shorewall_code/Shorewall/action.Drop

95 lines
2.6 KiB
Plaintext
Raw Normal View History

#
# Shorewall version 4 - Drop Action
#
# /usr/share/shorewall/action.Drop
#
# The default DROP common rules
#
# This action is invoked before a DROP policy is enforced. The purpose
# of the action is:
#
# a) Avoid logging lots of useless cruft.
# b) Ensure that 'auth' requests are rejected, even if the policy is
# DROP. Otherwise, you may experience problems establishing
# connections with servers that use auth.
# c) Ensure that certain ICMP packets that are necessary for successful
# internet operation are always ACCEPTed.
#
# The action accepts five optional parameters:
#
# 1 - 'audit' or '-'. Default is '-' which means don't audit in builtin
# actions.
# 2 - Action to take with Auth requests. Default is REJECT or A_REJECT,
# depending on the setting of the first parameter.
# 3 - Action to take with SMB requests. Default is DROP or A_DROP,
# depending on the setting of the first parameter.
# 4 - Action to take with required ICMP packets. Default is ACCEPT or
# A_ACCEPT depending on the first parameter.
# 5 - Action to take with late UDP replies (UDP source port 53). Default
# is DROP or A_DROP depending on the first parameter.
#
# IF YOU ARE HAVING CONNECTION PROBLEMS, CHANGING THIS FILE WON'T HELP!!!!!!!!!
#
###############################################################################
FORMAT 2
#
# The following magic provides different defaults for $2 thru $5, when $1 is
# 'audit'.
#
BEGIN PERL
use Shorewall::Config;
my ( $p1, $p2, $p3 , $p4, $p5, $p6 ) = get_action_params( 6 );
fatal_error "Too many parameters to Drop" if defined $p6;
if ( defined $p1 && $p1 eq 'audit' ) {
set_action_param( 2, 'A_REJECT') unless defined( $p2 ) && $p2 ne '-';
set_action_param( 3, 'A_DROP') unless defined( $p3 ) && $p3 ne '-';
set_action_param( 4, 'A_ACCEPT' ) unless defined( $p4 ) && $p4 ne '-';
set_action_param( 5, 'A_DROP' ) unless defined( $p5 ) && $p5 ne '-';
};
1;
END PERL
DEFAULTS -,REJECT,DROP,ACCEPT,DROP
#TARGET SOURCE DEST PROTO DPORT SPORT
#
# Count packets that come through here
#
COUNT
#
# Reject 'auth'
#
Auth($2)
#
# Don't log broadcasts
#
dropBcast($1)
#
# ACCEPT critical ICMP types
#
AllowICMPs($4) - - icmp
#
# Drop packets that are in the INVALID state -- these are usually ICMP packets
# and just confuse people when they appear in the log.
#
dropInvalid($1)
#
# Drop Microsoft noise so that it doesn't clutter up the log.
#
SMB($3)
DropUPnP($5)
#
# Drop 'newnotsyn' traffic so that it doesn't get logged.
#
dropNotSyn($1) - - tcp
#
# Drop late-arriving DNS replies. These are just a nuisance and clutter up
# the log.
#
DropDNSrep($5)