macro.drop

sharewall is very good

#
# Shorewall version 4 - Drop Macro
#
# /usr/share/shorewall/macro.Drop
#
#	This macro generates the same rules as the Drop default action
#	It is used in place of action.Drop when USE_ACTIONS=No.
#
#	Example:
#
#		Drop	net	all
#
###############################################################################
#ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	RATE	USER/
#				PORT(S)	PORT(S)	LIMIT	GROUP
#
# Don't log 'auth' REJECT
#
REJECT	-	-	tcp	113
#
# Drop Broadcasts so they don't clutter up the log
# (broadcasts must *not* be rejected).
#
dropBcast
#
# ACCEPT critical ICMP types
#
ACCEPT	-	-	icmp	fragmentation-needed
ACCEPT	-	-	icmp	time-exceeded
#
# Drop packets that are in the INVALID state -- these are usually ICMP packets
# and just confuse people when they appear in the log (these ICMPs cannot be
# rejected).
#
dropInvalid
#
# Drop Microsoft noise so that it doesn't clutter up the log.
#
DROP	-	-	udp	135,445
DROP	-	-	udp	137:139
DROP	-	-	udp	1024:	137
DROP	-	-	tcp	135,139,445
DROP	-	-	udp	1900
#
# Drop 'newnotsyn' traffic so that it doesn't get logged.
#
dropNotSyn
#
# Drop late-arriving DNS replies. These are just a nuisance and clutter up
# the log.
#
DROP	-	-	udp	-	53
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE