‐‐‐‐‐‐‐ Original Message ‐‐‐‐‐‐‐
On April 16, 2018 10:56 AM, Tom Eastep <teas...@shorewall.net> wrote:
>
>
> On 04/16/2018 10:50 AM, colony.three--- via Shorewall-users wrote:
>
> > ‐‐‐‐‐‐‐ Original Message ‐‐‐‐‐‐‐
> >
> > On April 16, 2018 10:42 AM, Tom Eastep teas...@shorewall.net wrote:
> >
> > > On 04/16/2018 10:24 AM, colony.three--- via Shorewall-users wrote:
> > >
> > > > Anyone seen this?
> > > >
> > > > Nov 29 01:42:29 Compiling MAC Filtration -- Phase 2...
> > > >
> > > > Nov 29 01:42:29 Applying Policies...
> > > >
> > > > Nov 29 01:42:29 Compiling /usr/share/shorewall/action.Broadcast for
> > > >
> > > > chain Broadcast...
> > > >
> > > > Nov 29 01:42:29 ERROR: Invalid parameter (DROP),Multicast(DROP)
> > > >
> > > > /usr/share/shorewall/action.Broadcast (line 1)
> > > >
> > > > from (line EOF)
> > > >
> > > > shorewall version
> > > > =================
> > > >
> > > > 5.0.15.6
> > >
> > > Don't see why you would be getting that message on 5.0.15.6. What does
> > >
> > > your /usr/share/shorewall/action.Broadcast look like?
>
> What is your setting of DROP_DEFAULT in shorewall.conf?
>
> -Tom
>
DROP_DEFAULT="Broadcast(DROP),Multicast(DROP)"
I didn't change it, but commenting it out does not help. Same with the other
settings which specify (DROP),Multicast(DROP).
I do have a restrictive sysctl, if that makes any difference. It's working
fine on all my other (CentOS7.4) machines. (attached)
#--------------------------------------------------
# Security
########## Kernel config START ##############
# Controls whether core dumps will append the PID to the core filename.
# Useful for debugging multi-threaded applications.
kernel.core_uses_pid = 1
# Kernel EXEC shield - for RedHat, CentOS, ...
#kernel.exec-shield = 1
# Make the addresses of mmap base, stack, heap and VDSO page randomized
kernel.randomize_va_space = 2
# Reboot system when kernel panic occur, oops will wait 30 seconds until call
panic()
kernel.panic = 30
kernel.panic_on_oops = 30
# Disable magic-sysrq key
kernel.sysrq = 0
# No core dumps for SUID
fs.suid_dumpable = 0
# Set maximum amount of memory allocated to shm to 256MB
kernel.shmmax = 268435456
# Hide exposed kernel pointers regardless of privileges (2.6.38)
kernel.kptr_restrict = 2
# NULL pointer dereference, lowest virtual address which process can use for
mapping
vm.mmap_min_addr = 4096
# Maximum number of file handles that the Linux kernel will allocate
fs.file-max = 65000
# Allow more PIDs
kernel.pid_max = 65536
########## Kernel config END ##############
########## IPv4 networking START ##############
# Increase the maximum amount of option memory buffers
net.core.optmem_max = 57344
# Controls IP packet forwarding
net.ipv4.ip_forward = 0
# Disable Proxy ARP
net.ipv4.proxy_arp = 0
# Decrease the time default value for tcp_fin_timeout connection
net.ipv4.tcp_fin_timeout = 15
# Decrease the time default value for tcp_keepalive_time connection
net.ipv4.tcp_keepalive_time = 1800
# Enable tcp_window_scaling
net.ipv4.tcp_window_scaling = 1
# Turn off the tcp_sack
net.ipv4.tcp_sack = 0
# Turn off the tcp_timestamps
net.ipv4.tcp_timestamps = 0
# Enable ignoring broadcasts request
net.ipv4.icmp_echo_ignore_broadcasts = 1
# Enable bad error message protection
net.ipv4.icmp_ignore_bogus_error_responses = 1
# Prevent SYN attack
net.ipv4.tcp_syncookies = 1
net.ipv4.tcp_max_syn_backlog = 4096
net.ipv4.tcp_syn_retries = 5
net.ipv4.tcp_synack_retries = 2
# Enable IP spoofing protection, turn on source route verification
net.ipv4.conf.all.rp_filter = 1
net.ipv4.conf.default.rp_filter = 1
# Log packets with impossible addresses to kernel
net.ipv4.conf.all.log_martians = 0
net.ipv4.conf.default.log_martians = 0
# Disable IP source routing
net.ipv4.conf.all.accept_source_route = 0
net.ipv4.conf.default.accept_source_route = 0
net.ipv4.conf.all.forwarding=0
net.ipv4.conf.all.mc_forwarding=0
net.ipv4.conf.all.accept_redirects=0
net.ipv4.conf.all.secure_redirects=0
# Buffer size autotuning - buffer size (and tcp window size) is dynamically
updated for each connection.
# This option is not present in kernels older then 2.4.27 or 2.6.7 - update
your kernel
# In that case tuning options net.ipv4.tcp_wmem and net.ipv4.tcp_rmem isnt
recommended
net.ipv4.tcp_moderate_rcvbuf = 1
# Increase the tcp-time-wait buckets pool size
net.ipv4.tcp_max_tw_buckets = 1440000
# Increase allowed local port range
net.ipv4.ip_local_port_range = 1024 64000
# Increase the maximum memory used to reassemble IP fragments
net.ipv4.ipfrag_high_thresh = 512000
net.ipv4.ipfrag_low_thresh = 446464
########## IPv4 networking END ##############
########## IPv6 networking START ##############
net.ipv6.conf.all.disable_ipv6 = 1
net.ipv6.conf.default.disable_ipv6 = 1
# Controls IP packet forwarding
net.ipv6.ip_forward = 0
# This is not a router (RADVD) so accept ads
#net.ipv6.conf.all.accept_ra=1
# Number of Router Solicitations to send until assuming no routers are present.
# This is host and not router
#net.ipv6.conf.default.router_solicitations = 0
# Accept Router Preference in RA?
#net.ipv6.conf.default.accept_ra_rtr_pref = 1
# Learn Prefix Information in Router Advertisement
#net.ipv6.conf.default.accept_ra_pinfo = 1
# Setting controls whether the system will accept Hop Limit settings from a
router advertisement
#net.ipv6.conf.default.accept_ra_defrtr = 1
# Router advertisements can cause the system to assign a global unicast address
to an interface
#net.ipv6.conf.default.autoconf = 0
# How many neighbor solicitations to send out per address?
#net.ipv6.conf.default.dad_transmits = 0
# How many global unicast IPv6 addresses can be assigned to each interface?
net.ipv6.conf.default.max_addresses = 1
########## IPv6 networking END ##############
------------------------------------------------------------------------------
Check out the vibrant tech community on one of the world's most
engaging tech sites, Slashdot.org! http://sdm.link/slashdot
_______________________________________________
Shorewall-users mailing list
Shorewall-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shorewall-users
