AndrzejL

Shorewall

Dec 9th, 2012
  1. [root@wishmacer andrzejl]# systemctl start shorewall.service
  2. [root@wishmacer andrzejl]# systemctl status shorewall.service
  3. shorewall.service - Shorewall IPv4 firewall
  4. Loaded: loaded (/usr/lib/systemd/system/shorewall.service; enabled)
  5. Active: active (exited) since Sun, 2012-12-09 16:17:50 GMT; 4s ago
  6. Process: 8206 ExecStop=/usr/sbin/shorewall $OPTIONS stop (code=exited, status=0/SUCCESS)
  7. Process: 8272 ExecStart=/usr/sbin/shorewall $OPTIONS start (code=exited, status=0/SUCCESS)
  8. CGroup: name=systemd:/system/shorewall.service
  9.  
  10. Dec 09 16:17:50 wishmacer.loc shorewall[8272]: Setting up Martian Logging...
  11. Dec 09 16:17:50 wishmacer.loc shorewall[8272]: Setting up Proxy ARP...
  12. Dec 09 16:17:50 wishmacer.loc shorewall[8272]: Preparing iptables-restore input...
  13. Dec 09 16:17:50 wishmacer.loc shorewall[8272]: Running /usr/sbin/iptables-restore...
  14. Dec 09 16:17:50 wishmacer.loc shorewall[8272]: IPv4 Forwarding Enabled
  15. Dec 09 16:17:50 wishmacer.loc shorewall[8272]: Processing /etc/shorewall/start ...
  16. Dec 09 16:17:50 wishmacer.loc shorewall[8272]: Processing /etc/shorewall/started ...
  17. Dec 09 16:17:50 wishmacer.loc logger[8566]: Shorewall started
  18. Dec 09 16:17:50 wishmacer.loc shorewall[8272]: done.
  19. Dec 09 16:17:50 wishmacer.loc systemd[1]: Started Shorewall IPv4 firewall.
  20. [root@wishmacer andrzejl]# shorewall show
  21. Shorewall 4.5.10 filter Table at wishmacer.loc - Sun 9 Dec 16:17:58 GMT 2012
  22.  
  23. Counters reset Sun Dec 9 16:17:50 GMT 2012
  24.  
  25. Chain INPUT (policy DROP 0 packets, 0 bytes)
  26. pkts bytes target prot opt in out source destination
  27. 853 37880 net2fw all -- eth0 * 0.0.0.0/0 0.0.0.0/0
  28. 0 0 ACCEPT all -- lo * 0.0.0.0/0 0.0.0.0/0
  29. 0 0 Reject all -- * * 0.0.0.0/0 0.0.0.0/0
  30. 0 0 LOG all -- * * 0.0.0.0/0 0.0.0.0/0 LOG flags 0 level 6 prefix "Shorewall:INPUT:REJECT:"
  31. 0 0 reject all -- * * 0.0.0.0/0 0.0.0.0/0 [goto]
  32.  
  33. Chain FORWARD (policy DROP 0 packets, 0 bytes)
  34. pkts bytes target prot opt in out source destination
  35. 0 0 Reject all -- * * 0.0.0.0/0 0.0.0.0/0
  36. 0 0 LOG all -- * * 0.0.0.0/0 0.0.0.0/0 LOG flags 0 level 6 prefix "Shorewall:FORWARD:REJECT:"
  37. 0 0 reject all -- * * 0.0.0.0/0 0.0.0.0/0 [goto]
  38.  
  39. Chain OUTPUT (policy DROP 0 packets, 0 bytes)
  40. pkts bytes target prot opt in out source destination
  41. 3 152 fw2net all -- * eth0 0.0.0.0/0 0.0.0.0/0
  42. 0 0 ACCEPT all -- * lo 0.0.0.0/0 0.0.0.0/0
  43. 0 0 Reject all -- * * 0.0.0.0/0 0.0.0.0/0
  44. 0 0 LOG all -- * * 0.0.0.0/0 0.0.0.0/0 LOG flags 0 level 6 prefix "Shorewall:OUTPUT:REJECT:"
  45. 0 0 reject all -- * * 0.0.0.0/0 0.0.0.0/0 [goto]
  46.  
