shorewall_code/Shorewall6/action.AReject
Tom Eastep c5b38de69c Add Audited Standard IPv6 Default Actions
Signed-off-by: Tom Eastep <teastep@shorewall.net>
2011-05-24 07:17:25 -07:00

51 lines
1.3 KiB
Plaintext

#
# Shorewall6 version 4 - Audited Reject Action
#
# /usr/share/shorewall6/action.AReject
#
# The audited default REJECT action common rules
#
# This action is invoked before a REJECT policy is enforced. The purpose
# of the action is:
#
# a) Avoid logging lots of useless cruft.
# b) Ensure that certain ICMP packets that are necessary for successful
# internet operation are always ACCEPTed.
#
# IF YOU ARE HAVING CONNECTION PROBLEMS, CHANGING THIS FILE WON'T HELP!!!!!!!!!
###############################################################################
#TARGET SOURCE DEST PROTO
#
# Don't log 'auth' -- REJECT
#
Auth(A_REJECT)
#
# Drop Multicasts so they don't clutter up the log
# (broadcasts must *not* be rejected).
#
AAllowICMPs - - ipv6-icmp
#
# Drop Broadcasts so they don't clutter up the log
# (broadcasts must *not* be rejected).
#
dropBcast(audit)
#
# Drop packets that are in the INVALID state -- these are usually ICMP packets
# and just confuse people when they appear in the log (these ICMPs cannot be
# rejected).
#
dropInvalid(audit)
#
# Reject Microsoft noise so that it doesn't clutter up the log.
#
SMB(A_REJECT)
#
# Drop 'newnotsyn' traffic so that it doesn't get logged.
#
dropNotSyn(audit) - - tcp
#
# Drop late-arriving DNS replies. These are just a nuisance and clutter up
# the log.
#
ADropDNSrep