Add default action example

docs/Audit.xml

@@ -148,8 +148,8 @@ net	fw      DROP:audit</programlisting>
       </listitem>
 
       <listitem>
-        <para> Three new builtin targets that may be used in the rules file,
+        <para>Three new builtin targets that may be used in the rules file, in
-        in macros and in other actions.</para>
+        macros and in other actions.</para>
 
         <itemizedlist>
           <listitem>
@@ -230,6 +230,49 @@ A_ACCEPT:info  loc          net        ...</programlisting>
           <command>shorewall show actions</command> whose names begin with a
           lower-case letter.</para>
         </note>
+
+        <para>Here's a version of action.Drop that does auditing:</para>
+
+        <programlisting>#TARGET         SOURCE  DEST    PROTO   DPORT   SPORT
+#
+# Count packets that come through here
+#
+COUNT
+#
+# Reject 'auth'
+#
+A_REJECT        -       -       tcp     
+#
+# Don't log broadcasts
+#
+dropBcast(audit)
+#
+# ACCEPT critical ICMP types
+#
+AudAllowICMPs      -       -       icmp
+#
+# Drop packets that are in the INVALID state -- these are usually ICMP packets
+# and just confuse people when they appear in the log.
+#
+dropInvalid(audit)
+#
+# Drop Microsoft noise so that it doesn't clutter up the log.
+#
+AudSMB(DROP)
+AudDropUPnP
+#
+# Drop 'newnotsyn' traffic so that it doesn't get logged.
+#
+dropNotSyn(audit)  -       -       tcp
+#
+# Drop late-arriving DNS replies. These are just a nuisance and clutter up
+# the log.
+#
+A_DROP          -       -       udp      -     53</programlisting>
+
+        <para>The 'Aud...' macros would be auditing versions of their standard
+        macro counterparts (if you are interested in auditing those connection
+        types).</para>
       </listitem>
     </orderedlist>
   </section>