>>> I didn't expect A_DROPs -- look at the generated rules again.
>>>
>>>
>> Do I look at the generated .start or somewhere else?
>>
>
> Or start the thing and look at 'shorewall show'. You need to follow the
> rules to where your modified actions are invoked and then see what they
> invoke.
>
"shorewall show" outputs this:
Chain ADrop (4 references)
pkts bytes target prot opt in out source destination
0 0 all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 A_REJECT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:113 /* Auth */
0 0 %dropBcast all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 icmp type 3 code 4 /* Needed ICMP types */
0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 icmp type 11 /* Needed ICMP types */
0 0 %dropInvalid all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 A_DROP udp -- * * 0.0.0.0/0 0.0.0.0/0 multiport dports 135,445 /* SMB */
0 0 A_DROP udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpts:137:139 /* SMB */
0 0 A_DROP udp -- * * 0.0.0.0/0 0.0.0.0/0 udp spt:137 dpts:1024:65535 /* SMB */
0 0 A_DROP tcp -- * * 0.0.0.0/0 0.0.0.0/0 multiport dports 135,139,445 /* SMB */
0 0 DROP udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:1900 /* UPnP */
0 0 %dropNotSyn tcp -- * * 0.0.0.0/0 0.0.0.0/0
0 0 DROP udp -- * * 0.0.0.0/0 0.0.0.0/0 udp spt:53 /* Late DNS Replies */

Chain AReject (0 references)
pkts bytes target prot opt in out source destination
0 0 all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 A_REJECT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:113 /* Auth */
0 0 %dropBcast all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 icmp type 3 code 4 /* Needed ICMP types */
0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 icmp type 11 /* Needed ICMP types */
0 0 %dropInvalid all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 A_REJECT udp -- * * 0.0.0.0/0 0.0.0.0/0 multiport dports 135,445 /* SMB */
0 0 A_REJECT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpts:137:139 /* SMB */
0 0 A_REJECT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp spt:137 dpts:1024:65535 /* SMB */
0 0 A_REJECT tcp -- * * 0.0.0.0/0 0.0.0.0/0 multiport dports 135,139,445 /* SMB */
0 0 DROP udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:1900 /* UPnP */
0 0 %dropNotSyn tcp -- * * 0.0.0.0/0 0.0.0.0/0
0 0 DROP udp -- * * 0.0.0.0/0 0.0.0.0/0 udp spt:53 /* Late DNS Replies */
Notice the ACCEPT and DROP jumps in both chains. I have this in my
action.AReject and action.ADrop respectively:
AllowICMPs(audit) - - icmp
DropUPnP(audit)
DropDNSrep(audit)
So, shouldn't the above be A_ACCEPT and A_DROP instead of ACCEPT and
DROP then?
_______________________________________________
Shorewall-devel mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/shorewall-devel
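The question in the post is whether an action chain built from audited actions may still contain plain ACCEPT/DROP targets. The script below is an added example, not code from the mail or from the Shorewall project: it parses `shorewall show` output in the `iptables -L -n -v` layout shown above (including lines that a mail client wrapped after the source column), collects the targets per chain, and reports chains that mix audited `A_*` targets with plain `ACCEPT`/`DROP`/`REJECT`. The sample chain is constructed from the ADrop output in the mail, and the function names (`unwrap`, `parse_chains`, `mixed_targets`) are my own.

```python
import re

# Constructed sample: a cut-down copy of the ADrop chain from the mail,
# wrapped the way the mail client printed it (destination column and match
# text on their own line). A real run would feed in `shorewall show` output.
SAMPLE = """\
Chain ADrop (4 references)
pkts bytes target prot opt in out source
destination
0 0 all -- * * 0.0.0.0/0
0.0.0.0/0
0 0 A_REJECT tcp -- * * 0.0.0.0/0
0.0.0.0/0 tcp dpt:113 /* Auth */
0 0 ACCEPT icmp -- * * 0.0.0.0/0
0.0.0.0/0 icmp type 3 code 4 /* Needed ICMP types */
0 0 %dropInvalid all -- * * 0.0.0.0/0
0.0.0.0/0
0 0 A_DROP udp -- * * 0.0.0.0/0
0.0.0.0/0 multiport dports 135,445 /* SMB */
0 0 DROP udp -- * * 0.0.0.0/0
0.0.0.0/0 udp dpt:1900 /* UPnP */
"""

CHAIN_RE = re.compile(r"^Chain (\S+) \((\d+) references\)")
RULE_RE = re.compile(r"^\d+\s+\d+\s")      # a rule line starts with the pkts and bytes counters
OPT_RE = re.compile(r"^(--|-f|!f)$")        # values the iptables 'opt' column can take
PLAIN = {"ACCEPT", "DROP", "REJECT"}
AUDITED = {"A_ACCEPT", "A_DROP", "A_REJECT"}


def unwrap(text):
    """Rejoin rule lines that were wrapped after the source column.

    A line that is neither a 'Chain' header, the column header, nor a line
    starting with two counters is glued onto the previous line.
    """
    lines = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        is_start = bool(CHAIN_RE.match(line) or RULE_RE.match(line)
                        or line.startswith("pkts "))
        if lines and not is_start:
            lines[-1] += " " + line
        else:
            lines.append(line)
    return lines


def parse_chains(text):
    """Map chain name -> list of targets in rule order.

    A rule with no target (the first rule of each chain in the mail) yields
    ''; it is recognised because the 'opt' column is then the fourth token.
    """
    chains = {}
    current = None
    for line in unwrap(text):
        header = CHAIN_RE.match(line)
        if header:
            current = header.group(1)
            chains.setdefault(current, [])
            continue
        if current is None or line.startswith("pkts "):
            continue
        tokens = line.split()
        target = "" if OPT_RE.match(tokens[3]) else tokens[2]
        chains[current].append(target)
    return chains


def mixed_targets(chains):
    """Return {chain: sorted plain targets} for every chain that uses both
    audited (A_*) and plain terminal targets. Such a chain audits some
    packets and silently accepts or drops the rest, which is the situation
    the mail asks about."""
    report = {}
    for name, targets in chains.items():
        present = set(targets)
        if present & AUDITED and present & PLAIN:
            report[name] = sorted(present & PLAIN)
    return report


if __name__ == "__main__":
    for chain, plain in mixed_targets(parse_chains(SAMPLE)).items():
        print(f"{chain}: chain with audited targets still uses plain {', '.join(plain)}")
```

Run against the full `shorewall show` output, the check lists every chain in which an `audit` parameter did not reach all the nested actions; a chain that uses only `A_*` targets (or only plain ones) is not reported.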