forked from extern/shorewall_code
Compare commits
9 Commits
| Author | SHA1 | Date | |
|---|---|---|---|
|
a98c1d5b35 | ||
|
|
928f54d37c | ||
|
|
073235aa48 | ||
|
|
519fef5e87 | ||
|
|
944651e46d | ||
|
|
bdf0950317 | ||
|
|
2fb1f9db01 | ||
|
|
c3661ad476 | ||
|
|
a4dcc3f555 |
@@ -16,7 +16,7 @@ RemainAfterExit=yes
|
||||
EnvironmentFile=-/etc/default/shorewall-lite
|
||||
StandardOutput=syslog
|
||||
ExecStart=/sbin/shorewall-lite $OPTIONS start $STARTOPTIONS
|
||||
ExecStop=/sbin/shorewall-lite $OPTIONS stop
|
||||
ExecStop=/sbin/shorewall-lite $OPTIONS clear
|
||||
ExecReload=/sbin/shorewall-lite $OPTIONS reload $RELOADOPTIONS
|
||||
|
||||
[Install]
|
||||
|
||||
11
Shorewall/Actions/action.AllowICMPs
Normal file
11
Shorewall/Actions/action.AllowICMPs
Normal file
@@ -0,0 +1,11 @@
|
||||
#
|
||||
# Shorewall -- /usr/share/shorewall/action.AllowICMPs
|
||||
#
|
||||
# This action ACCEPTs needed ICMP types.
|
||||
#
|
||||
###############################################################################
|
||||
#ACTION SOURCE DEST PROTO DPORT SPORT ORIGDEST RATE USER
|
||||
|
||||
DEFAULTS ACCEPT
|
||||
@1 - - icmp fragmentation-needed {comment="Needed ICMP types"}
|
||||
@1 - - icmp time-exceeded {comment="Needed ICMP types"}
|
||||
@@ -20,7 +20,7 @@
|
||||
# @2.
|
||||
###############################################################################
|
||||
?if $1 eq 'BLACKLIST'
|
||||
?if $BLACKLIST_LOGLEVEL
|
||||
?if $BLACKLIST_LOG_LEVEL
|
||||
blacklog
|
||||
?else
|
||||
$BLACKLIST_DISPOSITION
|
||||
|
||||
@@ -1,13 +0,0 @@
|
||||
#
|
||||
# Shorewall -- /usr/share/shorewall/macro.AllowICMPs
|
||||
#
|
||||
# This macro ACCEPTs needed ICMP types.
|
||||
#
|
||||
###############################################################################
|
||||
#ACTION SOURCE DEST PROTO DPORT SPORT ORIGDEST RATE USER
|
||||
|
||||
?COMMENT Needed ICMP types
|
||||
|
||||
DEFAULT ACCEPT
|
||||
PARAM - - icmp fragmentation-needed
|
||||
PARAM - - icmp time-exceeded
|
||||
@@ -2995,58 +2995,70 @@ sub process_compiler_directive( $$$$ ) {
|
||||
} ,
|
||||
|
||||
ERROR => sub() {
|
||||
directive_error( evaluate_expression( $expression ,
|
||||
$filename ,
|
||||
$linenumber ,
|
||||
1 ) ,
|
||||
$filename ,
|
||||
$linenumber ) unless $omitting;
|
||||
unless ( $omitting ) {
|
||||
directive_error( evaluate_expression( $expression ,
|
||||
$filename ,
|
||||
$linenumber ,
|
||||
1 ) ,
|
||||
$filename ,
|
||||
$linenumber ) unless $omitting;
|
||||
}
|
||||
} ,
|
||||
|
||||
WARNING => sub() {
|
||||
directive_warning( $config{VERBOSE_MESSAGES} ,
|
||||
evaluate_expression( $expression ,
|
||||
$filename ,
|
||||
$linenumber ,
|
||||
1 ),
|
||||
$filename ,
|
||||
$linenumber ) unless $omitting;
|
||||
unless ( $omitting ) {
|
||||
directive_warning( $config{VERBOSE_MESSAGES} ,
|
||||
evaluate_expression( $expression ,
|
||||
$filename ,
|
||||
$linenumber ,
|
||||
1 ),
|
||||
$filename ,
|
||||
$linenumber ) unless $omitting;
