Thank you very much, Tom, for this solution, but I have a problem with the new function set_comment during compilation:

Checking /etc/shorewall/action.DNSR for chain DNSR...
ERROR: Undefined subroutine &Shorewall::User::set_comment called at /etc/shorewall/action.DNSR line 22.

Naturally I patched the file /usr/share/shorewall/Shorewall/Config.pm.

shorewall version: 4.5.18

After some searching I found a stupid fix, but I want you to approve it! I added "use Shorewall::Config qw(:DEFAULT :internal);" after the add_drop_rule definition. I can't test it now.. What do you think about it?

Thanks for support
Luca

----- Original message -----
| From: "Tom Eastep" <teas...@shorewall.net>
| To: "Shorewall Users" <shorewall-users@lists.sourceforge.net>
| Sent: Monday, 23 September 2013 19:47:17
| Subject: Re: [Shorewall-users] Custom iptables rules to drop DNS Amplification Attacks
|
| On 9/23/2013 5:41 AM, Luca Camillo wrote:
| > Hi all, I need help to implement this kind of rule on shorewall:
| >
| > iptables --insert INPUT -p udp --dport 53 -m u32 --u32
| > "0x28&0xFFDFDFDF=0x055a5a47 && 0x2c&0xDFDFFFDF=0x53540343 &&
| > 0x30&0xDFDFFFFF=0x4f4d0000" -j DROP
| >
| > This kind of rule is needed to block a DNS Amplification Attack.
| > I found this file
| > https://github.com/smurfmonitor/dns-iptables-rules/blob/master/domain-blacklist.txt
| > where we can find iptables rules to prevent this kind of attack by
| > filtering message requests.
| >
| > I already found
| > http://www.shorewall.net/pub/shorewall/contrib/DNSDDOS/ but it seems
| > old and ineffective.
| >
| > Is there any way to do that on shorewall?
|
| Yes.
|
| /etc/shorewall/actions:
|
| DNSR
|
| /etc/shorewall/rules:
|
| DNSR net all udp 53
|
| Attached is a file named action.DNSR which needs to be moved to
| /etc/shorewall. That file only implements the first three rules from the
| example -- the rest are left to those that want to implement this (I
| think it is pretty obvious how to add the additional rules).
|
| Also attached is a patch which must be applied to Config.pm. That file
| may be installed in /usr/share/shorewall/Shorewall or somewhere under
| /usr/share/perl*.
|
| patch <path to>/Config.pm < ADDCOMMENT.patch
|
| -Tom
| --
| Tom Eastep        \ When I die, I want to go like my Grandfather who
| Shoreline,         \ died peacefully in his sleep. Not screaming like
| Washington, USA     \ all of the passengers in his car
| http://shorewall.net \________________________________________________
|
| ------------------------------------------------------------------------------
| October Webinars: Code for Performance
| Free Intel webinars can help you accelerate application performance.
| Explore tips for MPI, OpenMP, advanced profiling, and more. Get the most from
| the latest Intel processors and coprocessors. See abstracts and register >
| http://pubads.g.doubleclick.net/gampad/clk?id=60133471&iu=/4140/ostg.clktrk
| _______________________________________________
| Shorewall-users mailing list
| Shorewall-users@lists.sourceforge.net
| https://lists.sourceforge.net/lists/listinfo/shorewall-users
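The u32 expression in the quoted iptables rule is a byte-by-byte match on the DNS question name: offset 0x28 is where QNAME starts (20-byte IPv4 header without options, 8-byte UDP header, 12-byte DNS header), each 32-bit word is compared under a mask, and the 0xDF mask bytes clear bit 0x20 so that ASCII letters match case-insensitively while length bytes, digits and the terminator use 0xFF. Decoding the rule this way shows it matches queries for zzgst.com. The following Python script is an added example, not code from the thread, from Tom's action.DNSR, or from Shorewall: it decodes an existing expression back to the domain it targets and builds an expression for any domain, which is the "additional rules" step the reply leaves to the reader. Function names and the constructed test name example.com are my own; one deliberate difference from the quoted rule is that padding bytes after the QNAME terminator get a 0x00 (don't-care) mask, whereas the third clause of the quoted rule also pins the high byte of QTYPE to zero, which would never match if two padding bytes covered the whole QTYPE field.

```python
"""Build and decode iptables u32 expressions that match a DNS query name.

Added example for the thread above; not part of Shorewall or of the
quoted action file. Assumes the same packet layout as the quoted rule:
IPv4 header with no options (20 bytes) + UDP (8) + DNS header (12).
"""
import re

# Offset of QNAME from the start of the IP header, as in the quoted rule.
DNS_QNAME_OFFSET = 0x28

# One u32 clause: <offset>&<mask>=<value>, all in hex.
_CLAUSE_RE = re.compile(r"0x([0-9a-fA-F]+)&0x([0-9a-fA-F]{8})=0x([0-9a-fA-F]{8})")


def encode_qname(domain: str) -> bytes:
    """Wire-format QNAME: length-prefixed labels ending in a zero byte."""
    out = bytearray()
    for label in domain.rstrip(".").split("."):
        if not 1 <= len(label) <= 63:
            raise ValueError(f"bad label length in {domain!r}")
        out.append(len(label))
        out.extend(label.encode("ascii"))
    out.append(0)
    return bytes(out)


def u32_qname_match(domain: str) -> str:
    """Return a u32 expression matching queries for `domain`, case-insensitively."""
    qname = encode_qname(domain)
    # Pad to whole 32-bit words; padding bytes fall on QTYPE/QCLASS and are
    # masked out (0x00) so the rule does not depend on the record type asked.
    pad = (-len(qname)) % 4
    clauses = []
    for i in range(0, len(qname) + pad, 4):
        mask = value = 0
        for j in range(i, i + 4):
            mask <<= 8
            value <<= 8
            if j >= len(qname):
                continue  # padding: mask 0x00, value 0x00
            b = qname[j]
            if 0x41 <= (b & 0xDF) <= 0x5A:  # ASCII letter: fold case via 0xDF
                mask |= 0xDF
                value |= b & 0xDF
            else:  # length byte, digit, hyphen or terminator: exact match
                mask |= 0xFF
                value |= b
        clauses.append(f"0x{DNS_QNAME_OFFSET + i:x}&0x{mask:08X}=0x{value:08x}")
    return " && ".join(clauses)


def decode_u32_qname(expr: str) -> str:
    """Recover the (lower-cased) domain a QNAME-matching u32 expression targets."""
    raw = bytearray()
    expected = DNS_QNAME_OFFSET
    for off, mask, value in _CLAUSE_RE.findall(expr):
        if int(off, 16) != expected:
            raise ValueError("clauses must be contiguous from the QNAME offset")
        expected += 4
        m, v = int(mask, 16), int(value, 16)
        for shift in (24, 16, 8, 0):
            mb, vb = (m >> shift) & 0xFF, (v >> shift) & 0xFF
            # 0xDF masks a letter whose value byte is the upper-case form.
            raw.append(vb | 0x20 if mb == 0xDF else vb)
    labels, i = [], 0
    while True:
        if i >= len(raw):
            raise ValueError("expression ends before the QNAME terminator")
        n = raw[i]
        i += 1
        if n == 0:
            break
        labels.append(raw[i:i + n].decode("ascii"))
        i += n
    return ".".join(labels)


def iptables_drop_rule(domain: str) -> str:
    """The full command in the form used in the thread, for the given domain."""
    return (f'iptables --insert INPUT -p udp --dport 53 -m u32 '
            f'--u32 "{u32_qname_match(domain)}" -j DROP')


if __name__ == "__main__":
    # The expression from the quoted message, reproduced here as input.
    quoted = ("0x28&0xFFDFDFDF=0x055a5a47 && 0x2c&0xDFDFFFDF=0x53540343 && "
              "0x30&0xDFDFFFFF=0x4f4d0000")
    print("quoted rule matches:", decode_u32_qname(quoted))
    print(iptables_drop_rule("example.com"))  # constructed sample domain
```

Because the offsets are absolute, the match silently misses packets whose IPv4 header carries options; the quoted rule has the same limitation. The decoder is the useful half when auditing a long blacklist of such rules: it tells you which name each opaque hex clause actually blocks.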