  47. Chain Broadcast (2 references)
  48. pkts bytes target prot opt in out source destination
  49. 0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0 ADDRTYPE match dst-type BROADCAST
  50. 0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0 ADDRTYPE match dst-type MULTICAST
  51. 0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0 ADDRTYPE match dst-type ANYCAST
  52. 0 0 DROP all -- * * 0.0.0.0/0 224.0.0.0/4
  53.  
  54. Chain Drop (1 references)
  55. pkts bytes target prot opt in out source destination
  56. 850 37400 all -- * * 0.0.0.0/0 0.0.0.0/0
  57. 0 0 reject tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:113 /* Auth */
  58. 850 37400 Broadcast all -- * * 0.0.0.0/0 0.0.0.0/0
  59. 0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 icmptype 3 code 4 /* Needed ICMP types */
  60. 0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 icmptype 11 /* Needed ICMP types */
  61. 850 37400 Invalid all -- * * 0.0.0.0/0 0.0.0.0/0
  62. 0 0 DROP udp -- * * 0.0.0.0/0 0.0.0.0/0 multiport dports 135,445 /* SMB */
  63. 0 0 DROP udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpts:137:139 /* SMB */
  64. 0 0 DROP udp -- * * 0.0.0.0/0 0.0.0.0/0 udp spt:137 dpts:1024:65535 /* SMB */
  65. 0 0 DROP tcp -- * * 0.0.0.0/0 0.0.0.0/0 multiport dports 135,139,445 /* SMB */
  66. 0 0 DROP udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:1900 /* UPnP */
  67. 850 37400 NotSyn tcp -- * * 0.0.0.0/0 0.0.0.0/0
  68. 0 0 DROP udp -- * * 0.0.0.0/0 0.0.0.0/0 udp spt:53 /* Late DNS Replies */
  69.  
  70. Chain Invalid (2 references)
  71. pkts bytes target prot opt in out source destination
  72. 0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0 ctstate INVALID
  73.  
  74. Chain NotSyn (2 references)
  75. pkts bytes target prot opt in out source destination
  76. 0 0 DROP tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp flags:!0x17/0x02
  77.  
  78. Chain Reject (3 references)
  79. pkts bytes target prot opt in out source destination
  80. 0 0 all -- * * 0.0.0.0/0 0.0.0.0/0
  81. 0 0 reject tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:113 /* Auth */
  82. 0 0 Broadcast all -- * * 0.0.0.0/0 0.0.0.0/0
  83. 0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 icmptype 3 code 4 /* Needed ICMP types */
  84. 0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 icmptype 11 /* Needed ICMP types */
  85. 0 0 Invalid all -- * * 0.0.0.0/0 0.0.0.0/0
  86. 0 0 reject udp -- * * 0.0.0.0/0 0.0.0.0/0 multiport dports 135,445 /* SMB */
  87. 0 0 reject udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpts:137:139 /* SMB */
  88. 0 0 reject udp -- * * 0.0.0.0/0 0.0.0.0/0 udp spt:137 dpts:1024:65535 /* SMB */
  89. 0 0 reject tcp -- * * 0.0.0.0/0 0.0.0.0/0 multiport dports 135,139,445 /* SMB */
  90. 0 0 DROP udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:1900 /* UPnP */
  91. 0 0 NotSyn tcp -- * * 0.0.0.0/0 0.0.0.0/0
  92. 0 0 DROP udp -- * * 0.0.0.0/0 0.0.0.0/0 udp spt:53 /* Late DNS Replies */
  93.  
  94. Chain dynamic (1 references)
  95. pkts bytes target prot opt in out source destination
  96.  
  97. Chain fw2net (1 references)
  98. pkts bytes target prot opt in out source destination
  99. 3 152 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 ctstate RELATED,ESTABLISHED
  100. 0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0
  101.  
  102. Chain logdrop (0 references)
  103. pkts bytes target prot opt in out source destination
  104. 0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0
  105.  
  106. Chain logreject (0 references)
  107. pkts bytes target prot opt in out source destination
  108. 0 0 reject all -- * * 0.0.0.0/0 0.0.0.0/0
  109.  
