Create Audited versions of the IPv4 standard default actions

Signed-off-by: Tom Eastep <teastep@shorewall.net>

Shorewall/Macros/macro.AAllowICMPs

@@ -0,0 +1,15 @@
+#
+# Shorewall version 4 - Audited AllowICMPs Macro
+#
+# /usr/share/shorewall/macro.AAllowICMPs
+#
+#	This macro A_ACCEPTs needed ICMP types
+#
+###############################################################################
+#ACTION		SOURCE	DEST	PROTO	DEST	SOURCE	RATE	USER/
+#					PORT(S)	PORT(S)	LIMIT	GROUP
+
+COMMENT Needed ICMP types
+
+A_ACCEPT       -	-	icmp	fragmentation-needed
+A_ACCEPT       -	-	icmp	time-exceeded

Shorewall/Macros/macro.ADropDNSrep

@@ -0,0 +1,14 @@
+#
+# Shorewall version 4 - Audited DropDNSrep Macro
+#
+# /usr/share/shorewall/macro.ADropDNSrep
+#
+#	This macro silently audites and drops DNS UDP replies
+#
+###############################################################################
+#ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	RATE	USER/
+#				PORT(S)	PORT(S)	LIMIT	GROUP
+
+COMMENT Late DNS Replies
+
+A_DROP	-	-	udp	-	53

Shorewall/Macros/macro.ADropUPnP

@@ -0,0 +1,14 @@
+#
+# Shorewall version 4 - ADropUPnP Macro
+#
+# /usr/share/shorewall/macro.ADropUPnP
+#
+#	This macro silently drops UPnP probes on UDP port 1900
+#
+###############################################################################
+#ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	RATE	USER/
+#				PORT(S)	PORT(S)	LIMIT	GROUP
+
+COMMENT UPnP
+
+A_DROP	-	-	udp	1900

Shorewall/action.ADrop

@@ -0,0 +1,56 @@
+#
+# Shorewall version 4 - Drop Action
+#
+# /usr/share/shorewall/action.Drop
+#
+#	The default DROP common rules
+#
+#	This action is invoked before a DROP policy is enforced. The purpose
+#	of the action is:
+#
+#	a) Avoid logging lots of useless cruft.
+#	b) Ensure that 'auth' requests are rejected, even if the policy is
+#	   DROP. Otherwise, you may experience problems establishing
+#	   connections with servers that use auth.
+#	c) Ensure that certain ICMP packets that are necessary for successful
+#	   internet operation are always ACCEPTed.
+#
+# IF YOU ARE HAVING CONNECTION PROBLEMS, CHANGING THIS FILE WON'T HELP!!!!!!!!!
+#
+###############################################################################
+#TARGET		SOURCE	DEST	PROTO	DPORT	SPORT
+#
+# Count packets that come through here
+#
+COUNT
+#
+# Reject 'auth'
+#
+Auth(A_REJECT)
+#
+# Don't log broadcasts
+#
+dropBcast(audit)
+#
+# ACCEPT critical ICMP types
+#
+AllowICMPs	-	-	icmp
+#
+# Drop packets that are in the INVALID state -- these are usually ICMP packets
+# and just confuse people when they appear in the log.
+#
+dropInvalid(audit)
+#
+# Drop Microsoft noise so that it doesn't clutter up the log.
+#
+SMB(A_DROP)
+ADropUPnP
+#
+# Drop 'newnotsyn' traffic so that it doesn't get logged.
+#
+dropNotSyn(audit)	-	-	tcp
+#
+# Drop late-arriving DNS replies. These are just a nuisance and clutter up
+# the log.
+#
+DropDNSrep

Shorewall/action.AReject

@@ -0,0 +1,54 @@
+#
+# Shorewall version 4 - Reject Action
+#
+# /usr/share/shorewall/action.Reject
+#
+#	The default REJECT action common rules
+#
+#	This action is invoked before a REJECT policy is enforced. The purpose
+#	of the action is:
+#
+#	a) Avoid logging lots of useless cruft.
+#	b) Ensure that certain ICMP packets that are necessary for successful
+#	   internet operation are always ACCEPTed.
+#
+# IF YOU ARE HAVING CONNECTION PROBLEMS, CHANGING THIS FILE WON'T HELP!!!!!!!!!
+###############################################################################
+#TARGET		SOURCE	DEST	PROTO
+#
+# Count packets that come through here
+#
+COUNT
+#
+# Don't log 'auth' -- REJECT
+#
+Auth(A_REJECT)
+#
+# Drop Broadcasts so they don't clutter up the log
+# (broadcasts must *not* be rejected).
+#
+dropBcast(audit)
+#
+# ACCEPT critical ICMP types
+#
+AAllowICMPs	-	-	icmp
+#
+# Drop packets that are in the INVALID state -- these are usually ICMP packets
+# and just confuse people when they appear in the log (these ICMPs cannot be
+# rejected).
+#
+dropInvalid(audit)
+#
+# Reject Microsoft noise so that it doesn't clutter up the log.
+#
+SMB(A_REJECT)
+ADropUPnP
+#
+# Drop 'newnotsyn' traffic so that it doesn't get logged.
+#
+dropNotSyn(audit)	-	-	tcp
+#
+# Drop late-arriving DNS replies. These are just a nuisance and clutter up
+# the log.
+#
+ADropDNSrep

Shorewall/actions.std

@@ -33,5 +33,7 @@
 #
 ###############################################################################
 #ACTION
+ADrop		    # Audited Default Action for DROP policy
+AReject		    # Audited Default action for REJECT policy
 Drop		    # Default Action for DROP policy
 Reject		    # Default Action for REJECT policy