[Shorewall-users] Default Actions and actions.std

Tom Eastep teastep at shorewall.net
Sat Mar 12 08:47:53 PST 2005

Matt "Cyber Dog" LaPlante wrote:
> My concern when first learning Shorewall was that these default actions
> were in fact altering the firewall and opening ports on me.  I just want
> to confirm that this is not the case.  Thanks!

Shorewall PRE-processes all actions listed in either
/usr/share/shorewall/actions.std or /etc/shorewall/actions.
Pre-processing is done to build a dependency graph and that's all.

Unless a particular action is invoked (either directly or indirectly),
it causes no Netfilter rules to be generated.

The 'Drop' and 'Reject' actions are always generated (unless you have
specified different common actions for the DROP and/or REJECT policies
respectively). These actions are designed to:

a) Cut down on the amount of clutter in your logs by silently dropping
or rejecting certain traffic (remember that it is going to be dropped or
rejected anyway).

c) Ensure correctness by allowing essential ICMP traffic and by
rejecting AUTH requests to avoid connection timeout problems to servers
that use AUTH.
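The behaviour Tom describes, modelled as an added example that is not Shorewall's own code: the action files are pre-processed into a dependency graph, and only actions reachable from the DROP/REJECT common actions or from a rule actually generate anything. The action names other than Drop and Reject, the rules file contents and the two helper functions are constructed for illustration.

```python
from collections import deque

# Constructed sample standing in for /usr/share/shorewall/actions.std,
# /etc/shorewall/actions and the action.<name> files.  Each key is an
# action name; the value lists the ACTION-column targets its own rules
# use.  Names other than Drop and Reject are illustrative, not Shorewall's.
ACTION_DEFS = {
    "Drop":          ["CommonSilent", "EssentialICMP"],
    "Reject":        ["CommonSilent", "EssentialICMP", "RejectIdent"],
    "CommonSilent":  [],
    "EssentialICMP": [],
    "RejectIdent":   [],
    "QuietDrop":     ["CommonSilent"],   # a custom common action for DROP
    "WebSrv":        ["AllowAdmin"],     # user action referenced from rules
    "AllowAdmin":    [],
    "Unused":        ["AllowAdmin"],     # listed but never invoked anywhere
}

# Constructed ACTION column of /etc/shorewall/rules.  Builtin targets such
# as ACCEPT/DROP/REJECT are not actions and contribute nothing here.
RULE_TARGETS = ["ACCEPT", "WebSrv", "DROP", "REJECT"]


def dependency_graph(defs):
    """Pre-processing step: map each action to the actions it invokes."""
    return {name: [t for t in targets if t in defs] for name, targets in defs.items()}


def invoked_actions(defs, rule_targets, drop_default="Drop", reject_default="Reject"):
    """Return the set of actions that will actually produce Netfilter rules.

    Roots are the common actions behind the DROP and REJECT policies (Drop and
    Reject unless overridden) plus every action named directly in the rules;
    everything reachable from those roots is generated, nothing else is."""
    graph = dependency_graph(defs)
    roots = [a for a in (drop_default, reject_default, *rule_targets) if a in defs]
    seen, queue = set(roots), deque(roots)
    while queue:
        for dep in graph[queue.popleft()]:
            if dep not in seen:
                seen.add(dep)
                queue.append(dep)
    return seen


if __name__ == "__main__":
    print(sorted(invoked_actions(ACTION_DEFS, RULE_TARGETS)))
    # With a different common action for the DROP policy, Drop itself is skipped.
    print(sorted(invoked_actions(ACTION_DEFS, RULE_TARGETS, drop_default="QuietDrop")))
```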

