On 8/30/2013 7:33 PM, Mark van Dijk wrote:
> Hi Tom, list members,
>
> With Shorewall's REJECT rule handling, the firewall generates a RST for
> TCP and an ICMP 3/1 destination host unreachable for the other
> protocols. I think it is not possible to customise this behaviour.
> Unless I overlooked something but I hope not, for the sake of this email. :)
>
> Since the stack supports specifying type 3 rejection codes I am hoping
> shorewall could support it too. In my case I'd like the firewall to
> return code 15 "Communication administratively prohibited" or code 8
> "Source host isolated" for when I'm in a BOFH mood.
>
> One simple suggestion is to define a new PROHIBIT target with a static
> alternative set in shorewall.conf.
>
> I would have suggested it to be configurable on a per-rule basis but
> remain unsure if that would require too much work for its purpose.
>
In 4.5.21, it will be possible to do that. See the sample action below.
Note that it doesn't work with earlier versions because the compiler
rejects the '--reject-with' option when '-j REJECT' is used with INLINE.
>
> Probably not: the Internet is a much bigger place these days. Although
> it does feel like the opposite, doesn't it?
>
> While unintended it sounds cynical to say "thank you" here so let me try
> "kind regards" instead.*
>
:-)
The following is from the 4.5.21 Beta 1 release notes. I will be
uploading Beta 1 later this week.
1) When a REJECT target is specified, Shorewall normally handles the
packet as follows:
- If the destination address is a broadcast or multicast address,
the packet is dropped.
- If the protocol is IGMP (1), then the packet is dropped.
- If the protocol is TCP (6) then the packet is rejected with an
RST.
- If the protocol is UDP (17) then the packet is rejected with
a 'port-unreachable' ICMP (ICMP6).
- If the protocol is ICMP (ICMP6), then the packet is rejected
with a 'host-unreachable' ('addr-unreachable') ICMP (ICMP6).
- Otherwise, the packet is rejected with a 'host-prohibited'
(adm-prohibited) ICMP (ICMP6).
Beginning with this release, this behavior may be modified using
the new REJECT_ACTION option in shorewall.conf (shorewall6.conf).
REJECT_ACTION=<action>
where <action> is the name of an action that implements your
alternative handling. The 'nolog' option is automatically assumed
for the named <action> and it is recommended that the 'inline'
option be specified for the action in /etc/shorewall/actions.
The following action implements the standard behavior described
above:
?format 2
#TARGET          SOURCE  DEST  PROTO
Broadcast(DROP)  -       -     -
DROP             -       -     2
INLINE           -       -     6     ; -j REJECT --reject-with tcp-reset
?if __ENHANCED_REJECT
INLINE           -       -     17    ; -j REJECT
?if __IPV4
INLINE           -       -     1     ; -j REJECT --reject-with icmp-host-unreachable
INLINE           -       -     -     ; -j REJECT --reject-with icmp-host-prohibited
?else
INLINE           -       -     58    ; -j REJECT --reject-with icmp6-addr-unreachable
INLINE           -       -     -     ; -j REJECT --reject-with icmp6-adm-prohibited
?endif
?else
INLINE           -       -     -     ; -j REJECT
?endif
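As an added illustration (not from the release notes or from Tom's message), this is how the facility described above could be used to get the "administratively prohibited" behaviour Mark asked for: broadcast/multicast and IGMP are still dropped and TCP still gets an RST, but every other protocol is answered with ICMP type 3 code 13 (icmp-admin-prohibited) on IPv4 or icmp6-adm-prohibited on IPv6. The action name Prohibit, the actions-file option syntax and the file paths are assumptions; note that the netfilter REJECT target offers no "source host isolated" (code 8) variant, so that part of the request cannot be expressed this way.

```conf
# /etc/shorewall/actions  (assumed entry; 'inline' is the option the
# release note recommends, 'nolog' is assumed automatically for REJECT_ACTION)
#ACTION     OPTIONS
Prohibit    inline

# /etc/shorewall/shorewall.conf  (the new option described above)
REJECT_ACTION=Prohibit

# /etc/shorewall/action.Prohibit  (same file under /etc/shorewall6 for IPv6;
# the __IPV4 test selects the right ICMP flavour)
?format 2
#TARGET          SOURCE  DEST  PROTO
Broadcast(DROP)  -       -     -        # silently drop broadcast/multicast
DROP             -       -     2        # silently drop IGMP
INLINE           -       -     6     ; -j REJECT --reject-with tcp-reset
?if __ENHANCED_REJECT
?if __IPV4
# every remaining protocol (UDP, ICMP, ...) gets type 3 / code 13
INLINE           -       -     -     ; -j REJECT --reject-with icmp-admin-prohibited
?else
INLINE           -       -     -     ; -j REJECT --reject-with icmp6-adm-prohibited
?endif
?else
# kernels without enhanced REJECT support fall back to the default reject
INLINE           -       -     -     ; -j REJECT
?endif
```

Because the action is global (REJECT_ACTION applies to every REJECT rule), hosts probing the firewall will now see an explicit "administratively prohibited" answer rather than a host-unreachable one; that is the intended disclosure here, but it is worth keeping in mind when choosing the code.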
Cheers,
-Tom
--
Tom Eastep \ When I die, I want to go like my Grandfather who
Shoreline, \ died peacefully in his sleep. Not screaming like
Washington, USA \ all of the passengers in his car
http://shorewall.net \________________________________________________
Shorewall-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/shorewall-users
