# # Shorewall version 5 - Drop Action # # /usr/share/shorewall/action.Drop # # The default DROP common rules # # This action is invoked before a DROP policy is enforced. The purpose # of the action is: # # a) Avoid logging lots of useless cruft. # b) Ensure that certain ICMP packets that are necessary for successful # internet operation are always ACCEPTed. # # The action accepts five optional parameters: # # 1 - 'audit' or '-'. Default is '-' which means don't audit in builtin # actions. # 2 - Action to take with Auth requests. Default is to do nothing special # with them. # 3 - Action to take with SMB requests. Default is DROP or A_DROP, # depending on the setting of the first parameter. # 4 - Action to take with required ICMP packets. Default is ACCEPT or # A_ACCEPT depending on the first parameter. # 5 - Action to take with late UDP replies (UDP source port 53). Default # is DROP or A_DROP depending on the first parameter. # # IF YOU ARE HAVING CONNECTION PROBLEMS, CHANGING THIS FILE WON'T HELP!!!!!!!!! # ############################################################################### ?if passed(@1) ?if @1 eq 'audit' DEFAULTS -,-,A_DROP,A_ACCEPT,A_DROP ?else ?error The first parameter to Drop must be 'audit' or '-' ?endif ?else DEFAULTS -,-,DROP,ACCEPT,DROP ?endif #TARGET SOURCE DEST PROTO DPORT SPORT # # Count packets that come through here # COUNT # # Special Handling for Auth # ?if passed(@2) Auth(@2) ?endif # # Don't log broadcasts # Broadcast(DROP,@1) # # ACCEPT critical ICMP types # AllowICMPs(@4) - - icmp # # Drop packets that are in the INVALID state -- these are usually ICMP packets # and just confuse people when they appear in the log. # Invalid(DROP,@1) # # Drop Microsoft noise so that it doesn't clutter up the log. # SMB(@3) DropUPnP # # Drop 'newnotsyn' traffic so that it doesn't get logged. # NotSyn(DROP,@1) - - tcp # # Drop late-arriving DNS replies. These are just a nuisance and clutter up # the log. # DropDNSrep(@5)