Compare commits
9 Commits
Author | SHA1 | Date | |
---|---|---|---|
|
a98c1d5b35 | ||
|
928f54d37c | ||
|
073235aa48 | ||
|
519fef5e87 | ||
|
944651e46d | ||
|
bdf0950317 | ||
|
2fb1f9db01 | ||
|
c3661ad476 | ||
|
a4dcc3f555 |
@@ -16,7 +16,7 @@ RemainAfterExit=yes
|
|||||||
EnvironmentFile=-/etc/default/shorewall-lite
|
EnvironmentFile=-/etc/default/shorewall-lite
|
||||||
StandardOutput=syslog
|
StandardOutput=syslog
|
||||||
ExecStart=/sbin/shorewall-lite $OPTIONS start $STARTOPTIONS
|
ExecStart=/sbin/shorewall-lite $OPTIONS start $STARTOPTIONS
|
||||||
ExecStop=/sbin/shorewall-lite $OPTIONS stop
|
ExecStop=/sbin/shorewall-lite $OPTIONS clear
|
||||||
ExecReload=/sbin/shorewall-lite $OPTIONS reload $RELOADOPTIONS
|
ExecReload=/sbin/shorewall-lite $OPTIONS reload $RELOADOPTIONS
|
||||||
|
|
||||||
[Install]
|
[Install]
|
||||||
|
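Review bot: The `ExecStop` line is the only change here, and `stop` and `clear` leave the host in very different states: `shorewall stop` keeps the restricted stopped-state rule set in place, while `clear` removes the firewall rules entirely, so whichever direction this hunk goes (the rendering does not preserve +/-), `systemctl stop` changes the machine's security posture and the unit file should say so. I would add a comment above the line, `# 'clear' removes all rules on stop; use 'stop' to keep the stopped-state (safe) rule set`, and a line in the release notes. The same ExecStop change appears in the shorewall, shorewall6-lite and shorewall6 unit hunks further down, so one note covers them. In the shorewall6-lite unit the ExecStart/ExecReload context lines also omit `$STARTOPTIONS`/`$RELOADOPTIONS`, which the other three units pass; pre-existing, but worth aligning while these files are being touched.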
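--- /dev/null
+++ b/Shorewall/Actions/action.AllowICMPs
@@ -0,0 +1,11 @@
+#
+# Shorewall -- /usr/share/shorewall/action.AllowICMPs
+#
+# This action ACCEPTs needed ICMP types.
+#
+###############################################################################
+#ACTION SOURCE DEST PROTO DPORT SPORT ORIGDEST RATE USER
+
+DEFAULTS ACCEPT
+@1 - - icmp fragmentation-needed {comment="Needed ICMP types"}
+@1 - - icmp time-exceeded {comment="Needed ICMP types"}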
@@ -20,7 +20,7 @@
|
|||||||
# @2.
|
# @2.
|
||||||
###############################################################################
|
###############################################################################
|
||||||
?if $1 eq 'BLACKLIST'
|
?if $1 eq 'BLACKLIST'
|
||||||
?if $BLACKLIST_LOGLEVEL
|
?if $BLACKLIST_LOG_LEVEL
|
||||||
blacklog
|
blacklog
|
||||||
?else
|
?else
|
||||||
$BLACKLIST_DISPOSITION
|
$BLACKLIST_DISPOSITION
|
||||||
|
@@ -1,13 +0,0 @@
|
|||||||
#
|
|
||||||
# Shorewall -- /usr/share/shorewall/macro.AllowICMPs
|
|
||||||
#
|
|
||||||
# This macro ACCEPTs needed ICMP types.
|
|
||||||
#
|
|
||||||
###############################################################################
|
|
||||||
#ACTION SOURCE DEST PROTO DPORT SPORT ORIGDEST RATE USER
|
|
||||||
|
|
||||||
?COMMENT Needed ICMP types
|
|
||||||
|
|
||||||
DEFAULT ACCEPT
|
|
||||||
PARAM - - icmp fragmentation-needed
|
|
||||||
PARAM - - icmp time-exceeded
|
|
@@ -2995,58 +2995,70 @@ sub process_compiler_directive( $$$$ ) {
|
|||||||
} ,
|
} ,
|
||||||
|
|
||||||
ERROR => sub() {
|
ERROR => sub() {
|
||||||
directive_error( evaluate_expression( $expression ,
|
unless ( $omitting ) {
|
||||||
$filename ,
|
directive_error( evaluate_expression( $expression ,
|
||||||
$linenumber ,
|
$filename ,
|
||||||
1 ) ,
|
$linenumber ,
|
||||||
$filename ,
|
1 ) ,
|
||||||
$linenumber ) unless $omitting;
|
$filename ,
|
||||||
|
$linenumber ) unless $omitting;
|
||||||
|
}
|
||||||
} ,
|
} ,
|
||||||
|
|
||||||
WARNING => sub() {
|
WARNING => sub() {
|
||||||
directive_warning( $config{VERBOSE_MESSAGES} ,
|
unless ( $omitting ) {
|
||||||
evaluate_expression( $expression ,
|
directive_warning( $config{VERBOSE_MESSAGES} ,
|
||||||
$filename ,
|
evaluate_expression( $expression ,
|
||||||
$linenumber ,
|
$filename ,
|
||||||
1 ),
|
$linenumber ,
|
||||||
$filename ,
|
1 ),
|
||||||
$linenumber ) unless $omitting;
|
$filename ,
|
||||||
|
$linenumber ) unless $omitting;
|
||||||
|
}
|
||||||
} ,
|
} ,
|
||||||
|
|
||||||
INFO => sub() {
|
INFO => sub() {
|
||||||
directive_info( $config{VERBOSE_MESSAGES} ,
|
unless ( $omitting ) {
|
||||||
evaluate_expression( $expression ,
|
directive_info( $config{VERBOSE_MESSAGES} ,
|
||||||
$filename ,
|
evaluate_expression( $expression ,
|
||||||
$linenumber ,
|
$filename ,
|
||||||
1 ),
|
$linenumber ,
|
||||||
$filename ,
|
1 ),
|
||||||
$linenumber ) unless $omitting;
|
$filename ,
|
||||||
|
$linenumber ) unless $omitting;
|
||||||
|
}
|
||||||
} ,
|
} ,
|
||||||
|
|
||||||
'WARNING!' => sub() {
|
'WARNING!' => sub() {
|
||||||
directive_warning( ! $config{VERBOSE_MESSAGES} ,
|
unless ( $omitting ) {
|
||||||
evaluate_expression( $expression ,
|
directive_warning( ! $config{VERBOSE_MESSAGES} ,
|
||||||
$filename ,
|
evaluate_expression( $expression ,
|
||||||
$linenumber ,
|
$filename ,
|
||||||
1 ),
|
$linenumber ,
|
||||||
$filename ,
|
1 ),
|
||||||
$linenumber ) unless $omitting;
|
$filename ,
|
||||||
|
$linenumber ) unless $omitting;
|
||||||
|
}
|
||||||
} ,
|
} ,
|
||||||
|
|
||||||
'INFO!' => sub() {
|
'INFO!' => sub() {
|
||||||
directive_info( ! $config{VERBOSE_MESSAGES} ,
|
unless ( $omitting ) {
|
||||||
evaluate_expression( $expression ,
|
directive_info( ! $config{VERBOSE_MESSAGES} ,
|
||||||
$filename ,
|
evaluate_expression( $expression ,
|
||||||
$linenumber ,
|
$filename ,
|
||||||
1 ),
|
$linenumber ,
|
||||||
$filename ,
|
1 ),
|
||||||
$linenumber ) unless $omitting;
|
$filename ,
|
||||||
|
$linenumber ) unless $omitting;
|
||||||
|
}
|
||||||
} ,
|
} ,
|
||||||
|
|
||||||
REQUIRE => sub() {
|
REQUIRE => sub() {
|
||||||
fatal_error "?REQUIRE may only be used within action files" unless $actparams{0};
|
unless ( $omitting ) {
|
||||||
fatal_error "Unknown capability ($expression}" unless $capabilities{$expression};
|
fatal_error "?REQUIRE may only be used within action files" unless $actparams{0};
|
||||||
require_capability( $expression, "The $actparams{action} action", 's' );
|
fatal_error "Unknown capability ($expression)" unless exists $capabilities{$expression};
|
||||||
|
require_capability( $expression, "The $actparams{action} action", 's' );
|
||||||
|
}
|
||||||
} ,
|
} ,
|
||||||
|
|
||||||
);
|
);
|
||||||
|
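Review bot: Inside the new `unless ( $omitting ) { ... }` blocks, the ERROR, WARNING, INFO, 'WARNING!' and 'INFO!' handlers still end their call with `) unless $omitting;`, so the same condition is tested twice; now that the block guards the whole body the postfix modifier can go, leaving `$linenumber );`. The REQUIRE handler's change to `exists $capabilities{$expression}` also fixes the unbalanced `($expression}` in the message, and presumably lets a known-but-unsupported capability (present in the hash with a false value) reach `require_capability` instead of being reported as unknown; a one-line comment saying so would keep the next reader from "simplifying" it back to a truth test. The hash of handlers and the enclosing `sub process_compiler_directive` both start and end outside the hunk.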
@@ -372,6 +372,7 @@ sub initialize( $ ) {
|
|||||||
'icmp-host-prohibited' => 1,
|
'icmp-host-prohibited' => 1,
|
||||||
'icmp-admin-prohibited' => 1,
|
'icmp-admin-prohibited' => 1,
|
||||||
'icmp-tcp-reset' => 2,
|
'icmp-tcp-reset' => 2,
|
||||||
|
'tcp-reset' => 2,
|
||||||
);
|
);
|
||||||
|
|
||||||
} else {
|
} else {
|
||||||
@@ -947,13 +948,14 @@ sub add_policy_rules( $$$$$ ) {
|
|||||||
#
|
#
|
||||||
# Default action is an inline
|
# Default action is an inline
|
||||||
#
|
#
|
||||||
|
( undef, my $level ) = split /:/, $paction, 2;
|
||||||
( $action, my $param ) = get_target_param( $action );
|
( $action, my $param ) = get_target_param( $action );
|
||||||
|
|
||||||
process_inline( $action, #Inline
|
process_inline( $action, #Inline
|
||||||
$chainref, #Chain
|
$chainref, #Chain
|
||||||
'', #Matches
|
'', #Matches
|
||||||
'', #Matches1
|
'', #Matches1
|
||||||
$loglevel, #Log Level and Tag
|
$level || '', #Log Level and Tag
|
||||||
$paction, #Target
|
$paction, #Target
|
||||||
$param || '', #Param
|
$param || '', #Param
|
||||||
'-', #Source
|
'-', #Source
|
||||||
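Review bot: `$level || ''` on the log-level argument to `process_inline` treats a level of `0` the same as no level, because `0` is false in Perl; if numeric syslog levels are accepted here (0 is emerg), `defined $level ? $level : ''` (or `//` if the project's minimum Perl allows it) preserves it, and the pre-existing `$param || ''` on the next line has the same shape. The new `( undef, my $level ) = split /:/, $paction, 2;` extracts the level, but `$paction` is still passed unchanged as the Target argument and so still carries its `:level` suffix; that is fine if `process_inline` strips it, otherwise the first field of the split should be passed instead. `sub add_policy_rules` continues outside the hunk.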
@@ -1930,12 +1932,12 @@ sub process_action(\$\$$) {
|
|||||||
|
|
||||||
progress_message2 "$doing $actionfile for chain $chainref->{name}...";
|
progress_message2 "$doing $actionfile for chain $chainref->{name}...";
|
||||||
|
|
||||||
push_open $actionfile, 2, 1, undef, 2;
|
|
||||||
|
|
||||||
my $oldparms = push_action_params( $action, $chainref, $param, $level, $tag, $caller );
|
my $oldparms = push_action_params( $action, $chainref, $param, $level, $tag, $caller );
|
||||||
my $options = $actionref->{options};
|
my $options = $actionref->{options};
|
||||||
my $nolog = $options & ( NOLOG_OPT | LOGJUMP_OPT );
|
my $nolog = $options & ( NOLOG_OPT | LOGJUMP_OPT );
|
||||||
|
|
||||||
|
push_open $actionfile, 2, 1, undef, 2;
|
||||||
|
|
||||||
setup_audit_action( $action ) if $options & AUDIT_OPT;
|
setup_audit_action( $action ) if $options & AUDIT_OPT;
|
||||||
|
|
||||||
$active{$action}++;
|
$active{$action}++;
|
||||||
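Review bot: The only change is where `push_open $actionfile, 2, 1, undef, 2;` sits relative to `push_action_params( ... )`, and nothing records why the order matters; the rendering does not preserve +/-, but either way the ordering between opening the action file and pushing its parameters is a contract that a failure in either call depends on (whichever was pushed first is what an error path has to unwind). A short comment above the call in its new position, e.g. `# Ordering matters: whatever is pushed first must be popped by the error path if the second call fails`, would keep the next edit from swapping them back. `sub process_action` starts and ends outside the hunk.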
@@ -2917,6 +2919,8 @@ sub process_rule ( $$$$$$$$$$$$$$$$$$$$ ) {
|
|||||||
# tcp-reset
|
# tcp-reset
|
||||||
#
|
#
|
||||||
fatal_error "tcp-reset may only be used with PROTO tcp" unless ( resolve_proto( $proto ) || 0 ) == TCP;
|
fatal_error "tcp-reset may only be used with PROTO tcp" unless ( resolve_proto( $proto ) || 0 ) == TCP;
|
||||||
|
$exceptionrule = '-p 6 ';
|
||||||
|
$param = 'tcp-reset';
|
||||||
}
|
}
|
||||||
|
|
||||||
$action = "REJECT --reject-with $param";
|
$action = "REJECT --reject-with $param";
|
||||||
|
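Review bot: The new `$exceptionrule = '-p 6 ';` hard-codes the TCP protocol number that the line above compares as the `TCP` constant, and nothing says why the REJECT rule needs an explicit protocol match; `$exceptionrule = '-p ' . TCP . ' ';` with a comment such as `# --reject-with tcp-reset is only valid with -p tcp; force the protocol on the REJECT rule` keeps the two in step. `$param = 'tcp-reset';` after the check presumably normalizes the `icmp-tcp-reset` spelling that the reject-type table in the `initialize` hunk above maps alongside it, so the resulting `REJECT --reject-with $param` uses the spelling iptables accepts; a comment saying so would help. `sub process_rule` starts and ends outside the hunk.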
@@ -2312,9 +2312,10 @@ EOF
|
|||||||
EOF
|
EOF
|
||||||
|
|
||||||
}
|
}
|
||||||
|
|
||||||
return ( $mangle, $fn1 );
|
|
||||||
}
|
}
|
||||||
|
|
||||||
|
return ( $mangle, $fn1 );
|
||||||
|
|
||||||
}
|
}
|
||||||
|
|
||||||
#
|
#
|
||||||
|
@@ -110,8 +110,8 @@ TC=
|
|||||||
###############################################################################
|
###############################################################################
|
||||||
|
|
||||||
ACCEPT_DEFAULT=none
|
ACCEPT_DEFAULT=none
|
||||||
BLACKLIST_DEFAULT="Broadcast(DROP),Multicast(DROP),dropNotSyn:$LOG_LEVEL,dropInvalid:$LOG_LEVEL,DropDNSrep:$LOG_LEVEL"
|
BLACKLIST_DEFAULT="Broadcast(DROP),Multicast(DROP),AllowICMPs,dropNotSyn:$LOG_LEVEL,dropInvalid:$LOG_LEVEL,DropDNSrep:$LOG_LEVEL"
|
||||||
DROP_DEFAULT="Broadcast(DROP),Multicast(DROP)"
|
DROP_DEFAULT="Broadcast(DROP),Multicast(DROP),AllowICMPs"
|
||||||
NFQUEUE_DEFAULT=none
|
NFQUEUE_DEFAULT=none
|
||||||
QUEUE_DEFAULT=none
|
QUEUE_DEFAULT=none
|
||||||
REJECT_DEFAULT="Broadcast(DROP),Multicast(DROP)"
|
REJECT_DEFAULT="Broadcast(DROP),Multicast(DROP)"
|
||||||
|
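Review bot: AllowICMPs is added to BLACKLIST_DEFAULT and DROP_DEFAULT but REJECT_DEFAULT keeps `"Broadcast(DROP),Multicast(DROP)"`, so a REJECT policy presumably still rejects fragmentation-needed and time-exceeded while DROP and BLACKLIST now accept them; if that asymmetry is intended it deserves a comment in the sample, otherwise `REJECT_DEFAULT="Broadcast(DROP),Multicast(DROP),AllowICMPs"` keeps the three in step. The BLACKLIST placement also means those two ICMP types are accepted from blacklisted sources before dropNotSyn/dropInvalid run, a deliberate relaxation of the blacklist that should be called out in the release notes. The same edit is repeated in the other four shorewall.conf hunks below (headers `@@ -121,8`, `@@ -118,8`, `@@ -121,8` and `@@ -110,8`), so this note covers them.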
@@ -121,8 +121,8 @@ TC=
|
|||||||
###############################################################################
|
###############################################################################
|
||||||
|
|
||||||
ACCEPT_DEFAULT=none
|
ACCEPT_DEFAULT=none
|
||||||
BLACKLIST_DEFAULT="Broadcast(DROP),Multicast(DROP),dropNotSyn:$LOG_LEVEL,dropInvalid:$LOG_LEVEL,DropDNSrep:$LOG_LEVEL"
|
BLACKLIST_DEFAULT="Broadcast(DROP),Multicast(DROP),AllowICMPs,dropNotSyn:$LOG_LEVEL,dropInvalid:$LOG_LEVEL,DropDNSrep:$LOG_LEVEL"
|
||||||
DROP_DEFAULT="Broadcast(DROP),Multicast(DROP)"
|
DROP_DEFAULT="Broadcast(DROP),Multicast(DROP),AllowICMPs"
|
||||||
NFQUEUE_DEFAULT=none
|
NFQUEUE_DEFAULT=none
|
||||||
QUEUE_DEFAULT=none
|
QUEUE_DEFAULT=none
|
||||||
REJECT_DEFAULT="Broadcast(DROP),Multicast(DROP)"
|
REJECT_DEFAULT="Broadcast(DROP),Multicast(DROP)"
|
||||||
|
@@ -118,8 +118,8 @@ TC=
|
|||||||
###############################################################################
|
###############################################################################
|
||||||
|
|
||||||
ACCEPT_DEFAULT=none
|
ACCEPT_DEFAULT=none
|
||||||
BLACKLIST_DEFAULT="Broadcast(DROP),Multicast(DROP),dropNotSyn:$LOG_LEVEL,dropInvalid:$LOG_LEVEL,DropDNSrep:$LOG_LEVEL"
|
BLACKLIST_DEFAULT="Broadcast(DROP),Multicast(DROP),AllowICMPs,dropNotSyn:$LOG_LEVEL,dropInvalid:$LOG_LEVEL,DropDNSrep:$LOG_LEVEL"
|
||||||
DROP_DEFAULT="Broadcast(DROP),Multicast(DROP)"
|
DROP_DEFAULT="Broadcast(DROP),Multicast(DROP),AllowICMPs"
|
||||||
NFQUEUE_DEFAULT=none
|
NFQUEUE_DEFAULT=none
|
||||||
QUEUE_DEFAULT=none
|
QUEUE_DEFAULT=none
|
||||||
REJECT_DEFAULT="Broadcast(DROP),Multicast(DROP)"
|
REJECT_DEFAULT="Broadcast(DROP),Multicast(DROP)"
|
||||||
|
@@ -121,8 +121,8 @@ TC=
|
|||||||
###############################################################################
|
###############################################################################
|
||||||
|
|
||||||
ACCEPT_DEFAULT=none
|
ACCEPT_DEFAULT=none
|
||||||
BLACKLIST_DEFAULT="Broadcast(DROP),Multicast(DROP),dropNotSyn:$LOG_LEVEL,dropInvalid:$LOG_LEVEL,DropDNSrep:$LOG_LEVEL"
|
BLACKLIST_DEFAULT="Broadcast(DROP),Multicast(DROP),AllowICMPs,dropNotSyn:$LOG_LEVEL,dropInvalid:$LOG_LEVEL,DropDNSrep:$LOG_LEVEL"
|
||||||
DROP_DEFAULT="Broadcast(DROP),Multicast(DROP)"
|
DROP_DEFAULT="Broadcast(DROP),Multicast(DROP),AllowICMPs"
|
||||||
NFQUEUE_DEFAULT=none
|
NFQUEUE_DEFAULT=none
|
||||||
QUEUE_DEFAULT=none
|
QUEUE_DEFAULT=none
|
||||||
REJECT_DEFAULT="Broadcast(DROP),Multicast(DROP)"
|
REJECT_DEFAULT="Broadcast(DROP),Multicast(DROP)"
|
||||||
|
@@ -25,6 +25,7 @@ A_Drop # Audited Default Action for DROP policy
|
|||||||
A_REJECT noinline,logjump # Audits then rejects a connection request
|
A_REJECT noinline,logjump # Audits then rejects a connection request
|
||||||
A_REJECT! inline # Audits then rejects a connection request
|
A_REJECT! inline # Audits then rejects a connection request
|
||||||
A_Reject # Audited Default action for REJECT policy
|
A_Reject # Audited Default action for REJECT policy
|
||||||
|
AllowICMPs inline # Allow Required ICMP packets
|
||||||
allowInvalid inline # Accepts packets in the INVALID conntrack state
|
allowInvalid inline # Accepts packets in the INVALID conntrack state
|
||||||
AutoBL noinline # Auto-blacklist IPs that exceed thesholds
|
AutoBL noinline # Auto-blacklist IPs that exceed thesholds
|
||||||
AutoBLL noinline # Helper for AutoBL
|
AutoBLL noinline # Helper for AutoBL
|
||||||
|
@@ -110,8 +110,8 @@ TC=
|
|||||||
###############################################################################
|
###############################################################################
|
||||||
|
|
||||||
ACCEPT_DEFAULT=none
|
ACCEPT_DEFAULT=none
|
||||||
BLACKLIST_DEFAULT="Broadcast(DROP),Multicast(DROP),dropNotSyn:$LOG_LEVEL,dropInvalid:$LOG_LEVEL,DropDNSrep:$LOG_LEVEL"
|
BLACKLIST_DEFAULT="Broadcast(DROP),Multicast(DROP),AllowICMPs,dropNotSyn:$LOG_LEVEL,dropInvalid:$LOG_LEVEL,DropDNSrep:$LOG_LEVEL"
|
||||||
DROP_DEFAULT="Broadcast(DROP),Multicast(DROP)"
|
DROP_DEFAULT="Broadcast(DROP),Multicast(DROP),AllowICMPs"
|
||||||
NFQUEUE_DEFAULT=none
|
NFQUEUE_DEFAULT=none
|
||||||
QUEUE_DEFAULT=none
|
QUEUE_DEFAULT=none
|
||||||
REJECT_DEFAULT="Broadcast(DROP),Multicast(DROP)"
|
REJECT_DEFAULT="Broadcast(DROP),Multicast(DROP)"
|
||||||
|
@@ -16,7 +16,7 @@ RemainAfterExit=yes
|
|||||||
EnvironmentFile=-/etc/default/shorewall
|
EnvironmentFile=-/etc/default/shorewall
|
||||||
StandardOutput=syslog
|
StandardOutput=syslog
|
||||||
ExecStart=/sbin/shorewall $OPTIONS start $STARTOPTIONS
|
ExecStart=/sbin/shorewall $OPTIONS start $STARTOPTIONS
|
||||||
ExecStop=/sbin/shorewall $OPTIONS stop
|
ExecStop=/sbin/shorewall $OPTIONS clear
|
||||||
ExecReload=/sbin/shorewall $OPTIONS reload $RELOADOPTIONS
|
ExecReload=/sbin/shorewall $OPTIONS reload $RELOADOPTIONS
|
||||||
|
|
||||||
[Install]
|
[Install]
|
||||||
|
@@ -15,7 +15,7 @@ RemainAfterExit=yes
|
|||||||
EnvironmentFile=-/etc/default/shorewall6-lite
|
EnvironmentFile=-/etc/default/shorewall6-lite
|
||||||
StandardOutput=syslog
|
StandardOutput=syslog
|
||||||
ExecStart=/sbin/shorewall6-lite $OPTIONS start
|
ExecStart=/sbin/shorewall6-lite $OPTIONS start
|
||||||
ExecStop=/sbin/shorewall6-lite $OPTIONS stop
|
ExecStop=/sbin/shorewall6-lite $OPTIONS clear
|
||||||
ExecReload=/sbin/shorewall6-lite $OPTIONS reload
|
ExecReload=/sbin/shorewall6-lite $OPTIONS reload
|
||||||
|
|
||||||
[Install]
|
[Install]
|
||||||
|
@@ -16,7 +16,7 @@ RemainAfterExit=yes
|
|||||||
EnvironmentFile=-/etc/default/shorewall6
|
EnvironmentFile=-/etc/default/shorewall6
|
||||||
StandardOutput=syslog
|
StandardOutput=syslog
|
||||||
ExecStart=/sbin/shorewall -6 $OPTIONS start $STARTOPTIONS
|
ExecStart=/sbin/shorewall -6 $OPTIONS start $STARTOPTIONS
|
||||||
ExecStop=/sbin/shorewall -6 $OPTIONS stop
|
ExecStop=/sbin/shorewall -6 $OPTIONS clear
|
||||||
ExecReload=/sbin/shorewall -6 $OPTIONS reload $RELOADOPTIONS
|
ExecReload=/sbin/shorewall -6 $OPTIONS reload $RELOADOPTIONS
|
||||||
|
|
||||||
[Install]
|
[Install]
|
||||||
|