# # Shorewall -- /usr/share/shorewall/action.A_Reject # # The audited default REJECT action common rules # # This action is invoked before a REJECT policy is enforced. The purpose # of the action is: # # a) Avoid logging lots of useless cruft. # b) Ensure that certain ICMP packets that are necessary for successful # internet operation are always ACCEPTed. # # IF YOU ARE HAVING CONNECTION PROBLEMS, CHANGING THIS FILE WON'T HELP!!!!!!!!! ?require AUDIT_TARGET ?warning "You are using the deprecated A_REJECT default action. Please see http://www.shorewall.net/Actions.html ############################################################################### #ACTION SOURCE DEST PROTO # # Count packets that come through here # COUNT # # ACCEPT critical ICMP types # # For IPv6 connectivity ipv6-icmp broadcasting is required so # AllowICMPs must be before broadcast Drop. # A_AllowICMPs - - icmp # # Drop Broadcasts and multicasts so they don't clutter up the log # (these must *not* be rejected). # dropBcast(audit) dropMcast(audit) # # Drop packets that are in the INVALID state -- these are usually ICMP packets # and just confuse people when they appear in the log (these ICMPs cannot be # rejected). # dropInvalid(audit) # # Reject Microsoft noise so that it doesn't clutter up the log. # SMB(A_REJECT) A_DropUPnP # # Drop 'newnotsyn' traffic so that it doesn't get logged. # dropNotSyn(audit) - - tcp # # Drop late-arriving DNS replies. These are just a nuisance and clutter up # the log. # A_DropDNSrep