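#
# Shorewall version 4 - Action to handle bad TCP flag combinations
#
# /usr/share/shorewall/action.TCPFlags
#
# Accepts two optional parameters:
#
# Parameter 1: Disposition (default DROP).
#              Must be ACCEPT, REJECT or DROP
# Parameter 2: Auditing
#              -     = Do not Audit
#              audit = Audit ACCEPT, REJECT or DROP.
#
#################################################################################
FORMAT 2
DEFAULTS DROP,-
BEGIN PERL;

use Shorewall::Config qw(:DEFAULT F_IPV4 F_IPV6);
use Shorewall::Chains;

# Action parameters: the target applied to every matching packet, and whether
# matches are additionally passed to the AUDIT target before that.
my ( $disposition, $audit ) = get_action_params( 2 );
my $chainref = get_action_chain;
my ( $level, $tag ) = get_action_logging;

# \A/\z rather than ^/$: a trailing newline must not slip past this check and
# end up embedded in the generated jump target.
fatal_error q(The first argument to 'TCPFlags' must be ACCEPT, REJECT, or DROP)
    unless $disposition =~ /\A(?:ACCEPT|REJECT|DROP)\z/;

if ( $level ne '-' || $audit ne '-' ) {
    #
    # Logging and/or auditing was requested. Build a dedicated log chain that
    # logs, optionally audits, and then jumps to the real disposition; the
    # flag rules below are pointed at that chain instead of the disposition.
    #
    my $logchainref = ensure_filter_chain newlogchain( $chainref->{table} ), 0;

    # NOTE(review): the enclosing test compares $level with '-' while this one
    # tests truthiness -- confirm which value get_action_logging returns when
    # no log level is configured.
    log_rule_limit( $level,
                    $logchainref,
                    $chainref->{name},
                    $disposition,
                    '',
                    $tag,
                    'add',
                    '' ) if $level;

    if ( supplied $audit ) {
        # Only the literal 'audit' is accepted. The message names this action;
        # it previously referred to DropSmurfs, which misled users.
        fatal_error "Invalid argument ($audit) to TCPFlags" if $audit ne 'audit';
        require_capability 'AUDIT_TARGET', q(Passing 'audit' to the TCPFlags action), 's';
        # AUDIT's --type wants the lower-case form of the disposition.
        add_ijump( $logchainref, j => 'AUDIT --type ' . lc $disposition );
    }

    add_ijump( $logchainref, g => $disposition );

    $disposition = $logchainref;
}

#
# Flag settings this action treats as bad. Each rule hands matching packets to
# $disposition, which is the log chain when logging/auditing is enabled and the
# configured target otherwise.
#
add_ijump( $chainref, g => $disposition, p => 'tcp --tcp-flags ALL FIN,URG,PSH' );   # only FIN, URG and PSH set
add_ijump( $chainref, g => $disposition, p => 'tcp --tcp-flags ALL NONE' );          # no flags set at all
add_ijump( $chainref, g => $disposition, p => 'tcp --tcp-flags SYN,RST SYN,RST' );   # SYN and RST together
add_ijump( $chainref, g => $disposition, p => 'tcp --tcp-flags SYN,FIN SYN,FIN' );   # SYN and FIN together
add_ijump( $chainref, g => $disposition, p => 'tcp --syn --sport 0' );               # SYN from source port 0

END PERL;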