mirror of
https://gitlab.com/shorewall/code.git
synced 2024-12-30 10:08:52 +01:00
bc6a38ca64
Signed-off-by: Tom Eastep <teastep@shorewall.net>
98 lines
2.5 KiB
Plaintext
98 lines
2.5 KiB
Plaintext
#
|
|
# Shorewall version 4 - Drop Action
|
|
#
|
|
# /usr/share/shorewall/action.Drop
|
|
#
|
|
# The default DROP common rules
|
|
#
|
|
# This action is invoked before a DROP policy is enforced. The purpose
|
|
# of the action is:
|
|
#
|
|
# a) Avoid logging lots of useless cruft.
|
|
# b) Allow 'auth' requests rejected rejected, even if the policy is
|
|
# DROP. Otherwise, you may experience problems establishing
|
|
# connections with servers that use auth.
|
|
# c) Ensure that certain ICMP packets that are necessary for successful
|
|
# internet operation are always ACCEPTed.
|
|
#
|
|
# The action accepts five optional parameters:
|
|
#
|
|
# 1 - 'audit' or '-'. Default is '-' which means don't audit in builtin
|
|
# actions.
|
|
# 2 - Action to take with Auth requests. Default is to do nothing special
|
|
# with them.
|
|
# 3 - Action to take with SMB requests. Default is DROP or A_DROP,
|
|
# depending on the setting of the first parameter.
|
|
# 4 - Action to take with required ICMP packets. Default is ACCEPT or
|
|
# A_ACCEPT depending on the first parameter.
|
|
# 5 - Action to take with late UDP replies (UDP source port 53). Default
|
|
# is DROP or A_DROP depending on the first parameter.
|
|
#
|
|
# IF YOU ARE HAVING CONNECTION PROBLEMS, CHANGING THIS FILE WON'T HELP!!!!!!!!!
|
|
#
|
|
###############################################################################
|
|
?FORMAT 2
|
|
#
|
|
# The following magic provides different defaults for @2 thru @5, when @1 is
|
|
# 'audit'.
|
|
#
|
|
?BEGIN PERL;
|
|
use Shorewall::Config;
|
|
|
|
my ( $p1, $p2, $p3 , $p4, $p5 ) = get_action_params( 5 );
|
|
|
|
if ( defined $p1 ) {
|
|
if ( $p1 eq 'audit' ) {
|
|
set_action_param( 3, 'A_DROP') unless supplied $p3;
|
|
set_action_param( 4, 'A_ACCEPT' ) unless supplied $p4;
|
|
set_action_param( 5, 'A_DROP' ) unless supplied $p5;
|
|
} else {
|
|
fatal_error "Invalid value ($p1) for first Drop parameter" if supplied $p1;
|
|
}
|
|
}
|
|
|
|
1;
|
|
|
|
?END PERL;
|
|
|
|
DEFAULTS -,-,DROP,ACCEPT,DROP
|
|
|
|
#TARGET SOURCE DEST PROTO DPORT SPORT
|
|
#
|
|
# Count packets that come through here
|
|
#
|
|
COUNT
|
|
#
|
|
# Special Handling for Auth
|
|
#
|
|
?if @2 ne '-'
|
|
Auth(@2)
|
|
?endif
|
|
#
|
|
# Don't log broadcasts
|
|
#
|
|
Broadcast(DROP,@1)
|
|
#
|
|
# ACCEPT critical ICMP types
|
|
#
|
|
AllowICMPs(@4) - - icmp
|
|
#
|
|
# Drop packets that are in the INVALID state -- these are usually ICMP packets
|
|
# and just confuse people when they appear in the log.
|
|
#
|
|
Invalid(DROP,@1)
|
|
#
|
|
# Drop Microsoft noise so that it doesn't clutter up the log.
|
|
#
|
|
SMB(@3)
|
|
DropUPnP(@5)
|
|
#
|
|
# Drop 'newnotsyn' traffic so that it doesn't get logged.
|
|
#
|
|
NotSyn(DROP,@1) - - tcp
|
|
#
|
|
# Drop late-arriving DNS replies. These are just a nuisance and clutter up
|
|
# the log.
|
|
#
|
|
DropDNSrep(@5)
|