  110. Chain net2fw (1 references)
  111. pkts bytes target prot opt in out source destination
  112. 850 37400 dynamic all -- * * 0.0.0.0/0 0.0.0.0/0 ctstate INVALID,NEW,UNTRACKED
  113. 3 480 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 ctstate RELATED,ESTABLISHED
  114. 0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:50505
  115. 0 0 DROP tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:113
  116. 850 37400 Drop all -- * * 0.0.0.0/0 0.0.0.0/0
  117. 850 37400 LOG all -- * * 0.0.0.0/0 0.0.0.0/0 LOG flags 0 level 6 prefix "Shorewall:net2fw:DROP:"
  118. 850 37400 DROP all -- * * 0.0.0.0/0 0.0.0.0/0
  119.  
  120. Chain reject (10 references)
  121. pkts bytes target prot opt in out source destination
  122. 0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0 ADDRTYPE match src-type BROADCAST
  123. 0 0 DROP all -- * * 224.0.0.0/4 0.0.0.0/0
  124. 0 0 DROP 2 -- * * 0.0.0.0/0 0.0.0.0/0
  125. 0 0 REJECT tcp -- * * 0.0.0.0/0 0.0.0.0/0 reject-with tcp-reset
  126. 0 0 REJECT udp -- * * 0.0.0.0/0 0.0.0.0/0 reject-with icmp-port-unreachable
  127. 0 0 REJECT icmp -- * * 0.0.0.0/0 0.0.0.0/0 reject-with icmp-host-unreachable
  128. 0 0 REJECT all -- * * 0.0.0.0/0 0.0.0.0/0 reject-with icmp-host-prohibited
  129.  
  130. Chain sfilter (0 references)
  131. pkts bytes target prot opt in out source destination
  132. 0 0 LOG all -- * * 0.0.0.0/0 0.0.0.0/0 LOG flags 0 level 6 prefix "Shorewall:sfilter:DROP:"
  133. 0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0
  134.  
  135. Chain shorewall (0 references)
  136. pkts bytes target prot opt in out source destination
  137. [root@wishmacer andrzejl]# iptables-save
  138. # Generated by iptables-save v1.4.16.2 on Sun Dec 9 16:18:05 2012
  139. *raw
  140. :PREROUTING ACCEPT [1534:67960]
  141. :OUTPUT ACCEPT [3:152]
  142. -A PREROUTING -p udp -m udp --dport 10080 -j CT --helper amanda
  143. -A PREROUTING -p tcp -m tcp --dport 21 -j CT --helper ftp
  144. -A PREROUTING -p tcp -m tcp --dport 6667 -j CT --helper irc
  145. -A PREROUTING -p udp -m udp --dport 137 -j CT --helper netbios-ns
  146. -A PREROUTING -p tcp -m tcp --dport 1723 -j CT --helper pptp
  147. -A PREROUTING -p tcp -m tcp --dport 6566 -j CT --helper sane
  148. -A PREROUTING -p udp -m udp --dport 5060 -j CT --helper sip
  149. -A PREROUTING -p udp -m udp --dport 161 -j CT --helper snmp
  150. -A PREROUTING -p udp -m udp --dport 69 -j CT --helper tftp
  151. -A OUTPUT -p udp -m udp --dport 10080 -j CT --helper amanda
  152. -A OUTPUT -p tcp -m tcp --dport 21 -j CT --helper ftp
  153. -A OUTPUT -p tcp -m tcp --dport 6667 -j CT --helper irc
  154. -A OUTPUT -p udp -m udp --dport 137 -j CT --helper netbios-ns
  155. -A OUTPUT -p tcp -m tcp --dport 1723 -j CT --helper pptp
  156. -A OUTPUT -p tcp -m tcp --dport 6566 -j CT --helper sane
  157. -A OUTPUT -p udp -m udp --dport 5060 -j CT --helper sip
  158. -A OUTPUT -p udp -m udp --dport 161 -j CT --helper snmp
  159. -A OUTPUT -p udp -m udp --dport 69 -j CT --helper tftp
  160. COMMIT
  161. # Completed on Sun Dec 9 16:18:05 2012
  162. # Generated by iptables-save v1.4.16.2 on Sun Dec 9 16:18:05 2012
  163. *nat
  164. :PREROUTING ACCEPT [1531:67480]
