############################################################################
# Shorewall 1.3 -- /etc/shorewall/common.def
#
# This file defines the rules that are applied before a policy of
# DROP or REJECT is applied. In addition to the rules defined in this file,
# the firewall will also define a DROP rule for each subnet broadcast
# address defined in /etc/shorewall/interfaces (including "detect").
#
# Do not modify this file -- if you wish to change these rules, copy this
# file to /etc/shorewall/common and modify that file.
#
# This file is not a standalone script: it is read by the firewall script,
# which provides run_iptables. Every line appends (-A) one rule to the
# "common" chain, so the rules take effect in the order they appear here.
# Two kinds of rule live here: traffic that is ACCEPTed so the policy
# cannot discard it (ICMP handling, stray ACK/RST segments), and routine
# network chatter that is REJECTed/DROPped explicitly -- presumably so it
# never reaches the policy and whatever logging the policy carries.
#
# Target spelling matters: "REJECT"/"DROP"/"ACCEPT" are the iptables
# built-in targets; lowercase "reject" and "icmpdef" are chains that are
# defined outside this file (presumably by the firewall script) -- verify
# they exist before reusing this file elsewhere.
#
# Hand all ICMP to the icmpdef chain; the ICMP types that are accepted
# or dropped are decided there, not in this file.
run_iptables -A common -p icmp -j icmpdef
############################################################################
# accept ACKs and RSTs that aren't related to any session so that the
# protocol stack can handle them
#
# NOTE(review): --tcp-flags ACK ACK matches every TCP segment with the ACK
# bit set (and RST RST every segment with RST set); there is no
# connection-state test on these lines. The "not related to any session"
# wording relies on established/related traffic having been handled
# before the common chain is reached (not visible here -- TODO confirm).
# Consequence: such segments are passed to the kernel and get its normal
# reply (typically a RST) instead of being silently dropped by the policy,
# so they are not hidden from the sender. Override in /etc/shorewall/common
# if silent discard is preferred.
run_iptables -A common -p tcp --tcp-flags ACK ACK -j ACCEPT
run_iptables -A common -p tcp --tcp-flags RST RST -j ACCEPT
############################################################################
# NETBIOS chatter
#
# UDP name/datagram/session ports 137-139 and 445 use the built-in REJECT
# target (its default reply is an ICMP port-unreachable). TCP 135 goes to
# Shorewall's own "reject" chain instead. Only udp/445 is matched here:
# tcp/139 and tcp/445 are not covered by these rules and fall through to
# the zone policy.
run_iptables -A common -p udp --dport 137:139 -j REJECT
run_iptables -A common -p udp --dport 445 -j REJECT
run_iptables -A common -p tcp --dport 135 -j reject
############################################################################
# UPnP
#
# SSDP discovery (udp/1900) is dropped silently rather than rejected.
run_iptables -A common -p udp --dport 1900 -j DROP
############################################################################
# BROADCASTS
#
# Limited broadcast and the whole IPv4 multicast range. Subnet-directed
# broadcasts are not listed here -- per the header, the firewall adds a
# DROP for each interface's broadcast address itself.
run_iptables -A common -d 255.255.255.255 -j DROP
run_iptables -A common -d 224.0.0.0/4 -j DROP
############################################################################
# AUTH -- Reject it so that connections don't get delayed.
#
# ident (tcp/113) lookups made by remote servers get an immediate answer
# from the "reject" chain instead of waiting for a timeout.
run_iptables -A common -p tcp --dport 113 -j reject