On 05/24/2011 04:43 AM, Mr Dash Four wrote:
>
>>>>> AllowICMPs(audit)	-	-	icmp
>>>>> DropUPnP(audit)
>>>>> DropDNSrep(audit)
>>>>>
>>>>> So, shouldn't the above be A_ACCEPT and A_DROP instead of ACCEPT and
>>>>> DROP then?
>>>>>
>>>> No -- not unless you have modified the macros like I suggested in an
>>>> earlier post.
>>>>
>>> So, in other words, specifying "audit" in the above 3 macros is
>>> completely meaningless then?
>>>
>> You are an output-only device which I'm now shutting off for the night.
>>
> Yeah, as if!
>
> If I understood you correctly, your earlier "suggestion" was this:
>
>> I would
>>
>> [...]
>> - Modify the copy as needed. You might also need to copy macros like
>> macro.SMB that are invoked by the action if you want audited copies of those
>> as well
>>
> So, in order to make a default action fully accept "audit" (something
> you claim is now "supported" in .20-Beta3) I have to 1) find out what
> macros these default actions depend on; 2) decide (by means of testing)
> which of those macros support "audit" and which do not; 3) copy, then
> edit, then change those macros that do not support "audit"; 4) edit my
> actions file to reflect these changes I have just made and finally 5)
> change my shorewall.conf to add these newly-defined "custom actions" in?
>
> Right! Do you think I have the word "Goofy" imprinted on my forehead by
> any chance?
I was (foolishly) hoping that you would create and contribute audited
versions of the standard default actions (and learn something about
Shorewall in the process) but I see that was a pipe dream. So I spent 11
minutes and created them myself. Hopefully you will be able to integrate
these into your configuration. If not, you can wait until Beta 4 when they
will be included in the standard product.

-Tom
--
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________
#
# Shorewall version 4 - Drop Action
#
# /usr/share/shorewall/action.Drop
#
# The default DROP common rules
#
# This action is invoked before a DROP policy is enforced. The purpose
# of the action is:
#
#	a) Avoid logging lots of useless cruft.
#	b) Ensure that 'auth' requests are rejected, even if the policy is
#	   DROP. Otherwise, you may experience problems establishing
#	   connections with servers that use auth.
#	c) Ensure that certain ICMP packets that are necessary for successful
#	   internet operation are always ACCEPTed.
#
# IF YOU ARE HAVING CONNECTION PROBLEMS, CHANGING THIS FILE WON'T HELP!!!!!!!!!
#
###############################################################################
#TARGET		SOURCE	DEST	PROTO	DPORT	SPORT
#
# Count packets that come through here
#
COUNT
#
# Reject 'auth'
#
Auth(A_REJECT)
#
# Don't log broadcasts
#
dropBcast(audit)
#
# ACCEPT critical ICMP types (audited macro, as in action.Reject below)
#
AAllowICMPs	-	-	icmp
#
# Drop packets that are in the INVALID state -- these are usually ICMP packets
# and just confuse people when they appear in the log.
#
dropInvalid(audit)
#
# Drop Microsoft noise so that it doesn't clutter up the log.
#
SMB(A_DROP)
ADropUPnP
#
# Drop 'newnotsyn' traffic so that it doesn't get logged.
#
dropNotSyn(audit)	-	-	tcp
#
# Drop late-arriving DNS replies. These are just a nuisance and clutter up
# the log (audited macro, as in action.Reject below).
#
ADropDNSrep
#
# Shorewall version 4 - Reject Action
#
# /usr/share/shorewall/action.Reject
#
# The default REJECT action common rules
#
# This action is invoked before a REJECT policy is enforced. The purpose
# of the action is:
#
#	a) Avoid logging lots of useless cruft.
#	b) Ensure that certain ICMP packets that are necessary for successful
#	   internet operation are always ACCEPTed.
#
# IF YOU ARE HAVING CONNECTION PROBLEMS, CHANGING THIS FILE WON'T HELP!!!!!!!!!
###############################################################################
#TARGET		SOURCE	DEST	PROTO
#
# Count packets that come through here
#
COUNT
#
# Don't log 'auth' -- REJECT
#
Auth(A_REJECT)
#
# Drop Broadcasts so they don't clutter up the log
# (broadcasts must *not* be rejected).
#
dropBcast(audit)
#
# ACCEPT critical ICMP types
#
AAllowICMPs	-	-	icmp
#
# Drop packets that are in the INVALID state -- these are usually ICMP packets
# and just confuse people when they appear in the log (these ICMPs cannot be
# rejected).
#
dropInvalid(audit)
#
# Reject Microsoft noise so that it doesn't clutter up the log.
#
SMB(A_REJECT)
ADropUPnP
#
# Drop 'newnotsyn' traffic so that it doesn't get logged.
#
dropNotSyn(audit)	-	-	tcp
#
# Drop late-arriving DNS replies. These are just a nuisance and clutter up
# the log.
#
ADropDNSrep
#
# Shorewall version 4 - Audited AllowICMPs Macro
#
# /usr/share/shorewall/macro.AAllowICMPs
#
#	This macro A_ACCEPTs needed ICMP types
#
###############################################################################
#ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	RATE	USER/
#				PORT(S)	PORT(S)	LIMIT	GROUP
COMMENT Needed ICMP types
A_ACCEPT	-	-	icmp	fragmentation-needed
A_ACCEPT	-	-	icmp	time-exceeded
#
# Shorewall version 4 - Audited DropDNSrep Macro
#
# /usr/share/shorewall/macro.ADropDNSrep
#
#	This macro silently audits and drops DNS UDP replies
#
###############################################################################
#ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	RATE	USER/
#				PORT(S)	PORT(S)	LIMIT	GROUP
COMMENT Late DNS Replies
A_DROP	-	-	udp	-	53
#
# Shorewall version 4 - ADropUPnP Macro
#
# /usr/share/shorewall/macro.ADropUPnP
#
#	This macro silently audits and drops UPnP probes on UDP port 1900
#
###############################################################################
#ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	RATE	USER/
#				PORT(S)	PORT(S)	LIMIT	GROUP
COMMENT UPnP
A_DROP	-	-	udp	1900
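The procedure argued over above (copy a shipped macro, rewrite its plain targets to the A_ forms, then find out which invoked macros still need an audited copy of their own) is mechanical enough to script. The following is an added example written for this thread, not Shorewall's own code or Tom's attachments: it assumes only that Shorewall resolves macro.NAME / action.NAME along CONFIG_PATH with /etc/shorewall searched before /usr/share/shorewall (the usual default), so an audited copy named macro.AFoo dropped into /etc/shorewall is picked up without touching the shipped files. The macro names macro.Foo / macro.AFoo and the sample macro body are constructed placeholders.

```shell
#!/bin/sh
# Added example (not Shorewall's own code): produce an audited copy of a
# Shorewall macro or action file and report what still needs attention.
#
# Assumption: CONFIG_PATH lists /etc/shorewall before /usr/share/shorewall,
# so a copy such as /etc/shorewall/macro.AFoo is found by name.

# audit_copy SRC DST
# Rewrite a bare ACCEPT/DROP/REJECT in the first column to A_ACCEPT/A_DROP/
# A_REJECT. Comment lines, COMMENT directives, PARAM, COUNT and macro
# invocations (e.g. SMB(A_DROP), AllowICMPs) are left untouched. A target
# carrying a log level (ACCEPT:info) is also left alone on purpose; the
# check below reports it so it can be handled by hand.
audit_copy() {
    src=$1 dst=$2
    [ -r "$src" ] || { echo "audit_copy: cannot read $src" >&2; return 1; }
    sed -E -e '/^[[:space:]]*#/b' \
           -e 's/^(ACCEPT|DROP|REJECT)([[:space:]]|$)/A_\1\2/' "$src" > "$dst"
}

# First-column entries of FILE, one per line, comments and blanks excluded.
_targets() { grep -vE '^[[:space:]]*(#|$)' "$1" | awk '{ print $1 }'; }

# plain_targets FILE: unaudited targets still present, sorted and unique.
plain_targets() {
    _targets "$1" | grep -E '^(ACCEPT|DROP|REJECT)(:.*)?$' | sort -u
}

# invoked_names FILE: first-column names that are neither targets nor
# Shorewall keywords, i.e. the macros/actions this file invokes. Each one
# may need its own audited copy (the way AAllowICMPs stands in for
# AllowICMPs above), or must already take an "audit" parameter.
invoked_names() {
    _targets "$1" \
      | grep -vE '^(A_ACCEPT|A_DROP|A_REJECT|ACCEPT|DROP|REJECT|COUNT|COMMENT|PARAM|LOG|NFLOG|ULOG)(:.*)?$' \
      | sort -u
}

# Demo on a constructed macro file (not a real Shorewall macro).
demo() {
    dir=$(mktemp -d) || return 1
    cat > "$dir/macro.Foo" <<'EOF'
#ACTION	SOURCE	DEST	PROTO	DEST	SOURCE
#				PORT(S)	PORT(S)
COMMENT Constructed sample
ACCEPT	-	-	icmp	fragmentation-needed
DROP	-	-	udp	1900
REJECT	-	-	tcp	113
SMB(A_DROP)
AllowICMPs	-	-	icmp
EOF
    audit_copy "$dir/macro.Foo" "$dir/macro.AFoo"
    echo "== audited copy =="
    cat "$dir/macro.AFoo"
    echo "== plain targets left in the copy =="
    plain_targets "$dir/macro.AFoo"
    echo "== invoked names to check for audited versions =="
    invoked_names "$dir/macro.AFoo"
    rm -rf "$dir"
}

demo
```

Run `invoked_names` on the copy before relying on it: a name it prints that is neither a builtin accepting `(audit)` nor something you have an A-prefixed copy of is exactly the case the quoted exchange is about, where `(audit)` on the invocation changes nothing because the macro body still says ACCEPT or DROP.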
_______________________________________________ Shorewall-devel mailing list [email protected] https://lists.sourceforge.net/lists/listinfo/shorewall-devel
