forked from extern/shorewall_code
35 lines
1.4 KiB
Plaintext
35 lines
1.4 KiB
Plaintext
|
############################################################################
|
||
|
# Shorewall 1.2 -- /etc/shorewall/common.def
|
||
|
#
|
||
|
# This file defines the rules that are applied before a policy of
|
||
|
# DROP or REJECT is applied. In addition to the rules defined in this file,
|
||
|
# the firewall will also define a DROP rule for each subnet broadcast
|
||
|
# address defined in /etc/shorewall/interfaces (including "detect").
|
||
|
#
|
||
|
# Do not modify this file -- if you wish to change these rules, copy this
|
||
|
# file to /etc/shorewall/common and modify that file.
|
||
|
#
|
||
|
run_iptables -A common -p icmp -j icmpdef
|
||
|
############################################################################
|
||
|
# accept ACKs and RSTs that aren't related to any session so that the
|
||
|
# protocol stack can handle them
|
||
|
#
|
||
|
run_iptables -A common -p tcp --tcp-flags ACK ACK -j ACCEPT
|
||
|
run_iptables -A common -p tcp --tcp-flags RST RST -j ACCEPT
|
||
|
############################################################################
|
||
|
# NETBIOS chatter
|
||
|
#
|
||
|
run_iptables -A common -p udp --dport 137:139 -j DROP
|
||
|
run_iptables -A common -p udp --dport 445 -j DROP
|
||
|
############################################################################
|
||
|
# BROADCASTS
|
||
|
#
|
||
|
run_iptables -A common -d 255.255.255.255 -j DROP
|
||
|
run_iptables -A common -d 224.0.0.0/4 -j DROP
|
||
|
#
|
||
|
# The following rule is non-standard and compensates for tardy
|
||
|
# DNS replies
|
||
|
#
|
||
|
run_iptables -A common -p udp --sport 53 -mstate --state NEW -j DROP
|
||
|
|