On 5/23/11 6:48 PM, Mr Dash Four wrote:
>>>> I didn't expect A_DROPs -- look at the generated rules again.
>>>>
>>> Do I look at the generated .start or somewhere else?
>>>
>> Or start the thing and look at 'shorewall show'. You need to follow the
>> rules to where your modified actions are invoked and then see what they
>> invoke.
>>
> "shorewall show" outputs this:
>
> Chain ADrop (4 references)
>  pkts bytes target        prot opt in  out  source     destination
>     0     0               all  --  *   *    0.0.0.0/0  0.0.0.0/0
>     0     0 A_REJECT      tcp  --  *   *    0.0.0.0/0  0.0.0.0/0  tcp dpt:113 /* Auth */
>     0     0 %dropBcast    all  --  *   *    0.0.0.0/0  0.0.0.0/0
>     0     0 ACCEPT        icmp --  *   *    0.0.0.0/0  0.0.0.0/0  icmp type 3 code 4 /* Needed ICMP types */
>     0     0 ACCEPT        icmp --  *   *    0.0.0.0/0  0.0.0.0/0  icmp type 11 /* Needed ICMP types */
>     0     0 %dropInvalid  all  --  *   *    0.0.0.0/0  0.0.0.0/0
>     0     0 A_DROP        udp  --  *   *    0.0.0.0/0  0.0.0.0/0  multiport dports 135,445 /* SMB */
>     0     0 A_DROP        udp  --  *   *    0.0.0.0/0  0.0.0.0/0  udp dpts:137:139 /* SMB */
>     0     0 A_DROP        udp  --  *   *    0.0.0.0/0  0.0.0.0/0  udp spt:137 dpts:1024:65535 /* SMB */
>     0     0 A_DROP        tcp  --  *   *    0.0.0.0/0  0.0.0.0/0  multiport dports 135,139,445 /* SMB */
>     0     0 DROP          udp  --  *   *    0.0.0.0/0  0.0.0.0/0  udp dpt:1900 /* UPnP */
>     0     0 %dropNotSyn   tcp  --  *   *    0.0.0.0/0  0.0.0.0/0
>     0     0 DROP          udp  --  *   *    0.0.0.0/0  0.0.0.0/0  udp spt:53 /* Late DNS Replies */
>
> Chain AReject (0 references)
>  pkts bytes target        prot opt in  out  source     destination
>     0     0               all  --  *   *    0.0.0.0/0  0.0.0.0/0
>     0     0 A_REJECT      tcp  --  *   *    0.0.0.0/0  0.0.0.0/0  tcp dpt:113 /* Auth */
>     0     0 %dropBcast    all  --  *   *    0.0.0.0/0  0.0.0.0/0
>     0     0 ACCEPT        icmp --  *   *    0.0.0.0/0  0.0.0.0/0  icmp type 3 code 4 /* Needed ICMP types */
>     0     0 ACCEPT        icmp --  *   *    0.0.0.0/0  0.0.0.0/0  icmp type 11 /* Needed ICMP types */
>     0     0 %dropInvalid  all  --  *   *    0.0.0.0/0  0.0.0.0/0
>     0     0 A_REJECT      udp  --  *   *    0.0.0.0/0  0.0.0.0/0  multiport dports 135,445 /* SMB */
>     0     0 A_REJECT      udp  --  *   *    0.0.0.0/0  0.0.0.0/0  udp dpts:137:139 /* SMB */
>     0     0 A_REJECT      udp  --  *   *    0.0.0.0/0  0.0.0.0/0  udp spt:137 dpts:1024:65535 /* SMB */
>     0     0 A_REJECT      tcp  --  *   *    0.0.0.0/0  0.0.0.0/0  multiport dports 135,139,445 /* SMB */
>     0     0 DROP          udp  --  *   *    0.0.0.0/0  0.0.0.0/0  udp dpt:1900 /* UPnP */
>     0     0 %dropNotSyn   tcp  --  *   *    0.0.0.0/0  0.0.0.0/0
>     0     0 DROP          udp  --  *   *    0.0.0.0/0  0.0.0.0/0  udp spt:53 /* Late DNS Replies */
>
> Notice the ACCEPT and DROP jumps in both chains. I have this in my
> action.AReject and action.ADrop respectively:
>
> AllowICMPs(audit)	-	-	icmp
> DropUPnP(audit)
> DropDNSrep(audit)
>
> So, shouldn't the above be A_ACCEPT and A_DROP instead of ACCEPT and
> DROP then?
No -- not unless you have modified the macros like I suggested in an earlier post.

-Tom

-- 
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________
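To see which rules inside the audit action chains still jump to the plain builtin targets rather than the A_* ones, a small parser over the `shorewall show` listing is enough. This is an added example, not Shorewall's own code; the chain names ADrop and AReject are taken from the thread, and the sample listing is a constructed, abbreviated copy of the ADrop chain above.

```python
"""Added example, not Shorewall's own code: list, per audit action chain in
`shorewall show` output, the rules that jump to plain ACCEPT/DROP/REJECT."""
import re

PLAIN = {"ACCEPT", "DROP", "REJECT"}     # builtin targets with no audit record
PROTOS = {"all", "tcp", "udp", "icmp", "esp", "ah", "sctp", "udplite"}
CHAIN_RE = re.compile(r"^Chain (\S+) \(\d+ references?\)")

def parse_chains(text):
    """Return {chain: [(target, proto, extras), ...]}; a row with an empty
    target column (first row of ADrop above) is kept with target ''."""
    chains, current = {}, None
    for line in text.splitlines():
        m = CHAIN_RE.match(line)
        if m:
            current = m.group(1)
            chains[current] = []
            continue
        f = line.split()
        if current is None or len(f) < 8 or not f[0].isdigit():
            continue                          # blank line or column header
        if f[2] in PROTOS:                    # empty target: fields shift left
            target, rest = "", f[2:]
        else:
            target, rest = f[2], f[3:]
        chains[current].append((target, rest[0], " ".join(rest[6:])))
    return chains

def unaudited_jumps(text, audit_chains=("ADrop", "AReject")):
    """Rules in the named action chains whose target is a plain builtin,
    i.e. a macro expanded without the A_* audited targets."""
    report = {}
    for chain, rules in parse_chains(text).items():
        if chain in audit_chains:
            hits = [(t, x) for t, _, x in rules if t in PLAIN]
            if hits:
                report[chain] = hits
    return report

# Constructed sample: the thread's ADrop chain, abbreviated to a few rows.
SAMPLE = """\
Chain ADrop (4 references)
 pkts bytes target     prot opt in  out  source     destination
    0     0            all  --  *   *    0.0.0.0/0  0.0.0.0/0
    0     0 A_REJECT   tcp  --  *   *    0.0.0.0/0  0.0.0.0/0  tcp dpt:113 /* Auth */
    0     0 ACCEPT     icmp --  *   *    0.0.0.0/0  0.0.0.0/0  icmp type 3 code 4 /* Needed ICMP types */
    0     0 A_DROP     udp  --  *   *    0.0.0.0/0  0.0.0.0/0  multiport dports 135,445 /* SMB */
    0     0 DROP       udp  --  *   *    0.0.0.0/0  0.0.0.0/0  udp dpt:1900 /* UPnP */
    0     0 DROP       udp  --  *   *    0.0.0.0/0  0.0.0.0/0  udp spt:53 /* Late DNS Replies */
"""
```

Feeding it the live output (`shorewall show ADrop AReject`) instead of SAMPLE reports exactly the ACCEPT and DROP rows the thread asks about, which is the quickest way to confirm whether the macros have been converted.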
_______________________________________________
Shorewall-devel mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/shorewall-devel
