shorewall_code/Shorewall6/action.Drop

#
# Shorewall6 version 4 - Drop Action
#
# /usr/share/shorewall6/action.Drop
#
#	The default DROP common rules
#
#	This action is invoked before a DROP policy is enforced. The purpose
#	of the action is:
#
#	a) Avoid logging lots of useless cruft.
#	b) Ensure that 'auth' requests are rejected, even if the policy is
#	   DROP. Otherwise, you may experience problems establishing
#	   connections with servers that use auth.
#	c) Ensure that certain ICMP packets that are necessary for successful
#	   internet operation are always ACCEPTed.
#
#  The action accepts five optional parameters:
#
#	1 - 'audit' or '-'. Default is '-' which means don't audit in builtin
#           actions.
#       2 - Action to take with Auth requests. Default is REJECT or A_REJECT,
#           depending on the setting of the first parameter.
#	3 - Action to take with SMB requests. Default is DROP or A_DROP,
#           depending on the setting of the first parameter.
#       4 - Action to take with required ICMP packets. Default is ACCEPT or
#           A_ACCEPT depending on the first parameter.
#       5 - Action to take with late UDP replies (UDP source port 53). Default
#           is DROP or A_DROP depending on the first parameter.
#
# IF YOU ARE HAVING CONNECTION PROBLEMS, CHANGING THIS FILE WON'T HELP!!!!!!!!!
#
###############################################################################
FORMAT 2
#
# The following magic provides different defaults for $2 thru $5, when $1 is 
# 'audit'.
#
BEGIN PERL;
use Shorewall::Config;

my ( $p1, $p2, $p3 , $p4, $p5 ) = get_action_params( 5 );

if ( defined $p1 ) { 
    if ( $p1 eq 'audit' ) {
	set_action_param( 2, 'A_REJECT')   unless supplied $p2;
	set_action_param( 3, 'A_DROP')     unless supplied $p3;
	set_action_param( 4, 'A_ACCEPT' )  unless supplied $p4;
	set_action_param( 5, 'A_DROP' )    unless supplied $p5;
    } else {
	fatal_error "Invalid value ($p1) for first Drop parameter" if supplied $p1;
    }
}

1;

END PERL;

DEFAULTS -,REJECT,DROP,ACCEPT,DROP

#TARGET		SOURCE	DEST	PROTO	DPORT	SPORT
#
# Reject 'auth'
#
Auth($2)
#
# ACCEPT critical ICMP types
#
AllowICMPs($4)	-	-	ipv6-icmp
#
# Drop Broadcasts so they don't clutter up the log
# (broadcasts must *not* be rejected).
#
Broadcast(DROP,$1)
#
# Drop packets that are in the INVALID state -- these are usually ICMP packets
# and just confuse people when they appear in the log.
#
Invalid(DROP,$1)
#
# Drop Microsoft noise so that it doesn't clutter up the log.
#
SMB($3)
#
# Drop 'newnotsyn' traffic so that it doesn't get logged.
#
NotSyn(DROP,$1)	-	-	tcp
#
# Drop late-arriving DNS replies. These are just a nuisance and clutter up
# the log.
#
DropDNSrep($5)
Create Shorewall6 and Shorewall6-lite git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@8957 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb 2008-12-09 17:50:17 +01:00			`#`
Macro conversion git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@9025 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb 2008-12-13 19:22:42 +01:00			`# Shorewall6 version 4 - Drop Action`
Create Shorewall6 and Shorewall6-lite git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@8957 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb 2008-12-09 17:50:17 +01:00			`#`
Macro conversion git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@9025 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb 2008-12-13 19:22:42 +01:00			`# /usr/share/shorewall6/action.Drop`
Create Shorewall6 and Shorewall6-lite git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@8957 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb 2008-12-09 17:50:17 +01:00			`#`
			`# The default DROP common rules`
			`#`
			`# This action is invoked before a DROP policy is enforced. The purpose`
			`# of the action is:`
			`#`
			`# a) Avoid logging lots of useless cruft.`
			`# b) Ensure that 'auth' requests are rejected, even if the policy is`
			`# DROP. Otherwise, you may experience problems establishing`
			`# connections with servers that use auth.`
			`# c) Ensure that certain ICMP packets that are necessary for successful`
			`# internet operation are always ACCEPTed.`
			`#`
Implement parameterized default actions for IPv6 Signed-off-by: Tom Eastep <teastep@shorewall.net> 2011-07-04 16:13:32 +02:00			`# The action accepts five optional parameters:`
			`#`
			`# 1 - 'audit' or '-'. Default is '-' which means don't audit in builtin`
			`# actions.`
			`# 2 - Action to take with Auth requests. Default is REJECT or A_REJECT,`
			`# depending on the setting of the first parameter.`
			`# 3 - Action to take with SMB requests. Default is DROP or A_DROP,`
			`# depending on the setting of the first parameter.`
			`# 4 - Action to take with required ICMP packets. Default is ACCEPT or`
			`# A_ACCEPT depending on the first parameter.`
			`# 5 - Action to take with late UDP replies (UDP source port 53). Default`
			`# is DROP or A_DROP depending on the first parameter.`
			`#`
Create Shorewall6 and Shorewall6-lite git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@8957 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb 2008-12-09 17:50:17 +01:00			`# IF YOU ARE HAVING CONNECTION PROBLEMS, CHANGING THIS FILE WON'T HELP!!!!!!!!!`
			`#`
			`###############################################################################`
Implement parameterized default actions for IPv6 Signed-off-by: Tom Eastep <teastep@shorewall.net> 2011-07-04 16:13:32 +02:00			`FORMAT 2`
			`#`
			`# The following magic provides different defaults for $2 thru $5, when $1 is`
			`# 'audit'.`
			`#`
Add semicolons in new actions. Signed-off-by: Tom Eastep <teastep@shorewall.net> 2011-07-04 23:27:21 +02:00			`BEGIN PERL;`
Implement parameterized default actions for IPv6 Signed-off-by: Tom Eastep <teastep@shorewall.net> 2011-07-04 16:13:32 +02:00			`use Shorewall::Config;`

			`my ( $p1, $p2, $p3 , $p4, $p5 ) = get_action_params( 5 );`

			`if ( defined $p1 ) {`
			`if ( $p1 eq 'audit' ) {`
			`set_action_param( 2, 'A_REJECT') unless supplied $p2;`
			`set_action_param( 3, 'A_DROP') unless supplied $p3;`
			`set_action_param( 4, 'A_ACCEPT' ) unless supplied $p4;`
			`set_action_param( 5, 'A_DROP' ) unless supplied $p5;`
			`} else {`
			`fatal_error "Invalid value ($p1) for first Drop parameter" if supplied $p1;`
			`}`
			`}`

			`1;`

Add semicolons in new actions. Signed-off-by: Tom Eastep <teastep@shorewall.net> 2011-07-04 23:27:21 +02:00			`END PERL;`
Implement parameterized default actions for IPv6 Signed-off-by: Tom Eastep <teastep@shorewall.net> 2011-07-04 16:13:32 +02:00
			`DEFAULTS -,REJECT,DROP,ACCEPT,DROP`

Create Shorewall6 and Shorewall6-lite git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@8957 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb 2008-12-09 17:50:17 +01:00			`#TARGET SOURCE DEST PROTO DPORT SPORT`
			`#`
			`# Reject 'auth'`
			`#`
Implement parameterized default actions for IPv6 Signed-off-by: Tom Eastep <teastep@shorewall.net> 2011-07-04 16:13:32 +02:00			`Auth($2)`
Create Shorewall6 and Shorewall6-lite git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@8957 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb 2008-12-09 17:50:17 +01:00			`#`
Reverse order of ICMPv6 and Multicast/anycast filtering 2010-07-13 22:03:55 +02:00			`# ACCEPT critical ICMP types`
			`#`
Implement parameterized default actions for IPv6 Signed-off-by: Tom Eastep <teastep@shorewall.net> 2011-07-04 16:13:32 +02:00			`AllowICMPs($4) - - ipv6-icmp`
Reverse order of ICMPv6 and Multicast/anycast filtering 2010-07-13 22:03:55 +02:00			`#`
Drop multicast and anycast in Drop and Reject actions 2010-07-13 01:44:34 +02:00			`# Drop Broadcasts so they don't clutter up the log`
			`# (broadcasts must not be rejected).`
			`#`
Update IPv6 standard default actions to use new parameterized actions Signed-off-by: Tom Eastep <teastep@shorewall.net> 2011-07-04 17:01:18 +02:00			`Broadcast(DROP,$1)`
Drop multicast and anycast in Drop and Reject actions 2010-07-13 01:44:34 +02:00			`#`
Create Shorewall6 and Shorewall6-lite git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@8957 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb 2008-12-09 17:50:17 +01:00			`# Drop packets that are in the INVALID state -- these are usually ICMP packets`
			`# and just confuse people when they appear in the log.`
			`#`
Update IPv6 standard default actions to use new parameterized actions Signed-off-by: Tom Eastep <teastep@shorewall.net> 2011-07-04 17:01:18 +02:00			`Invalid(DROP,$1)`
Create Shorewall6 and Shorewall6-lite git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@8957 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb 2008-12-09 17:50:17 +01:00			`#`
			`# Drop Microsoft noise so that it doesn't clutter up the log.`
			`#`
Implement parameterized default actions for IPv6 Signed-off-by: Tom Eastep <teastep@shorewall.net> 2011-07-04 16:13:32 +02:00			`SMB($3)`
Create Shorewall6 and Shorewall6-lite git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@8957 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb 2008-12-09 17:50:17 +01:00			`#`
			`# Drop 'newnotsyn' traffic so that it doesn't get logged.`
			`#`
Update IPv6 standard default actions to use new parameterized actions Signed-off-by: Tom Eastep <teastep@shorewall.net> 2011-07-04 17:01:18 +02:00			`NotSyn(DROP,$1) - - tcp`
Create Shorewall6 and Shorewall6-lite git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@8957 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb 2008-12-09 17:50:17 +01:00			`#`
			`# Drop late-arriving DNS replies. These are just a nuisance and clutter up`
			`# the log.`
			`#`
Implement parameterized default actions for IPv6 Signed-off-by: Tom Eastep <teastep@shorewall.net> 2011-07-04 16:13:32 +02:00			`DropDNSrep($5)`