forked from extern/shorewall_code
66 lines
1.8 KiB
Plaintext
66 lines
1.8 KiB
Plaintext
#
|
|
# Shorewall version 4 - Action to handle bad TCP flag combinations
|
|
#
|
|
# /usr/share/shorewall/action.TCPFlags
|
|
#
|
|
# Accepts two optional parameters:
|
|
#
|
|
# Parameter 1: Disposition (default DROP).
|
|
# Must be ACCEPT, REJECT or DROP
|
|
# Parameter 2: Auditing
|
|
# - = Do not Audit
|
|
# audit = Audit ACCEPT, REJECT or DROP.
|
|
#
|
|
#################################################################################
|
|
FORMAT 2
|
|
|
|
DEFAULTS DROP,-
|
|
|
|
BEGIN PERL;
|
|
use Shorewall::Config qw(:DEFAULT F_IPV4 F_IPV6);
|
|
use Shorewall::Chains;
|
|
|
|
|
|
my ( $disposition, $audit ) = get_action_params( 2 );
|
|
|
|
my $chainref = get_action_chain;
|
|
my ( $level, $tag ) = get_action_logging;
|
|
|
|
fatal_error q(The first argument to 'TCPFlags' must be ACCEPT, REJECT, or DROP) unless $disposition =~ /^(ACCEPT|REJECT|DROP)$/;
|
|
|
|
if ( $level ne '-' || $audit ne '-' ) {
|
|
my $logchainref = ensure_filter_chain newlogchain( $chainref->{table} ), 0;
|
|
|
|
log_rule_limit( $level,
|
|
$logchainref,
|
|
$chainref->{name},
|
|
$disposition,
|
|
'',
|
|
$tag,
|
|
'add',
|
|
'' ) if $level;
|
|
|
|
if ( supplied $audit ) {
|
|
fatal_error "Invalid argument ($audit) to DropSmurfs" if $audit ne 'audit';
|
|
require_capability 'AUDIT_TARGET', q(Passing 'audit' to the TCPFlags action), 's';
|
|
add_ijump( $logchainref, j => 'AUDIT --type ' . lc $disposition );
|
|
}
|
|
|
|
add_ijump( $logchainref, g => $disposition );
|
|
|
|
$disposition = $logchainref;
|
|
}
|
|
|
|
add_ijump $chainref , g => $disposition, p => 'tcp --tcp-flags ALL FIN,URG,PSH';
|
|
add_ijump $chainref , g => $disposition, p => 'tcp --tcp-flags ALL NONE';
|
|
add_ijump $chainref , g => $disposition, p => 'tcp --tcp-flags SYN,RST SYN,RST';
|
|
add_ijump $chainref , g => $disposition, p => 'tcp --tcp-flags SYN,FIN SYN,FIN';
|
|
add_ijump $chainref , g => $disposition, p => 'tcp --syn --sport 0';
|
|
|
|
END PERL;
|
|
|
|
|
|
|
|
|
|
|