On 5/23/11 6:34 PM, Tom Eastep wrote:
> On 5/23/11 6:24 PM, Mr Dash Four wrote:
>>
>>>> Yeah, it did. After further testing I found this:
>>>>
>>>> AllowICMPs(audit) does not produce any audit jumps, but still uses
>>>> ACCEPT statements. Similarly, DropUPnP(audit) just DROPs instead of
>>>> A_DROP. Same goes for DropDNS(audit) - DROP is the iptables statement
>>>> instead of A_DROP.
>>>>
>>>
>>> I didn't expect A_DROPs -- look at the generated rules again.
>>>
>> Do I look at the generated .start or somewhere else?
>
> Or start the thing and look at 'shorewall show'. You need to follow the
> rules to where your modified actions are invoked and then see what they
> invoke.

I did a simple test.
a) cp /usr/share/shorewall/action.Drop /etc/shorewall/
b) Changed 'dropBcast' to 'dropBcast(audit)' in /etc/shorewall/action.Drop
c) shorewall restart
Shorewall show includes:
root@gateway:/etc/shorewall# shorewall show Drop
Shorewall 4.4.20-Beta3 Chain Drop at gateway - Mon May 23 18:44:06 PDT 2011

Counters reset Mon May 23 18:41:19 PDT 2011

Chain Drop (6 references)
 pkts bytes target     prot opt in     out     source               destination
    2    96            all  --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 reject     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:113 /* Auth */
    2    96 %dropBcast all  --  *      *       0.0.0.0/0            0.0.0.0/0
----------
and this
root@gateway:/etc/shorewall# shorewall show %dropBcast
Shorewall 4.4.20-Beta3 Chain %dropBcast at gateway - Mon May 23 18:44:55 PDT 2011

Counters reset Mon May 23 18:41:19 PDT 2011

Chain %dropBcast (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 A_DROP     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ADDRTYPE match dst-type BROADCAST
    0     0 A_DROP     all  --  *      *       0.0.0.0/0            224.0.0.0/4
root@gateway:/etc/shorewall#
-Tom
--
Tom Eastep \ When I die, I want to go like my Grandfather who
Shoreline, \ died peacefully in his sleep. Not screaming like
Washington, USA \ all of the passengers in his car
http://shorewall.net \________________________________________________
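
Following the rules from a chain to what the invoked actions finally jump to, as an added example that is not part of the original message or of Shorewall: a Python walker over 'shorewall show' output. The sample is the two chains from the message retyped as constructed input; the function names and the IPv4 'opt' column check are assumptions of this example.

```python
import re

# Constructed sample: the two chains shown in the message above, in the
# column layout that 'shorewall show' (iptables -L -n -v) prints.
SAMPLE = """\
Chain Drop (6 references)
 pkts bytes target     prot opt in     out     source               destination
    2    96            all  --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 reject     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:113 /* Auth */
    2    96 %dropBcast all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain %dropBcast (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 A_DROP     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ADDRTYPE match dst-type BROADCAST
    0     0 A_DROP     all  --  *      *       0.0.0.0/0            224.0.0.0/4
"""

OPT_VALUES = {"--", "-f", "!f"}  # assumption: IPv4 listing, where 'opt' is one of these

def parse_chains(dump):
    """Return {chain: [target, ...]}; '' marks a rule with no target (count only)."""
    chains, current = {}, None
    for line in dump.splitlines():
        m = re.match(r"Chain (\S+) \(", line)
        if m:
            current = chains.setdefault(m.group(1), [])
            continue
        tok = line.split()
        if current is None or len(tok) < 4 or not tok[0][0].isdigit():
            continue  # banner, column header or blank line
        # With no target, the third field is already 'prot' and the fourth is 'opt'.
        current.append("" if tok[3] in OPT_VALUES else tok[2])
    return chains

def leaf_targets(chains, start, seen=None):
    """Follow jumps from `start`; return targets that are not chains in the dump."""
    seen = set() if seen is None else seen
    if start in seen:  # guard against chains that jump to each other
        return set()
    seen.add(start)
    leaves = set()
    for target in chains.get(start, []):
        if target in chains:
            leaves |= leaf_targets(chains, target, seen)
        elif target:
            leaves.add(target)
    return leaves

if __name__ == "__main__":
    print(sorted(leaf_targets(parse_chains(SAMPLE), "Drop")))
```

A chain that appears as a target but is not in the dump (here reject and A_DROP) is reported as a leaf; append its own 'shorewall show' output to the input to follow it further.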
_______________________________________________
Shorewall-devel mailing list
https://lists.sourceforge.net/lists/listinfo/shorewall-devel