|
||||
}
|
||||
} ,
|
||||
|
||||
INFO => sub() {
|
||||
directive_info( $config{VERBOSE_MESSAGES} ,
|
||||
evaluate_expression( $expression ,
|
||||
$filename ,
|
||||
$linenumber ,
|
||||
1 ),
|
||||
$filename ,
|
||||
$linenumber ) unless $omitting;
|
||||
unless ( $omitting ) {
|
||||
directive_info( $config{VERBOSE_MESSAGES} ,
|
||||
evaluate_expression( $expression ,
|
||||
$filename ,
|
||||
$linenumber ,
|
||||
1 ),
|
||||
$filename ,
|
||||
$linenumber ) unless $omitting;
|
||||
}
|
||||
} ,
|
||||
|
||||
'WARNING!' => sub() {
|
||||
directive_warning( ! $config{VERBOSE_MESSAGES} ,
|
||||
evaluate_expression( $expression ,
|
||||
$filename ,
|
||||
$linenumber ,
|
||||
1 ),
|
||||
$filename ,
|
||||
$linenumber ) unless $omitting;
|
||||
unless ( $omitting ) {
|
||||
directive_warning( ! $config{VERBOSE_MESSAGES} ,
|
||||
evaluate_expression( $expression ,
|
||||
$filename ,
|
||||
$linenumber ,
|
||||
1 ),
|
||||
$filename ,
|
||||
$linenumber ) unless $omitting;
|
||||
}
|
||||
} ,
|
||||
|
||||
'INFO!' => sub() {
|
||||
directive_info( ! $config{VERBOSE_MESSAGES} ,
|
||||
evaluate_expression( $expression ,
|
||||
$filename ,
|
||||
$linenumber ,
|
||||
1 ),
|
||||
$filename ,
|
||||
$linenumber ) unless $omitting;
|
||||
unless ( $omitting ) {
|
||||
directive_info( ! $config{VERBOSE_MESSAGES} ,
|
||||
evaluate_expression( $expression ,
|
||||
$filename ,
|
||||
$linenumber ,
|
||||
1 ),
|
||||
$filename ,
|
||||
$linenumber ) unless $omitting;
|
||||
}
|
||||
} ,
|
||||
|
||||
REQUIRE => sub() {
|
||||
fatal_error "?REQUIRE may only be used within action files" unless $actparams{0};
|
||||
fatal_error "Unknown capability ($expression}" unless $capabilities{$expression};
|
||||
require_capability( $expression, "The $actparams{action} action", 's' );
|
||||
unless ( $omitting ) {
|
||||
fatal_error "?REQUIRE may only be used within action files" unless $actparams{0};
|
||||
fatal_error "Unknown capability ($expression)" unless exists $capabilities{$expression};
|
||||
require_capability( $expression, "The $actparams{action} action", 's' );
|
||||
}
|
||||
} ,
|
||||
|
||||
);
|
||||
|
||||
@@ -372,6 +372,7 @@ sub initialize( $ ) {
|
||||
'icmp-host-prohibited' => 1,
|
||||
'icmp-admin-prohibited' => 1,
|
||||
'icmp-tcp-reset' => 2,
|
||||
'tcp-reset' => 2,
|
||||
);
|
||||
|
||||
} else {
|
||||
@@ -947,13 +948,14 @@ sub add_policy_rules( $$$$$ ) {
|
||||
#
|
||||
# Default action is an inline
|
||||
#
|
||||
( undef, my $level ) = split /:/, $paction, 2;
|
||||
( $action, my $param ) = get_target_param( $action );
|
||||
|
||||
process_inline( $action, #Inline
|
||||
$chainref, #Chain
|
||||
'', #Matches
|
||||
'', #Matches1
|
||||
$loglevel, #Log Level and Tag
|
||||
$level || '', #Log Level and Tag
|
||||
$paction, #Target
|
||||
$param || '', #Param
|
||||
'-', #Source
|
||||
@@ -1930,12 +1932,12 @@ sub process_action(\$\$$) {
|
||||
|
||||
progress_message2 "$doing $actionfile for chain $chainref->{name}...";
