‐‐‐‐‐‐‐ Original Message ‐‐‐‐‐‐‐

On April 16, 2018 10:56 AM, Tom Eastep <teas...@shorewall.net> wrote:

> 
> On 04/16/2018 10:50 AM, colony.three--- via Shorewall-users wrote:
> 
> > ‐‐‐‐‐‐‐ Original Message ‐‐‐‐‐‐‐
> > 
> > On April 16, 2018 10:42 AM, Tom Eastep teas...@shorewall.net wrote:
> > 
> > > On 04/16/2018 10:24 AM, colony.three--- via Shorewall-users wrote:
> > > 
> > > > Anyone seen this?
> > > > 
> > > > Nov 29 01:42:29 Compiling MAC Filtration -- Phase 2...
> > > > 
> > > > Nov 29 01:42:29 Applying Policies...
> > > > 
> > > > Nov 29 01:42:29 Compiling /usr/share/shorewall/action.Broadcast for chain Broadcast...
> > > > 
> > > > Nov 29 01:42:29    ERROR: Invalid parameter (DROP),Multicast(DROP)
> > > > 
> > > > /usr/share/shorewall/action.Broadcast (line 1)
> > > > 
> > > > from  (line EOF)
> > > > 
> > > > shorewall version
> > > > =================
> > > > 
> > > > 5.0.15.6
> > > 
> > > Don't see why you would be getting that message on 5.0.15.6. What does
> > > your /usr/share/shorewall/action.Broadcast look like?
> 
> What is your setting of DROP_DEFAULT in shorewall.conf?
> 
> -Tom
> 


DROP_DEFAULT="Broadcast(DROP),Multicast(DROP)"

I didn't change it, but commenting it out does not help.  Same with the other 
settings which specify (DROP),Multicast(DROP).

I do have a restrictive sysctl, if that makes any difference.  It's working 
fine on all my other (CentOS7.4) machines. (attached)


#--------------------------------------------------
# Security

########## Kernel config START ##############

# Controls whether core dumps will append the PID to the core filename.
# Useful for debugging multi-threaded applications.
kernel.core_uses_pid = 1

# Kernel EXEC shield - for RedHat, CentOS, ...
#kernel.exec-shield = 1

# Make the addresses of mmap base, stack, heap and VDSO page randomized
kernel.randomize_va_space = 2

# Reboot the system 30 seconds after a kernel panic, and treat an oops as a panic (panic_on_oops is non-zero)
kernel.panic = 30
kernel.panic_on_oops = 30

# Disable magic-sysrq key
kernel.sysrq = 0

# No core dumps for SUID
fs.suid_dumpable = 0

# Set maximum amount of memory allocated to shm to 256MB
kernel.shmmax = 268435456

# Hide exposed kernel pointers regardless of privileges (2.6.38)
kernel.kptr_restrict = 2

# NULL pointer dereference protection: lowest virtual address a process may map
vm.mmap_min_addr = 4096

# Maximum number of file handles that the Linux kernel will allocate
fs.file-max = 65000

# Allow more PIDs
kernel.pid_max = 65536

########## Kernel config END ##############

########## IPv4 networking START ##############

# Increase the maximum amount of option memory buffers
net.core.optmem_max = 57344

# Controls IP packet forwarding
net.ipv4.ip_forward = 0

# Disable Proxy ARP
net.ipv4.proxy_arp = 0

# Decrease the time default value for tcp_fin_timeout connection
net.ipv4.tcp_fin_timeout = 15

# Decrease the time default value for tcp_keepalive_time connection
net.ipv4.tcp_keepalive_time = 1800

# Enable tcp_window_scaling
net.ipv4.tcp_window_scaling = 1

# Turn off the tcp_sack
net.ipv4.tcp_sack = 0

# Turn off the tcp_timestamps
net.ipv4.tcp_timestamps = 0

# Enable ignoring broadcasts request
net.ipv4.icmp_echo_ignore_broadcasts = 1

# Enable bad error message protection
net.ipv4.icmp_ignore_bogus_error_responses = 1

# Prevent SYN attack
net.ipv4.tcp_syncookies = 1
net.ipv4.tcp_max_syn_backlog = 4096
net.ipv4.tcp_syn_retries = 5
net.ipv4.tcp_synack_retries = 2

# Enable IP spoofing protection, turn on source route verification
net.ipv4.conf.all.rp_filter = 1
net.ipv4.conf.default.rp_filter = 1

# Log packets with impossible addresses to kernel
net.ipv4.conf.all.log_martians = 0
net.ipv4.conf.default.log_martians = 0

# Disable IP source routing
net.ipv4.conf.all.accept_source_route = 0
net.ipv4.conf.default.accept_source_route = 0
net.ipv4.conf.all.forwarding = 0
net.ipv4.conf.all.mc_forwarding = 0
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.all.secure_redirects = 0

# Buffer size autotuning: the buffer size (and TCP window size) is dynamically updated for each connection.
# This option is not present in kernels older than 2.4.27 or 2.6.7; update your kernel.
# In that case, tuning net.ipv4.tcp_wmem and net.ipv4.tcp_rmem isn't recommended.
net.ipv4.tcp_moderate_rcvbuf = 1

# Increase the tcp-time-wait buckets pool size
net.ipv4.tcp_max_tw_buckets = 1440000

# Increase allowed local port range
net.ipv4.ip_local_port_range = 1024 64000

# Increase the maximum memory used to reassemble IP fragments
net.ipv4.ipfrag_high_thresh = 512000
net.ipv4.ipfrag_low_thresh = 446464

########## IPv4 networking END ##############

########## IPv6 networking START ##############

net.ipv6.conf.all.disable_ipv6 = 1
net.ipv6.conf.default.disable_ipv6 = 1

# Controls IP packet forwarding
net.ipv6.ip_forward = 0

# This is not a router (RADVD), so accept router advertisements
#net.ipv6.conf.all.accept_ra=1

# Number of Router Solicitations to send until assuming no routers are present.
# This is host and not router
#net.ipv6.conf.default.router_solicitations = 0

# Accept Router Preference in RA?
#net.ipv6.conf.default.accept_ra_rtr_pref = 1

# Learn Prefix Information in Router Advertisement
#net.ipv6.conf.default.accept_ra_pinfo = 1

# Controls whether the system will accept Hop Limit settings from a router advertisement
#net.ipv6.conf.default.accept_ra_defrtr = 1

# Router advertisements can cause the system to assign a global unicast address to an interface
#net.ipv6.conf.default.autoconf = 0

# How many neighbor solicitations to send out per address?
#net.ipv6.conf.default.dad_transmits = 0

# How many global unicast IPv6 addresses can be assigned to each interface?
net.ipv6.conf.default.max_addresses = 1

########## IPv6 networking END ##############

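An added illustration, not Shorewall's code, and the thread itself does not establish the cause of the error: the text "Invalid parameter (DROP),Multicast(DROP)" is exactly what results when the DROP_DEFAULT value "Broadcast(DROP),Multicast(DROP)" is treated as one action name with a parameter tail instead of a comma-separated list of actions. The parser below splits on top-level commas only (so a parameter such as Limit(x,3,60) is not torn apart) and validates each parameter; the function names, the PARAM_RULES table and the assumed disposition set {ACCEPT, DROP, REJECT} are hypothetical, chosen for this example.

```python
import re

# Assumed for this example: Broadcast and Multicast take one disposition parameter.
PARAM_RULES: dict[str, set] = {"Broadcast": {"ACCEPT", "DROP", "REJECT"},
                               "Multicast": {"ACCEPT", "DROP", "REJECT"}}
ACTION_RE = re.compile(r"^([A-Za-z_]\w*)(?:\((.*)\))?$")

def split_top_level(value: str) -> list[str]:
    """Split on commas outside parentheses, so Foo(a,b),Bar yields two items."""
    items, cur, depth = [], [], 0
    for ch in value:
        if ch == "(":
            depth += 1
        elif ch == ")":
            depth -= 1
        if depth < 0:
            raise ValueError(f"unbalanced ')' in {value!r}")
        if ch == "," and depth == 0:
            items.append("".join(cur).strip())
            cur = []
        else:
            cur.append(ch)
    if depth:
        raise ValueError(f"unbalanced '(' in {value!r}")
    items.append("".join(cur).strip())
    return [i for i in items if i]

def parse_action_list(value: str) -> list[tuple[str, str]]:
    """'Broadcast(DROP),Multicast(DROP)' -> [('Broadcast', 'DROP'), ('Multicast', 'DROP')]."""
    parsed = []
    for item in split_top_level(value.strip().strip('"')):  # tolerate the quoted conf form
        m = ACTION_RE.match(item)
        if not m:
            raise ValueError(f"cannot parse action {item!r}")
        name, param = m.group(1), m.group(2) or ""
        allowed = PARAM_RULES.get(name)
        if allowed is not None and param not in allowed:
            raise ValueError(f"Invalid parameter ({param}) for {name}")
        parsed.append((name, param))
    return parsed

def parse_as_single_action(value: str) -> tuple[str, str]:
    """Naive variant: the whole value is one action name plus a parameter tail.
    Fed the thread's DROP_DEFAULT, it fails with the text seen in the log."""
    m = re.match(r"^([A-Za-z_]\w*)(.*)$", value)
    name, tail = m.group(1), m.group(2)
    param = tail[1:-1] if tail.startswith("(") and tail.endswith(")") else tail
    if param not in PARAM_RULES.get(name, set()):
        raise ValueError(f"Invalid parameter {tail}")
    return name, param
```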
_______________________________________________
Shorewall-users mailing list
Shorewall-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shorewall-users