File: action.Reject

package info (click to toggle)
shorewall 5.0.15.6-1
  • links: PTS, VCS
  • area: main
  • in suites: stretch
  • size: 4,716 kB
  • ctags: 961
  • sloc: perl: 26,144; sh: 2,043; makefile: 50
file content (83 lines) | stat: -rw-r--r-- 2,333 bytes parent folder | download 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
 
#
# Shorewall -- /usr/share/shorewall/action.Reject
#
# The default REJECT action common rules
#
# This action is invoked before a REJECT policy is enforced. The purpose
# of the action is:
#
# a) Avoid logging lots of useless cruft.
# b) Ensure that certain ICMP packets that are necessary for successful
#    internet operation are always ACCEPTed.
#
# The action accepts six optional parameters:
#
# 1 - 'audit' or '-'. Default is '-' which means don't audit in builtin
#     actions.
# 2 - Action to take with Auth requests. Default is to do nothing
#     special with them.
# 3 - Action to take with SMB requests. Default is REJECT or A_REJECT,
#     depending on the setting of the first parameter.
# 4 - Action to take with required ICMP packets. Default is ACCEPT or
#     A_ACCEPT depending on the first parameter.
# 5 - Action to take with late UDP replies (UDP source port 53). Default
#     is DROP or A_DROP depending on the first parameter.
# 6 - Action to take with UPnP packets. Default is DROP or A_DROP
#     depending on the first parameter.
#
# IF YOU ARE HAVING CONNECTION PROBLEMS, CHANGING THIS FILE WON'T HELP!!!!!!!!!
###############################################################################

?if passed(@1)
    ?if @1 eq 'audit'
DEFAULTS -,-,A_REJECT,A_ACCEPT,A_DROP,A_DROP
    ?else
	?error The first parameter to Reject must be 'audit' or '-'
    ?endif
?else
DEFAULTS -,-,REJECT,ACCEPT,DROP,DROP
?endif

#ACTION		SOURCE	DEST	PROTO
#
# Count packets that come through here
#
COUNT
#
# Special handling for Auth
#
?if passed(@2)
Auth(@2)
?endif
#
# ACCEPT critical ICMP types
#
# For IPv6 connectivity ipv6-icmp broadcasting is required so
# AllowICMPs must be before silent broadcast Drop.
#
AllowICMPs(@4)	-	-	icmp
#
# Drop Broadcasts so they don't clutter up the log
# (broadcasts must *not* be rejected).
#
Broadcast(DROP,@1)
#
# Drop packets that are in the INVALID state -- these are usually ICMP packets
# and just confuse people when they appear in the log (these ICMPs cannot be
# rejected).
#
Invalid(DROP,@1)
#
# Reject Microsoft noise so that it doesn't clutter up the log.
#
SMB(@3)
DropUPnP(@6)
#
# Drop 'newnotsyn' traffic so that it doesn't get logged.
#
NotSyn(DROP,@1)	-	-	tcp
#
# Drop late-arriving DNS replies. These are just a nuisance and clutter up
# the log.
#
DropDNSrep(@5)