diff --git a/Shorewall6/action.AllowICMPs b/Shorewall6/action.AllowICMPs
index 0f6827400..05ccf722a 100644
--- a/Shorewall6/action.AllowICMPs
+++ b/Shorewall6/action.AllowICMPs
@@ -8,33 +8,37 @@
 ###############################################################################
 #TARGET SOURCE DEST PROTO DEST
 # PORT(S)
+
+FORMAT 2
+DEFAULTS ACCEPT
+
 COMMENT Needed ICMP types (RFC4890)
-ACCEPT - - ipv6-icmp destination-unreachable
-ACCEPT - - ipv6-icmp packet-too-big
-ACCEPT - - ipv6-icmp time-exceeded
-ACCEPT - - ipv6-icmp parameter-problem
+$1 - - ipv6-icmp destination-unreachable
+$1 - - ipv6-icmp packet-too-big
+$1 - - ipv6-icmp time-exceeded
+$1 - - ipv6-icmp parameter-problem
 # The following should have a ttl of 255 and must be allowed to transit a bridge
-ACCEPT - - ipv6-icmp router-solicitation
-ACCEPT - - ipv6-icmp router-advertisement
-ACCEPT - - ipv6-icmp neighbour-solicitation
-ACCEPT - - ipv6-icmp neighbour-advertisement
-ACCEPT - - ipv6-icmp 137 # Redirect
-ACCEPT - - ipv6-icmp 141 # Inverse neighbour discovery solicitation
-ACCEPT - - ipv6-icmp 142 # Inverse neighbour discovery advertisement
+$1 - - ipv6-icmp router-solicitation
+$1 - - ipv6-icmp router-advertisement
+$1 - - ipv6-icmp neighbour-solicitation
+$1 - - ipv6-icmp neighbour-advertisement
+$1 - - ipv6-icmp 137 # Redirect
+$1 - - ipv6-icmp 141 # Inverse neighbour discovery solicitation
+$1 - - ipv6-icmp 142 # Inverse neighbour discovery advertisement
 # The following should have a link local source address and must be allowed to transit a bridge
-ACCEPT fe80::/10 - ipv6-icmp 130 # Listener query
-ACCEPT fe80::/10 - ipv6-icmp 131 # Listener report
-ACCEPT fe80::/10 - ipv6-icmp 132 # Listener done
-ACCEPT fe80::/10 - ipv6-icmp 143 # Listener report v2
+$1 fe80::/10 - ipv6-icmp 130 # Listener query
+$1 fe80::/10 - ipv6-icmp 131 # Listener report
+$1 fe80::/10 - ipv6-icmp 132 # Listener done
+$1 fe80::/10 - ipv6-icmp 143 # Listener report v2
 # The following should be received with a ttl of 255 and must be allowed to transit a bridge
-ACCEPT - - ipv6-icmp 148 # Certificate path solicitation
-ACCEPT - - ipv6-icmp 149 # Certificate path advertisement
+$1 - - ipv6-icmp 148 # Certificate path solicitation
+$1 - - ipv6-icmp 149 # Certificate path advertisement
 # The following should have a link local source address and a ttl of 1 and must be allowed to transit abridge
-ACCEPT fe80::/10 - ipv6-icmp 151 # Multicast router advertisement
-ACCEPT fe80::/10 - ipv6-icmp 152 # Multicast router solicitation
-ACCEPT fe80::/10 - ipv6-icmp 153 # Multicast router termination
+$1 fe80::/10 - ipv6-icmp 151 # Multicast router advertisement
+$1 fe80::/10 - ipv6-icmp 152 # Multicast router solicitation
+$1 fe80::/10 - ipv6-icmp 153 # Multicast router termination
diff --git a/Shorewall6/action.Drop b/Shorewall6/action.Drop
index a4869e760..dd2e1311e 100644
--- a/Shorewall6/action.Drop
+++ b/Shorewall6/action.Drop
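Review bot: The column header at the top of the hunk still describes only TARGET/SOURCE/DEST/PROTO/DEST PORT(S) and says nothing about the parameter this action now takes, even though every rule below is `$1` with `DEFAULTS ACCEPT`. A one-line comment after `DEFAULTS ACCEPT` would tell a reader what can be passed and where it comes from, e.g. `# $1 - target applied to every rule below (default ACCEPT); action.Drop and action.Reject pass their fourth parameter here`. Worth making explicit in that comment that the ttl and link-local remarks are expectations only: the rules match on ICMP type (and, for four of them, the fe80::/10 source), so whatever target is supplied is applied to all listed types alike.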
@@ -15,32 +15,72 @@
 # c) Ensure that certain ICMP packets that are necessary for successful
 # internet operation are always ACCEPTed.
 #
+# The action accepts five optional parameters:
+#
+# 1 - 'audit' or '-'. Default is '-' which means don't audit in builtin
+# actions.
+# 2 - Action to take with Auth requests. Default is REJECT or A_REJECT,
+# depending on the setting of the first parameter.
+# 3 - Action to take with SMB requests. Default is DROP or A_DROP,
+# depending on the setting of the first parameter.
+# 4 - Action to take with required ICMP packets. Default is ACCEPT or
+# A_ACCEPT depending on the first parameter.
+# 5 - Action to take with late UDP replies (UDP source port 53). Default
+# is DROP or A_DROP depending on the first parameter.
+#
 # IF YOU ARE HAVING CONNECTION PROBLEMS, CHANGING THIS FILE WON'T HELP!!!!!!!!!
 #
 ###############################################################################
+FORMAT 2
+#
+# The following magic provides different defaults for $2 thru $5, when $1 is
+# 'audit'.
+#
+BEGIN PERL
+use Shorewall::Config;
+
+my ( $p1, $p2, $p3 , $p4, $p5 ) = get_action_params( 5 );
+
+if ( defined $p1 ) {
+ if ( $p1 eq 'audit' ) {
+ set_action_param( 2, 'A_REJECT') unless supplied $p2;
+ set_action_param( 3, 'A_DROP') unless supplied $p3;
+ set_action_param( 4, 'A_ACCEPT' ) unless supplied $p4;
+ set_action_param( 5, 'A_DROP' ) unless supplied $p5;
+ } else {
+ fatal_error "Invalid value ($p1) for first Drop parameter" if supplied $p1;
+ }
+}
+
+1;
+
+END PERL
+
+DEFAULTS -,REJECT,DROP,ACCEPT,DROP
+
 #TARGET SOURCE DEST PROTO DPORT SPORT
 #
 # Reject 'auth'
 #
-Auth(REJECT)
+Auth($2)
 #
 # ACCEPT critical ICMP types
 #
-AllowICMPs - - ipv6-icmp
+AllowICMPs($4) - - ipv6-icmp
 #
 # Drop Broadcasts so they don't clutter up the log
 # (broadcasts must *not* be rejected).
 #
-dropBcast
+dropBcast($1)
 #
 # Drop packets that are in the INVALID state -- these are usually ICMP packets
 # and just confuse people when they appear in the log.
 #
-dropInvalid
+dropInvalid($1)
 #
 # Drop Microsoft noise so that it doesn't clutter up the log.
 #
-SMB(DROP)
+SMB($3)
 #
 # Drop 'newnotsyn' traffic so that it doesn't get logged.
 #
@@ -49,4 +89,4 @@ dropNotSyn - - tcp
 # Drop late-arriving DNS replies. These are just a nuisance and clutter up
 # the log.
 #
-DropDNSrep
+DropDNSrep($5)
diff --git a/Shorewall6/action.Reject b/Shorewall6/action.Reject
index 0eb440ceb..7dec2acbf 100644
--- a/Shorewall6/action.Reject
+++ b/Shorewall6/action.Reject
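Review bot: The comment introducing the BEGIN PERL block calls it "magic" without saying what it decides, so the reader has to work out from the four calls that only parameters the caller left unsupplied are overridden. Suggest replacing the two comment lines with `# When $1 is 'audit', substitute the A_* audit variants as the defaults for any of $2..$5 the caller did not supply; any other supplied value for $1 is a fatal error.` As a style point, `my ( $p1, $p2, $p3 , $p4, $p5 )` has a stray space before a comma and `set_action_param( 2, 'A_REJECT')` closes differently from `set_action_param( 4, 'A_ACCEPT' )`; one spacing style throughout would help. The same block is repeated, differing only in the `$p3` default and the error text, in the action.Reject hunk below.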
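Review bot: `dropNotSyn - - tcp`, which shows here only as the hunk header's context line between the two hunks, is left without a parameter, whereas the matching action.Reject hunk changes it to `dropNotSyn($1) - - tcp`. If dropNotSyn accepts the audit flag the way dropBcast and dropInvalid now do, a Drop(audit) call audits the broadcast and INVALID drops but not the newnotsyn ones, which looks unintended. Suggest `dropNotSyn($1) - - tcp` for consistency with the rest of the action; the line itself sits outside both hunks.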
@@ -12,39 +12,79 @@
 # b) Ensure that certain ICMP packets that are necessary for successful
 # internet operation are always ACCEPTed.
 #
+# The action accepts five optional parameters:
+#
+# 1 - 'audit' or '-'. Default is '-' which means don't audit in builtin
+# actions.
+# 2 - Action to take with Auth requests. Default is REJECT or A_REJECT,
+# depending on the setting of the first parameter.
+# 3 - Action to take with SMB requests. Default is REJECT or A_REJECT,
+# depending on the setting of the first parameter.
+# 4 - Action to take with required ICMP packets. Default is ACCEPT or
+# A_ACCEPT depending on the first parameter.
+# 5 - Action to take with late UDP replies (UDP source port 53). Default
+# is DROP or A_DROP depending on the first parameter.
+#
 # IF YOU ARE HAVING CONNECTION PROBLEMS, CHANGING THIS FILE WON'T HELP!!!!!!!!!
 ###############################################################################
+FORMAT 2
+#
+# The following magic provides different defaults for $2 thru $5, when $1 is
+# 'audit'.
+#
+BEGIN PERL
+use Shorewall::Config;
+
+my ( $p1, $p2, $p3 , $p4, $p5 ) = get_action_params( 5 );
+
+if ( defined $p1 ) {
+ if ( $p1 eq 'audit' ) {
+ set_action_param( 2, 'A_REJECT') unless supplied $p2;
+ set_action_param( 3, 'A_REJECT') unless supplied $p3;
+ set_action_param( 4, 'A_ACCEPT' ) unless supplied $p4;
+ set_action_param( 5, 'A_DROP' ) unless supplied $p5;
+ } else {
+ fatal_error "Invalid value ($p1) for first Reject parameter" if supplied $p1;
+ }
+}
+
+1;
+
+END PERL
+
+DEFAULTS -,REJECT,REJECT,ACCEPT,DROP
+
 #TARGET SOURCE DEST PROTO
 #
 # Don't log 'auth' -- REJECT
 #
-Auth(REJECT)
+Auth($2)
 #
 # Drop Multicasts so they don't clutter up the log
 # (broadcasts must *not* be rejected).
 #
-AllowICMPs - - ipv6-icmp
+AllowICMPs($4) - - ipv6-icmp
 #
 # Drop Broadcasts so they don't clutter up the log
 # (broadcasts must *not* be rejected).
 #
-dropBcast
+dropBcast($1)
 #
 # Drop packets that are in the INVALID state -- these are usually ICMP packets
 # and just confuse people when they appear in the log (these ICMPs cannot be
 # rejected).
 #
-dropInvalid
+dropInvalid($1)
 #
 # Reject Microsoft noise so that it doesn't clutter up the log.
 #
-SMB(REJECT)
+SMB($3)
 #
 # Drop 'newnotsyn' traffic so that it doesn't get logged.
 #
-dropNotSyn - - tcp
+dropNotSyn($1) - - tcp
 #
 # Drop late-arriving DNS replies. These are just a nuisance and clutter up
 # the log.
 #
-DropDNSrep
+DropDNSrep($5)
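Review bot: The comment heading `AllowICMPs($4) - - ipv6-icmp` still reads "Drop Multicasts so they don't clutter up the log / (broadcasts must *not* be rejected)", which describes the dropBcast rule that follows rather than this rule, whose whole purpose per the file header is to ACCEPT required ICMP types. The same rule in the action.Drop hunk above is headed "ACCEPT critical ICMP types"; since the line is being rewritten here anyway, suggest replacing those two comment lines with `# ACCEPT critical ICMP types` so the comment matches what `$4` defaults to.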