# # Shorewall version 4 - Reject Action # # /usr/share/shorewall/action.Reject # # The default REJECT action common rules # # This action is invoked before a REJECT policy is enforced. The purpose # of the action is: # # a) Avoid logging lots of useless cruft. # b) Ensure that certain ICMP packets that are necessary for successful # internet operation are always ACCEPTed. # # The action accepts five optional parameters: # # 1 - 'audit' or '-'. Default is '-' which means don't audit in builtin # actions. # 2 - Action to take with Auth requests. Default is REJECT or A_REJECT, # depending on the setting of the first parameter. # 3 - Action to take with SMB requests. Default is REJECT or A_REJECT, # depending on the setting of the first parameter. # 4 - Action to take with required ICMP packets. Default is ACCEPT or # A_ACCEPT depending on the first parameter. # 5 - Action to take with late UDP replies (UDP source port 53). Default # is DROP or A_DROP depending on the first parameter. # # IF YOU ARE HAVING CONNECTION PROBLEMS, CHANGING THIS FILE WON'T HELP!!!!!!!!! ############################################################################### FORMAT 2 # # The following magic provides different defaults for $2 thru $5, when $1 is # 'audit'. # BEGIN PERL use Shorewall::Config; my ( $p1, $p2, $p3 , $p4, $p5, $p6 ) = get_action_params( 6 ); fatal_error "Too many parameters to Reject" if defined $p6; if ( defined $p1 ) { if ( $p1 eq 'audit' ) { set_action_param( 2, 'A_REJECT') unless defined( $p2 ) && $p2 ne '-'; set_action_param( 3, 'A_REJECT') unless defined( $p3 ) && $p3 ne '-'; set_action_param( 4, 'A_ACCEPT' ) unless defined( $p5 ) && $p4 ne '-'; set_action_param( 5, 'A_DROP' ) unless defined( $p5 ) && $p5 ne '-'; } else { fatal_error "Invalid value ($p1) for first Reject parameter" unless $p1 eq '-'; } } 1; END PERL DEFAULTS -,REJECT,REJECT,ACCEPT,DROP #TARGET SOURCE DEST PROTO # # Count packets that come through here # COUNT # # Don't log 'auth' -- REJECT # Auth($2) # # Drop Broadcasts so they don't clutter up the log # (broadcasts must *not* be rejected). # dropBcast($1) # # ACCEPT critical ICMP types # AllowICMPs($4) - - icmp # # Drop packets that are in the INVALID state -- these are usually ICMP packets # and just confuse people when they appear in the log (these ICMPs cannot be # rejected). # dropInvalid($1) # # Reject Microsoft noise so that it doesn't clutter up the log. # SMB($3) DropUPnP($5) # # Drop 'newnotsyn' traffic so that it doesn't get logged. # dropNotSyn($1) - - tcp # # Drop late-arriving DNS replies. These are just a nuisance and clutter up # the log. # DropDNSrep($5)