
||||
#
|
||||
# Drop packets that in the INVALID state -- these are usually ICMP packets and just
|
||||
# confuse people when they appear in the log.
|
||||
#
|
||||
dropInvalid
|
||||
#
|
||||
# Drop Microsoft noise so that it doesn't clutter up the log.
|
||||
#
|
||||
DropSMB
|
||||
DropUPnP
|
||||
dropNotSyn
|
||||
#
|
||||
# Drop 'newnotsyn' traffic so that it doesn't get logged.
|
||||
#
|
||||
dropNotSyn - - tcp
|
||||
#
|
||||
# Drop late-arriving DNS replies. These are just a nuisance and clutter up the log.
|
||||
#
|
||||
DropDNSrep
|
||||
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
|
||||
|
||||
@ -3,14 +3,44 @@
|
||||
#
|
||||
# The default REJECT action common rules
|
||||
#
|
||||
# This action is invoked before a REJECT policy is enforced. The purpose of the action
|
||||
# is:
|
||||
#
|
||||
# a) Avoid logging lots of useless cruft.
|
||||
# b) Ensure that certain ICMP packets that are necessary for successful
|
||||
# internet operation are always ACCEPTed.
|
||||
#
|
||||
# IF YOU ARE HAVING CONNECTION PROBLEMS, CHANGING THIS FILE WON'T HELP!!!!!!!!!!!!
|
||||
######################################################################################
|
||||
#TARGET SOURCE DEST PROTO DEST SOURCE RATE USER/
|
||||
# PORT PORT(S) LIMIT GROUP
|
||||
#TARGET SOURCE DEST PROTO
|
||||
#
|
||||
# Don't log 'auth' REJECT
|
||||
#
|
||||
RejectAuth
|
||||
#
|
||||
# Drop Broadcasts so they don't clutter up the log (broadcasts must *not* be rejected).
|
||||
#
|
||||
dropBcast
|
||||
#
|
||||
# ACCEPT critical ICMP types
|
||||
#
|
||||
AllowICMPs - - icmp
|
||||
#
|
||||
# Drop packets that in the INVALID state -- these are usually ICMP packets and just
|
||||
# confuse people when they appear in the log (these ICMPs cannot be rejected).
|
||||
#
|
||||
dropInvalid
|
||||
#
|
||||
# Drop Microsoft noise so that it doesn't clutter up the lot.
|
||||
#
|
||||
RejectSMB
|
||||
DropUPnP
|
||||
dropNotSyn
|
||||
#
|
||||
# Drop 'newnotsyn' traffic so that it doesn't get logged.
|
||||
#
|
||||
dropNotSyn - - tcp
|
||||
#
|
||||
# Drop late-arriving DNS replies. These are just a nuisance and clutter up the log.
|
||||
#
|
||||
DropDNSrep
|
||||
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
|
||||
|
||||
@ -1,15 +1,15 @@
|
||||
#
|
||||
# Shorewall 2.0 /usr/share/shorewall/actions.std
|
||||
# Shorewall 2.1 /usr/share/shorewall/actions.std
|
||||
#
|
||||
#
|
||||
# Builtin Actions are:
|
||||
#
|
||||
# allowBcast #Silently Allow Broadcast/multicast
|
||||
# dropBcast #Silently Drop Broadcast/multicast
|
||||
# dropNonSyn #Silently Drop Non-syn TCP packets
|
||||
# rejNonSyn #Silently Reject Non-syn TCP packets
|
||||
# logNonSyn #Log Non-syn TCP packets with disposition LOG
|
||||
# dLogNonSyn #Log Non-syn TCP packets with disposition DROP
|
||||
# rLogNonSyn #Log Non-syn TCP packets with disposition REJECT
|
||||
# dropInvalid #Silently Drop packets that are in the INVALID
|
||||
# #conntrack state.
|
||||
#
|
||||
# The NonSyn logging builtins log at the level specified by LOGNEWNOTSYN in
|
||||
# shorewall.conf. If that option isn't specified then 'info' is used.
|
||||
@ -32,6 +32,7 @@ AllowSMB #Allow MS Networking
|
||||
AllowAuth #Allow Auth (identd)
|
||||
AllowSMTP #Allow SMTP (Email)
|
||||
AllowPOP3 #Allow reading mail via POP3
|
||||
AllowICMPs #Allows critical ICMP types
|
||||
AllowIMAP #Allow reading mail via IMAP
|
||||
AllowTelnet #Allow Telnet Access (not recommended for use over the
|
||||
#Internet)
|
||||
|
||||
Loading…
Reference in New Issue
Block a user