/usr/share/shorewall6/action.Reject is in shorewall6 5.0.4-1.
This file is owned by root:root, with mode 0o644.
The actual contents of the file can be viewed below.
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 | #
# Shorewall6 version 5 - Reject Action
#
# /usr/share/shorewall6/action.Reject
#
# The default REJECT action common rules
#
# This action is invoked before a REJECT policy is enforced. The purpose
# of the action is:
#
# a) Avoid logging lots of useless cruft.
# b) Ensure that certain ICMP packets that are necessary for successful
# internet operation are always ACCEPTed.
#
# The action accepts five optional parameters:
#
# 1 - 'audit' or '-'. Default is '-' which means don't audit in builtin
# actions.
# 2 - Action to take with Auth requests. Default is REJECT or A_REJECT,
# depending on the setting of the first parameter.
# 3 - Action to take with SMB requests. Default is REJECT or A_REJECT,
# depending on the setting of the first parameter.
# 4 - Action to take with required ICMP packets. Default is ACCEPT or
# A_ACCEPT depending on the first parameter.
# 5 - Action to take with late UDP replies (UDP source port 53). Default
# is DROP or A_DROP depending on the first parameter.
#
# IF YOU ARE HAVING CONNECTION PROBLEMS, CHANGING THIS FILE WON'T HELP!!!!!!!!!
###############################################################################
#
# The following magic provides different defaults for $2 thru $5, when $1 is
# 'audit'.
#
?begin perl;
use Shorewall::Config;
my ( $p1, $p2, $p3 , $p4, $p5 ) = get_action_params( 5 );
if ( defined $p1 ) {
if ( $p1 eq 'audit' ) {
set_action_param( 2, 'A_REJECT') unless supplied $p2;
set_action_param( 3, 'A_REJECT') unless supplied $p3;
set_action_param( 4, 'A_ACCEPT' ) unless supplied $p4;
set_action_param( 5, 'A_DROP' ) unless supplied $p5;
} else {
fatal_error "Invalid value ($p1) for first Reject parameter" if supplied $p1;
}
}
1;
?end perl;
DEFAULTS -,REJECT,REJECT,ACCEPT,DROP
#TARGET SOURCE DEST PROTO
#
# Don't log 'auth' -- REJECT
#
Auth($2)
#
# Drop Multicasts so they don't clutter up the log
# (broadcasts must *not* be rejected).
#
AllowICMPs($4) - - ipv6-icmp
#
# Drop Broadcasts so they don't clutter up the log
# (broadcasts must *not* be rejected).
#
Broadcast(DROP,$1)
#
# Drop packets that are in the INVALID state -- these are usually ICMP packets
# and just confuse people when they appear in the log (these ICMPs cannot be
# rejected).
#
Invalid(DROP,$1)
#
# Reject Microsoft noise so that it doesn't clutter up the log.
#
SMB($3)
#
# Drop 'newnotsyn' traffic so that it doesn't get logged.
#
NotSyn(DROP,$1) - - tcp
#
# Drop late-arriving DNS replies. These are just a nuisance and clutter up
# the log.
#
DropDNSrep($5)
|