  165. :INPUT ACCEPT [0:0]
  166. :OUTPUT ACCEPT [0:0]
  167. :POSTROUTING ACCEPT [0:0]
  168. COMMIT
  169. # Completed on Sun Dec 9 16:18:05 2012
  170. # Generated by iptables-save v1.4.16.2 on Sun Dec 9 16:18:05 2012
  171. *mangle
  172. :PREROUTING ACCEPT [1534:67960]
  173. :INPUT ACCEPT [1534:67960]
  174. :FORWARD ACCEPT [0:0]
  175. :OUTPUT ACCEPT [3:152]
  176. :POSTROUTING ACCEPT [3:152]
  177. :tcfor - [0:0]
  178. :tcin - [0:0]
  179. :tcout - [0:0]
  180. :tcpost - [0:0]
  181. :tcpre - [0:0]
  182. -A PREROUTING -j tcpre
  183. -A INPUT -j tcin
  184. -A FORWARD -j MARK --set-xmark 0x0/0xff
  185. -A FORWARD -j tcfor
  186. -A OUTPUT -j tcout
  187. -A POSTROUTING -j tcpost
  188. COMMIT
  189. # Completed on Sun Dec 9 16:18:05 2012
  190. # Generated by iptables-save v1.4.16.2 on Sun Dec 9 16:18:05 2012
  191. *filter
  192. :INPUT DROP [0:0]
  193. :FORWARD DROP [0:0]
  194. :OUTPUT DROP [0:0]
  195. :Broadcast - [0:0]
  196. :Drop - [0:0]
  197. :Invalid - [0:0]
  198. :NotSyn - [0:0]
  199. :Reject - [0:0]
  200. :dynamic - [0:0]
  201. :fw2net - [0:0]
  202. :logdrop - [0:0]
  203. :logreject - [0:0]
  204. :net2fw - [0:0]
  205. :reject - [0:0]
  206. :sfilter - [0:0]
  207. :shorewall - [0:0]
  208. -A INPUT -i eth0 -j net2fw
  209. -A INPUT -i lo -j ACCEPT
  210. -A INPUT -j Reject
  211. -A INPUT -j LOG --log-prefix "Shorewall:INPUT:REJECT:" --log-level 6
  212. -A INPUT -g reject
  213. -A FORWARD -j Reject
  214. -A FORWARD -j LOG --log-prefix "Shorewall:FORWARD:REJECT:" --log-level 6
  215. -A FORWARD -g reject
  216. -A OUTPUT -o eth0 -j fw2net
  217. -A OUTPUT -o lo -j ACCEPT
  218. -A OUTPUT -j Reject
  219. -A OUTPUT -j LOG --log-prefix "Shorewall:OUTPUT:REJECT:" --log-level 6
  220. -A OUTPUT -g reject
  221. -A Broadcast -m addrtype --dst-type BROADCAST -j DROP
  222. -A Broadcast -m addrtype --dst-type MULTICAST -j DROP
  223. -A Broadcast -m addrtype --dst-type ANYCAST -j DROP
  224. -A Broadcast -d 224.0.0.0/4 -j DROP
  225. -A Drop
  226. -A Drop -p tcp -m tcp --dport 113 -m comment --comment Auth -j reject
  227. -A Drop -j Broadcast
  228. -A Drop -p icmp -m icmp --icmp-type 3/4 -m comment --comment "Needed ICMP types" -j ACCEPT
  229. -A Drop -p icmp -m icmp --icmp-type 11 -m comment --comment "Needed ICMP types" -j ACCEPT
  230. -A Drop -j Invalid
  231. -A Drop -p udp -m multiport --dports 135,445 -m comment --comment SMB -j DROP
  232. -A Drop -p udp -m udp --dport 137:139 -m comment --comment SMB -j DROP
  233. -A Drop -p udp -m udp --sport 137 --dport 1024:65535 -m comment --comment SMB -j DROP
  234. -A Drop -p tcp -m multiport --dports 135,139,445 -m comment --comment SMB -j DROP
  235. -A Drop -p udp -m udp --dport 1900 -m comment --comment UPnP -j DROP
  236. -A Drop -p tcp -j NotSyn
  237. -A Drop -p udp -m udp --sport 53 -m comment --comment "Late DNS Replies" -j DROP
  238. -A Invalid -m conntrack --ctstate INVALID -j DROP
  239. -A NotSyn -p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -j DROP
  240. -A Reject
  241. -A Reject -p tcp -m tcp --dport 113 -m comment --comment Auth -j reject
  242. -A Reject -j Broadcast
