# # Shorewall6 version 5 - Audited Drop Action # # /usr/share/shorewall6/action.ADrop # # The Audited default DROP common rules # # This action is invoked before a DROP policy is enforced. The purpose # of the action is: # # a) Avoid logging lots of useless cruft. # b) Ensure that 'auth' requests are rejected, even if the policy is # DROP. Otherwise, you may experience problems establishing # connections with servers that use auth. # c) Ensure that certain ICMP packets that are necessary for successful # internet operation are always ACCEPTed. # # IF YOU ARE HAVING CONNECTION PROBLEMS, CHANGING THIS FILE WON'T HELP!!!!!!!!! # ############################################################################### #TARGET SOURCE DEST PROTO DPORT SPORT # # Reject 'auth' # Auth(A_REJECT) # # ACCEPT critical ICMP types # A_AllowICMPs - - ipv6-icmp # # Drop Broadcasts so they don't clutter up the log # (broadcasts must *not* be rejected). # dropBcast(audit) # # Drop packets that are in the INVALID state -- these are usually ICMP packets # and just confuse people when they appear in the log. # dropInvalid(audit) # # Drop Microsoft noise so that it doesn't clutter up the log. # SMB(A_DROP) # # Drop 'newnotsyn' traffic so that it doesn't get logged. # dropNotSyn(audit) - - tcp # # Drop late-arriving DNS replies. These are just a nuisance and clutter up # the log. # A_DropDNSrep