- # same as shorewall 'Reject', which is equal to Reject,
- # but REJECT/DROP some packages to reduce logging,
- # and ACCEPT critical ICMP types
- { action => 'PVEFW-reject', proto => 'tcp', dport => '43' }, # REJECT 'auth'
- # we are not interested in BROADCAST/MULTICAST/ANYCAST
- { action => 'PVEFW-DropBroadcast' },
- # ACCEPT critical ICMP types
- { action => 'ACCEPT', proto => 'icmpv6', dport => 'destination-unreachable' },
- { action => 'ACCEPT', proto => 'icmpv6', dport => 'time-exceeded' },
- { action => 'ACCEPT', proto => 'icmpv6', dport => 'packet-too-big' },
-
- # Drop packets with INVALID state
- "-m conntrack --ctstate INVALID -j DROP",
- # Drop Microsoft SMB noise
- { action => 'PVEFW-reject', proto => 'udp', dport => '135,445', nbdport => 2 },
- { action => 'PVEFW-reject', proto => 'udp', dport => '137:139'},
- { action => 'PVEFW-reject', proto => 'udp', dport => '1024:65535', sport => 137 },
- { action => 'PVEFW-reject', proto => 'tcp', dport => '135,139,445', nbdport => 3 },
- { action => 'DROP', proto => 'udp', dport => 1900 }, # UPnP
- # Drop new/NotSyn traffic so that it doesn't get logged
- "-p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -j DROP",
- # Drop DNS replies
- { action => 'DROP', proto => 'udp', sport => 53 },
+ # same as shorewall 'Reject', which is equal to Reject,
+ # but REJECT/DROP some packages to reduce logging,
+ # and ACCEPT critical ICMP types
+ { action => 'PVEFW-reject', proto => 'tcp', dport => '43' }, # REJECT 'auth'
+ # we are not interested in BROADCAST/MULTICAST/ANYCAST
+ { action => 'PVEFW-DropBroadcast' },
+ # ACCEPT critical ICMP types
+ { action => 'ACCEPT', proto => 'icmpv6', dport => 'destination-unreachable' },
+ { action => 'ACCEPT', proto => 'icmpv6', dport => 'time-exceeded' },
+ { action => 'ACCEPT', proto => 'icmpv6', dport => 'packet-too-big' },
+ # Drop packets with INVALID state
+ { action => 'DROP', match => '-m conntrack --ctstate INVALID', },
+ # Drop Microsoft SMB noise
+ { action => 'PVEFW-reject', proto => 'udp', dport => '135,445' },
+ { action => 'PVEFW-reject', proto => 'udp', dport => '137:139' },
+ { action => 'PVEFW-reject', proto => 'udp', dport => '1024:65535', sport => 137 },
+ { action => 'PVEFW-reject', proto => 'tcp', dport => '135,139,445' },
+ { action => 'DROP', proto => 'udp', dport => 1900 }, # UPnP
+ # Drop new/NotSyn traffic so that it doesn't get logged
+ { action => 'DROP', match => '-p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN' },
+ # Drop DNS replies
+ { action => 'DROP', proto => 'udp', sport => 53 },