#
# Shorewall -- /usr/share/shorewall/action.A_Drop
#
# The audited default DROP common rules
#
# This action is invoked before a DROP policy is enforced. The purpose
# of the action is:
#
# a) Avoid logging lots of useless cruft.
# b) Ensure that certain ICMP packets that are necessary for successful
#    internet operation are always ACCEPTed.
#
# IF YOU ARE HAVING CONNECTION PROBLEMS, CHANGING THIS FILE WON'T HELP!!!!!!!!!
#
?require AUDIT_TARGET
?warning "You are using the deprecated A_Drop default action. Please see http://www.shorewall.net/Actions.html
###############################################################################
#ACTION		SOURCE	DEST	PROTO	DPORT	SPORT
#
# Count packets that come through here
#
COUNT
#
# Special Handling for Auth
#
Auth(A_DROP)
#
# ACCEPT critical ICMP types
#
# For IPv6 connectivity ipv6-icmp broadcasting is required so
# AllowICMPs must be before broadcast Drop.
#
A_AllowICMPs	-	-	icmp
#
# Don't log broadcasts and multicasts
#
dropBcast(audit)
dropMcast(audit)
#
# Drop packets that are in the INVALID state -- these are usually ICMP packets
# and just confuse people when they appear in the log.
#
dropInvalid(audit)
#
# Drop Microsoft noise so that it doesn't clutter up the log.
#
SMB(A_DROP)
A_DropUPnP
#
# Drop 'newnotsyn' traffic so that it doesn't get logged.
#
dropNotSyn(audit)	-	-	tcp
#
# Drop late-arriving DNS replies. These are just a nuisance and clutter up
# the log.
#
A_DropDNSrep