  243. -A Reject -p icmp -m icmp --icmp-type 3/4 -m comment --comment "Needed ICMP types" -j ACCEPT
  244. -A Reject -p icmp -m icmp --icmp-type 11 -m comment --comment "Needed ICMP types" -j ACCEPT
  245. -A Reject -j Invalid
  246. -A Reject -p udp -m multiport --dports 135,445 -m comment --comment SMB -j reject
  247. -A Reject -p udp -m udp --dport 137:139 -m comment --comment SMB -j reject
  248. -A Reject -p udp -m udp --sport 137 --dport 1024:65535 -m comment --comment SMB -j reject
  249. -A Reject -p tcp -m multiport --dports 135,139,445 -m comment --comment SMB -j reject
  250. -A Reject -p udp -m udp --dport 1900 -m comment --comment UPnP -j DROP
  251. -A Reject -p tcp -j NotSyn
  252. -A Reject -p udp -m udp --sport 53 -m comment --comment "Late DNS Replies" -j DROP
  253. -A fw2net -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
  254. -A fw2net -j ACCEPT
  255. -A logdrop -j DROP
  256. -A logreject -j reject
  257. -A net2fw -m conntrack --ctstate INVALID,NEW,UNTRACKED -j dynamic
  258. -A net2fw -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
  259. -A net2fw -p tcp -m tcp --dport 50505 -j ACCEPT
  260. -A net2fw -p tcp -m tcp --dport 113 -j DROP
  261. -A net2fw -j Drop
  262. -A net2fw -j LOG --log-prefix "Shorewall:net2fw:DROP:" --log-level 6
  263. -A net2fw -j DROP
  264. -A reject -m addrtype --src-type BROADCAST -j DROP
  265. -A reject -s 224.0.0.0/4 -j DROP
  266. -A reject -p igmp -j DROP
  267. -A reject -p tcp -j REJECT --reject-with tcp-reset
  268. -A reject -p udp -j REJECT --reject-with icmp-port-unreachable
  269. -A reject -p icmp -j REJECT --reject-with icmp-host-unreachable
  270. -A reject -j REJECT --reject-with icmp-host-prohibited
  271. -A sfilter -j LOG --log-prefix "Shorewall:sfilter:DROP:" --log-level 6
  272. -A sfilter -j DROP
  273. COMMIT
  274. # Completed on Sun Dec 9 16:18:05 2012
  275. [root@wishmacer andrzejl]# iptables --list
  276. Chain INPUT (policy DROP)
  277. target prot opt source destination
  278. net2fw all -- anywhere anywhere
  279. ACCEPT all -- anywhere anywhere
  280. Reject all -- anywhere anywhere
  281. LOG all -- anywhere anywhere LOG level info prefix "Shorewall:INPUT:REJECT:"
  282. reject all -- anywhere anywhere [goto]
  283.  
  284. Chain FORWARD (policy DROP)
  285. target prot opt source destination
  286. Reject all -- anywhere anywhere
  287. LOG all -- anywhere anywhere LOG level info prefix "Shorewall:FORWARD:REJECT:"
  288. reject all -- anywhere anywhere [goto]
  289.  
  290. Chain OUTPUT (policy DROP)
  291. target prot opt source destination
  292. fw2net all -- anywhere anywhere
  293. ACCEPT all -- anywhere anywhere
  294. Reject all -- anywhere anywhere
  295. LOG all -- anywhere anywhere LOG level info prefix "Shorewall:OUTPUT:REJECT:"
  296. reject all -- anywhere anywhere [goto]
  297.  
  298. Chain Broadcast (2 references)
  299. target prot opt source destination
  300. DROP all -- anywhere anywhere ADDRTYPE match dst-type BROADCAST
  301. DROP all -- anywhere anywhere ADDRTYPE match dst-type MULTICAST
  302. DROP all -- anywhere anywhere ADDRTYPE match dst-type ANYCAST
  303. DROP all -- anywhere base-address.mcast.net/4
  304.  