|
||||
|
||||
push_open $actionfile, 2, 1, undef, 2;
|
||||
|
||||
my $oldparms = push_action_params( $action, $chainref, $param, $level, $tag, $caller );
|
||||
my $options = $actionref->{options};
|
||||
my $nolog = $options & ( NOLOG_OPT | LOGJUMP_OPT );
|
||||
|
||||
push_open $actionfile, 2, 1, undef, 2;
|
||||
|
||||
setup_audit_action( $action ) if $options & AUDIT_OPT;
|
||||
|
||||
$active{$action}++;
|
||||
@@ -2917,6 +2919,8 @@ sub process_rule ( $$$$$$$$$$$$$$$$$$$$ ) {
|
||||
# tcp-reset
|
||||
#
|
||||
fatal_error "tcp-reset may only be used with PROTO tcp" unless ( resolve_proto( $proto ) || 0 ) == TCP;
|
||||
$exceptionrule = '-p 6 ';
|
||||
$param = 'tcp-reset';
|
||||
}
|
||||
|
||||
$action = "REJECT --reject-with $param";
|
||||
|
||||
@@ -2312,9 +2312,10 @@ EOF
|
||||
EOF
|
||||
|
||||
}
|
||||
|
||||
return ( $mangle, $fn1 );
|
||||
}
|
||||
|
||||
return ( $mangle, $fn1 );
|
||||
|
||||
}
|
||||
|
||||
#
|
||||
|
||||
@@ -110,8 +110,8 @@ TC=
|
||||
###############################################################################
|
||||
|
||||
ACCEPT_DEFAULT=none
|
||||
BLACKLIST_DEFAULT="Broadcast(DROP),Multicast(DROP),dropNotSyn:$LOG_LEVEL,dropInvalid:$LOG_LEVEL,DropDNSrep:$LOG_LEVEL"
|
||||
DROP_DEFAULT="Broadcast(DROP),Multicast(DROP)"
|
||||
BLACKLIST_DEFAULT="Broadcast(DROP),Multicast(DROP),AllowICMPs,dropNotSyn:$LOG_LEVEL,dropInvalid:$LOG_LEVEL,DropDNSrep:$LOG_LEVEL"
|
||||
DROP_DEFAULT="Broadcast(DROP),Multicast(DROP),AllowICMPs"
|
||||
NFQUEUE_DEFAULT=none
|
||||
QUEUE_DEFAULT=none
|
||||
REJECT_DEFAULT="Broadcast(DROP),Multicast(DROP)"
|
||||
|
||||
@@ -121,8 +121,8 @@ TC=
|
||||
###############################################################################
|
||||
|
||||
ACCEPT_DEFAULT=none
|
||||
BLACKLIST_DEFAULT="Broadcast(DROP),Multicast(DROP),dropNotSyn:$LOG_LEVEL,dropInvalid:$LOG_LEVEL,DropDNSrep:$LOG_LEVEL"
|
||||
DROP_DEFAULT="Broadcast(DROP),Multicast(DROP)"
|
||||
BLACKLIST_DEFAULT="Broadcast(DROP),Multicast(DROP),AllowICMPs,dropNotSyn:$LOG_LEVEL,dropInvalid:$LOG_LEVEL,DropDNSrep:$LOG_LEVEL"
|
||||
DROP_DEFAULT="Broadcast(DROP),Multicast(DROP),AllowICMPs"
|
||||
NFQUEUE_DEFAULT=none
|
||||
QUEUE_DEFAULT=none
|
||||
REJECT_DEFAULT="Broadcast(DROP),Multicast(DROP)"
|
||||
|
||||
@@ -118,8 +118,8 @@ TC=
|
||||
###############################################################################
|
||||
|
||||
ACCEPT_DEFAULT=none
|
||||
BLACKLIST_DEFAULT="Broadcast(DROP),Multicast(DROP),dropNotSyn:$LOG_LEVEL,dropInvalid:$LOG_LEVEL,DropDNSrep:$LOG_LEVEL"
|
||||
DROP_DEFAULT="Broadcast(DROP),Multicast(DROP)"
|
||||
BLACKLIST_DEFAULT="Broadcast(DROP),Multicast(DROP),AllowICMPs,dropNotSyn:$LOG_LEVEL,dropInvalid:$LOG_LEVEL,DropDNSrep:$LOG_LEVEL"
|
||||
DROP_DEFAULT="Broadcast(DROP),Multicast(DROP),AllowICMPs"
|
||||
NFQUEUE_DEFAULT=none
|
||||
QUEUE_DEFAULT=none
|
||||
REJECT_DEFAULT="Broadcast(DROP),Multicast(DROP)"
|
||||
|
||||
@@ -121,8 +121,8 @@ TC=
|
||||
