mirror of
https://gitlab.com/shorewall/code.git
synced 2024-11-08 16:54:10 +01:00
50 lines
1.2 KiB
Plaintext
50 lines
1.2 KiB
Plaintext
#
|
|
# Shorewall6 version 4 - Reject Action
|
|
#
|
|
# /usr/share/shorewall6/action.Reject
|
|
#
|
|
# The default REJECT action common rules
|
|
#
|
|
# This action is invoked before a REJECT policy is enforced. The purpose
|
|
# of the action is:
|
|
#
|
|
# a) Avoid logging lots of useless cruft.
|
|
# b) Ensure that certain ICMP packets that are necessary for successful
|
|
# internet operation are always ACCEPTed.
|
|
#
|
|
# IF YOU ARE HAVING CONNECTION PROBLEMS, CHANGING THIS FILE WON'T HELP!!!!!!!!!
|
|
###############################################################################
|
|
#TARGET SOURCE DEST PROTO
|
|
#
|
|
# Don't log 'auth' -- REJECT
|
|
#
|
|
Auth(REJECT)
|
|
#
|
|
# Drop Multicasts so they don't clutter up the log
|
|
# (broadcasts must *not* be rejected).
|
|
#
|
|
dropBcast
|
|
#
|
|
# ACCEPT critical ICMP types
|
|
#
|
|
AllowICMPs - - ipv6-icmp
|
|
#
|
|
# Drop packets that are in the INVALID state -- these are usually ICMP packets
|
|
# and just confuse people when they appear in the log (these ICMPs cannot be
|
|
# rejected).
|
|
#
|
|
dropInvalid
|
|
#
|
|
# Reject Microsoft noise so that it doesn't clutter up the log.
|
|
#
|
|
SMB(REJECT)
|
|
#
|
|
# Drop 'newnotsyn' traffic so that it doesn't get logged.
|
|
#
|
|
dropNotSyn - - tcp
|
|
#
|
|
# Drop late-arriving DNS replies. These are just a nuisance and clutter up
|
|
# the log.
|
|
#
|
|
DropDNSrep
|