File: action.Drop

package info (click to toggle)
shorewall6 4.6.4.3-1
  • links: PTS, VCS
  • area: main
  • in suites: jessie, jessie-kfreebsd
  • size: 2,504 kB
  • ctags: 53
  • sloc: sh: 1,768; perl: 126; makefile: 57
file content (92 lines) | stat: -rw-r--r-- 2,681 bytes parent folder | download 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
 
#
# Shorewall6 version 4 - Drop Action
#
# /usr/share/shorewall6/action.Drop
#
#	The default DROP common rules
#
#	This action is invoked before a DROP policy is enforced. The purpose
#	of the action is:
#
#	a) Avoid logging lots of useless cruft.
#	b) Ensure that 'auth' requests are rejected, even if the policy is
#	   DROP. Otherwise, you may experience problems establishing
#	   connections with servers that use auth.
#	c) Ensure that certain ICMP packets that are necessary for successful
#	   internet operation are always ACCEPTed.
#
#  The action accepts five optional parameters:
#
#	1 - 'audit' or '-'. Default is '-' which means don't audit in builtin
#           actions.
#       2 - Action to take with Auth requests. Default is REJECT or A_REJECT,
#           depending on the setting of the first parameter.
#	3 - Action to take with SMB requests. Default is DROP or A_DROP,
#           depending on the setting of the first parameter.
#       4 - Action to take with required ICMP packets. Default is ACCEPT or
#           A_ACCEPT depending on the first parameter.
#       5 - Action to take with late UDP replies (UDP source port 53). Default
#           is DROP or A_DROP depending on the first parameter.
#
# IF YOU ARE HAVING CONNECTION PROBLEMS, CHANGING THIS FILE WON'T HELP!!!!!!!!!
#
###############################################################################
?format 2
#
# The following magic provides different defaults for $2 thru $5, when $1 is
# 'audit'.
#
?begin perl;
use Shorewall::Config;

my ( $p1, $p2, $p3 , $p4, $p5 ) = get_action_params( 5 );

if ( defined $p1 ) {
    if ( $p1 eq 'audit' ) {
	set_action_param( 2, 'A_REJECT')   unless supplied $p2;
	set_action_param( 3, 'A_DROP')     unless supplied $p3;
	set_action_param( 4, 'A_ACCEPT' )  unless supplied $p4;
	set_action_param( 5, 'A_DROP' )    unless supplied $p5;
    } else {
	fatal_error "Invalid value ($p1) for first Drop parameter" if supplied $p1;
    }
}

1;

?end perl;

DEFAULTS -,REJECT,DROP,ACCEPT,DROP

#TARGET		SOURCE	DEST	PROTO	DPORT	SPORT
#
# Reject 'auth'
#
Auth($2)
#
# ACCEPT critical ICMP types
#
AllowICMPs($4)	-	-	ipv6-icmp
#
# Drop Broadcasts so they don't clutter up the log
# (broadcasts must *not* be rejected).
#
Broadcast(DROP,$1)
#
# Drop packets that are in the INVALID state -- these are usually ICMP packets
# and just confuse people when they appear in the log.
#
Invalid(DROP,$1)
#
# Drop Microsoft noise so that it doesn't clutter up the log.
#
SMB($3)
#
# Drop 'newnotsyn' traffic so that it doesn't get logged.
#
NotSyn(DROP,$1)	-	-	tcp
#
# Drop late-arriving DNS replies. These are just a nuisance and clutter up
# the log.
#
DropDNSrep($5)