###############################################################################
|
||||
|
||||
ACCEPT_DEFAULT=none
|
||||
BLACKLIST_DEFAULT="Broadcast(DROP),Multicast(DROP),dropNotSyn:$LOG_LEVEL,dropInvalid:$LOG_LEVEL,DropDNSrep:$LOG_LEVEL"
|
||||
DROP_DEFAULT="Broadcast(DROP),Multicast(DROP)"
|
||||
BLACKLIST_DEFAULT="Broadcast(DROP),Multicast(DROP),AllowICMPs,dropNotSyn:$LOG_LEVEL,dropInvalid:$LOG_LEVEL,DropDNSrep:$LOG_LEVEL"
|
||||
DROP_DEFAULT="Broadcast(DROP),Multicast(DROP),AllowICMPs"
|
||||
NFQUEUE_DEFAULT=none
|
||||
QUEUE_DEFAULT=none
|
||||
REJECT_DEFAULT="Broadcast(DROP),Multicast(DROP)"
|
||||
|
||||
@@ -25,6 +25,7 @@ A_Drop # Audited Default Action for DROP policy
|
||||
A_REJECT noinline,logjump # Audits then rejects a connection request
|
||||
A_REJECT! inline # Audits then rejects a connection request
|
||||
A_Reject # Audited Default action for REJECT policy
|
||||
AllowICMPs inline # Allow Required ICMP packets
|
||||
allowInvalid inline # Accepts packets in the INVALID conntrack state
|
||||
AutoBL noinline # Auto-blacklist IPs that exceed thesholds
|
||||
AutoBLL noinline # Helper for AutoBL
|
||||
|
||||
@@ -110,8 +110,8 @@ TC=
|
||||
###############################################################################
|
||||
|
||||
ACCEPT_DEFAULT=none
|
||||
BLACKLIST_DEFAULT="Broadcast(DROP),Multicast(DROP),dropNotSyn:$LOG_LEVEL,dropInvalid:$LOG_LEVEL,DropDNSrep:$LOG_LEVEL"
|
||||
DROP_DEFAULT="Broadcast(DROP),Multicast(DROP)"
|
||||
BLACKLIST_DEFAULT="Broadcast(DROP),Multicast(DROP),AllowICMPs,dropNotSyn:$LOG_LEVEL,dropInvalid:$LOG_LEVEL,DropDNSrep:$LOG_LEVEL"
|
||||
DROP_DEFAULT="Broadcast(DROP),Multicast(DROP),AllowICMPs"
|
||||
NFQUEUE_DEFAULT=none
|
||||
QUEUE_DEFAULT=none
|
||||
REJECT_DEFAULT="Broadcast(DROP),Multicast(DROP)"
|
||||
|
||||
@@ -16,7 +16,7 @@ RemainAfterExit=yes
|
||||
EnvironmentFile=-/etc/default/shorewall
|
||||
StandardOutput=syslog
|
||||
ExecStart=/sbin/shorewall $OPTIONS start $STARTOPTIONS
|
||||
ExecStop=/sbin/shorewall $OPTIONS stop
|
||||
ExecStop=/sbin/shorewall $OPTIONS clear
|
||||
ExecReload=/sbin/shorewall $OPTIONS reload $RELOADOPTIONS
|
||||
|
||||
[Install]
|
||||
|
||||
@@ -15,7 +15,7 @@ RemainAfterExit=yes
|
||||
EnvironmentFile=-/etc/default/shorewall6-lite
|
||||
StandardOutput=syslog
|
||||
ExecStart=/sbin/shorewall6-lite $OPTIONS start
|
||||
ExecStop=/sbin/shorewall6-lite $OPTIONS stop
|
||||
ExecStop=/sbin/shorewall6-lite $OPTIONS clear
|
||||
ExecReload=/sbin/shorewall6-lite $OPTIONS reload
|
||||
|
||||
[Install]
|
||||
|
||||
@@ -16,7 +16,7 @@ RemainAfterExit=yes
|
||||
EnvironmentFile=-/etc/default/shorewall6
|
||||
StandardOutput=syslog
|
||||
ExecStart=/sbin/shorewall -6 $OPTIONS start $STARTOPTIONS
|
||||
ExecStop=/sbin/shorewall -6 $OPTIONS stop
|
||||
ExecStop=/sbin/shorewall -6 $OPTIONS clear
|
||||
ExecReload=/sbin/shorewall -6 $OPTIONS reload $RELOADOPTIONS
|
||||
|
||||
[Install]
|
||||
|
||||
Reference in New Issue
Block a user