  305. Chain Drop (1 references)
  306. target prot opt source destination
  307. all -- anywhere anywhere
  308. reject tcp -- anywhere anywhere tcp dpt:ident /* Auth */
  309. Broadcast all -- anywhere anywhere
  310. ACCEPT icmp -- anywhere anywhere icmp fragmentation-needed /* Needed ICMP types */
  311. ACCEPT icmp -- anywhere anywhere icmp time-exceeded /* Needed ICMP types */
  312. Invalid all -- anywhere anywhere
  313. DROP udp -- anywhere anywhere multiport dports epmap,microsoft-ds /* SMB */
  314. DROP udp -- anywhere anywhere udp dpts:netbios-ns:netbios-ssn /* SMB */
  315. DROP udp -- anywhere anywhere udp spt:netbios-ns dpts:1024:65535 /* SMB */
  316. DROP tcp -- anywhere anywhere multiport dports epmap,netbios-ssn,microsoft-ds /* SMB */
  317. DROP udp -- anywhere anywhere udp dpt:ssdp /* UPnP */
  318. NotSyn tcp -- anywhere anywhere
  319. DROP udp -- anywhere anywhere udp spt:domain /* Late DNS Replies */
  320.  
  321. Chain Invalid (2 references)
  322. target prot opt source destination
  323. DROP all -- anywhere anywhere ctstate INVALID
  324.  
  325. Chain NotSyn (2 references)
  326. target prot opt source destination
  327. DROP tcp -- anywhere anywhere tcp flags:!FIN,SYN,RST,ACK/SYN
  328.  
  329. Chain Reject (3 references)
  330. target prot opt source destination
  331. all -- anywhere anywhere
  332. reject tcp -- anywhere anywhere tcp dpt:ident /* Auth */
  333. Broadcast all -- anywhere anywhere
  334. ACCEPT icmp -- anywhere anywhere icmp fragmentation-needed /* Needed ICMP types */
  335. ACCEPT icmp -- anywhere anywhere icmp time-exceeded /* Needed ICMP types */
  336. Invalid all -- anywhere anywhere
  337. reject udp -- anywhere anywhere multiport dports epmap,microsoft-ds /* SMB */
  338. reject udp -- anywhere anywhere udp dpts:netbios-ns:netbios-ssn /* SMB */
  339. reject udp -- anywhere anywhere udp spt:netbios-ns dpts:1024:65535 /* SMB */
  340. reject tcp -- anywhere anywhere multiport dports epmap,netbios-ssn,microsoft-ds /* SMB */
  341. DROP udp -- anywhere anywhere udp dpt:ssdp /* UPnP */
  342. NotSyn tcp -- anywhere anywhere
  343. DROP udp -- anywhere anywhere udp spt:domain /* Late DNS Replies */
  344.  
  345. Chain dynamic (1 references)
  346. target prot opt source destination
  347.  
  348. Chain fw2net (1 references)
  349. target prot opt source destination
  350. ACCEPT all -- anywhere anywhere ctstate RELATED,ESTABLISHED
  351. ACCEPT all -- anywhere anywhere
  352.  
  353. Chain logdrop (0 references)
  354. target prot opt source destination
  355. DROP all -- anywhere anywhere
  356.  
  357. Chain logreject (0 references)
  358. target prot opt source destination
  359. reject all -- anywhere anywhere
  360.  
  361. Chain net2fw (1 references)
  362. target prot opt source destination
  363. dynamic all -- anywhere anywhere ctstate INVALID,NEW,UNTRACKED
  364. ACCEPT all -- anywhere anywhere ctstate RELATED,ESTABLISHED
  365. ACCEPT tcp -- anywhere anywhere tcp dpt:50505
  366. DROP tcp -- anywhere anywhere tcp dpt:ident
  367. Drop all -- anywhere anywhere
  368. LOG all -- anywhere anywhere LOG level info prefix "Shorewall:net2fw:DROP:"
  369. DROP all -- anywhere anywhere
  370.  
  371. Chain reject (10 references)
  372. target prot opt source destination
  373. DROP all -- anywhere anywhere ADDRTYPE match src-type BROADCAST
  374. DROP all -- base-address.mcast.net/4 anywhere
  375. DROP igmp -- anywhere anywhere
  376. REJECT tcp -- anywhere anywhere reject-with tcp-reset
  377. REJECT udp -- anywhere anywhere reject-with icmp-port-unreachable
  378. REJECT icmp -- anywhere anywhere reject-with icmp-host-unreachable
  379. REJECT all -- anywhere anywhere reject-with icmp-host-prohibited
  380.  
  381. Chain sfilter (0 references)
  382. target prot opt source destination
  383. LOG all -- anywhere anywhere LOG level info prefix "Shorewall:sfilter:DROP:"
  384. DROP all -- anywhere anywhere
  385.  
  386. Chain shorewall (0 references)
  387. target prot opt source destination
  388. [root@wishmacer andrzejl]#