shorewall_code/Shorewall/actions.std

62 lines
2.6 KiB
Plaintext
Raw Normal View History

#
# Shorewall version 5 - Actions.std File
#
# /usr/share/shorewall/actions.std
#
# Please see http://shorewall.org/Actions.html for additional
# information.
#
###############################################################################
#ACTION
A_REJECT noinline,logjump # Audits then rejects a connection request
A_REJECT! inline # Audits then rejects a connection request
AllowICMPs inline # Allow Required ICMP packets
allowBcast inline # Silently Allow Broadcast
allowinUPnP inline # Allow UPnP inbound (to firewall) traffic
allowInvalid inline # Accepts packets in the INVALID conntrack state
allowMcast inline # Silently Allow Multicast
AutoBL noinline # Auto-blacklist IPs that exceed thesholds
AutoBLL noinline # Helper for AutoBL
BLACKLIST logjump,section # Add sender to the dynamic blacklist
?if __ADDRTYPE
Broadcast inline,audit # Handles Broadcast/Anycast
?else
Broadcast noinline,audit # Handles Broadcast/Anycast
?endif
DNSAmp proto=17 # Matches one-question recursive DNS queries
dropBcast inline # Silently Drop Broadcast
dropBcasts inline # Silently Drop Broadcast
dropInvalid inline # Drops packets in the INVALID conntrack state
dropMcast inline # Silently Drop Multicast
dropNotSyn noinline,proto=6 # Silently Drop Non-syn TCP packets
DropDNSrep inline,proto=17 # Drops DNS replies
DropSmurfs noinline # Drop smurf packets
Established inline,\ # Handles packets in the ESTABLISHED state
state=ESTABLISHED #
FIN inline,audit,\ # Handles ACK,FIN packets
proto=6
forwardUPnP noinline # Allow traffic that upnpd has redirected from 'upnp' interfaces.
GlusterFS inline # Handles GlusterFS
IfEvent noinline # Perform an action based on an event
Invalid inline,audit,\ # Handles packets in the INVALID conntrack state
state=INVALID #
Limit noinline # Limit the rate of connections from each individual IP address
?if __ADDRTYPE
Multicast inline,audit # Handles Multicast
?else
Multicast noinline,audit # Handles Multicast
?endif
New inline,state=NEW # Handles packets in the NEW conntrack state
NotSyn inline,audit,\ # Handles TCP packets which do not have SYN=1 and ACK=0
proto=6
rejNotSyn noinline,proto=6 # Silently Reject Non-syn TCP packets
Related inline,\ # Handles packets in the RELATED conntrack state
state=RELATED #
ResetEvent inline # Reset an Event
RST inline,audit,\ # Handle packets with RST set
proto=6
SetEvent inline # Initialize an event
TCPFlags proto=6 # Handle bad flag combinations.
Untracked inline,\ # Handles packets in the UNTRACKED conntrack state
state=UNTRACKED #