Chain INPUT (policy DROP)
target prot opt source destination
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
input_ext all -- anywhere anywhere
input_int all -- anywhere anywhere
LOG all -- anywhere anywhere limit: avg 3/min burst 5 LOG level warning tcp-options ip-options prefix `SFW2-IN-ILL-TARGET '
DROP all -- anywhere anywhere
Chain FORWARD (policy DROP)
target prot opt source destination
TCPMSS tcp -- anywhere anywhere tcp flags:SYN,RST/SYN TCPMSS clamp to PMTU
TCPMSS tcp -- anywhere anywhere tcp flags:SYN,RST/SYN TCPMSS clamp to PMTU
forward_ext all -- anywhere anywhere
forward_int all -- anywhere anywhere
LOG all -- anywhere anywhere limit: avg 3/min burst 5 LOG level warning tcp-options ip-options prefix `SFW2-FWD-ILL-ROUTING '
DROP all -- anywhere anywhere
Chain OUTPUT (policy DROP)
target prot opt source destination
ACCEPT all -- anywhere anywhere
LOG icmp -- anywhere anywhere limit: avg 3/min burst 5 icmp time-exceeded LOG level warning tcp-options ip-options prefix `SFW2-OUT-TRACERT-ATTEMPT '
ACCEPT icmp -- anywhere anywhere icmp time-exceeded
ACCEPT icmp -- anywhere anywhere icmp port-unreachable
ACCEPT icmp -- anywhere anywhere icmp fragmentation-needed
ACCEPT icmp -- anywhere anywhere icmp network-prohibited
ACCEPT icmp -- anywhere anywhere icmp host-prohibited
ACCEPT icmp -- anywhere anywhere icmp communication-prohibited
DROP icmp -- anywhere anywhere icmp destination-unreachable
ACCEPT all -- anywhere anywhere state NEW,RELATED,ESTABLISHED
LOG all -- anywhere anywhere limit: avg 3/min burst 5 LOG level warning tcp-options ip-options prefix `SFW2-OUT-ERROR '
Chain forward_dmz (0 references)
target prot opt source destination
LOG all -- anywhere anywhere limit: avg 3/min burst 5 state INVALID LOG level warning tcp-options ip-options prefix `SFW2-FWDdmz-DROP-DEFLT-INV '
DROP all -- anywhere anywhere state INVALID
ACCEPT icmp -- anywhere anywhere state RELATED icmp destination-unreachable
ACCEPT icmp -- anywhere anywhere state RELATED,ESTABLISHED icmp echo-reply
ACCEPT all -- anywhere anywhere state NEW,RELATED,ESTABLISHED
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
LOG tcp -- anywhere anywhere limit: avg 3/min burst 5 tcp flags:SYN,RST,ACK/SYN LOG level warning tcp-options ip-options prefix `SFW2-FWDdmz-DROP-DEFLT '
LOG icmp -- anywhere anywhere limit: avg 3/min burst 5 icmp source-quench LOG level warning tcp-options ip-options prefix `SFW2-FWDdmz-DROP-ICMP-CRIT '
LOG icmp -- anywhere anywhere limit: avg 3/min burst 5 icmp redirect LOG level warning tcp-options ip-options prefix `SFW2-FWDdmz-DROP-ICMP-CRIT '
LOG icmp -- anywhere anywhere limit: avg 3/min burst 5 icmp echo-request LOG level warning tcp-options ip-options prefix `SFW2-FWDdmz-DROP-ICMP-CRIT '
LOG icmp -- anywhere anywhere limit: avg 3/min burst 5 icmp timestamp-request LOG level warning tcp-options ip-options prefix `SFW2-FWDdmz-DROP-ICMP-CRIT '
LOG icmp -- anywhere anywhere limit: avg 3/min burst 5 icmp address-mask-request LOG level warning tcp-options ip-options prefix `SFW2-FWDdmz-DROP-ICMP-CRIT '
LOG icmp -- anywhere anywhere limit: avg 3/min burst 5 icmp type 2 LOG level warning tcp-options ip-options prefix `SFW2-FWDdmz-DROP-ICMP-CRIT '
LOG udp -- anywhere anywhere limit: avg 3/min burst 5 LOG level warning tcp-options ip-options prefix `SFW2-FWDdmz-DROP-DEFLT '
DROP all -- anywhere anywhere
Chain forward_ext (1 references)
target prot opt source destination
LOG all -- anywhere anywhere limit: avg 3/min burst 5 state INVALID LOG level warning tcp-options ip-options prefix `SFW2-FWDext-DROP-DEFLT-INV '
DROP all -- anywhere anywhere state INVALID
ACCEPT icmp -- anywhere anywhere state RELATED icmp destination-unreachable
ACCEPT icmp -- anywhere anywhere state RELATED,ESTABLISHED icmp echo-reply
ACCEPT all -- anywhere anywhere state NEW,RELATED,ESTABLISHED
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
LOG tcp -- anywhere anywhere limit: avg 3/min burst 5 tcp flags:SYN,RST,ACK/SYN LOG level warning tcp-options ip-options prefix `SFW2-FWDext-DROP-DEFLT '
LOG icmp -- anywhere anywhere limit: avg 3/min burst 5 icmp source-quench LOG level warning tcp-options ip-options prefix `SFW2-FWDext-DROP-ICMP-CRIT '
LOG icmp -- anywhere anywhere limit: avg 3/min burst 5 icmp redirect LOG level warning tcp-options ip-options prefix `SFW2-FWDext-DROP-ICMP-CRIT '
LOG icmp -- anywhere anywhere limit: avg 3/min burst 5 icmp echo-request LOG level warning tcp-options ip-options prefix `SFW2-FWDext-DROP-ICMP-CRIT '
LOG icmp -- anywhere anywhere limit: avg 3/min burst 5 icmp timestamp-request LOG level warning tcp-options ip-options prefix `SFW2-FWDext-DROP-ICMP-CRIT '
LOG icmp -- anywhere anywhere limit: avg 3/min burst 5 icmp address-mask-request LOG level warning tcp-options ip-options prefix `SFW2-FWDext-DROP-ICMP-CRIT '
LOG icmp -- anywhere anywhere limit: avg 3/min burst 5 icmp type 2 LOG level warning tcp-options ip-options prefix `SFW2-FWDext-DROP-ICMP-CRIT '
LOG udp -- anywhere anywhere limit: avg 3/min burst 5 LOG level warning tcp-options ip-options prefix `SFW2-FWDext-DROP-DEFLT '
DROP all -- anywhere anywhere
Chain forward_int (1 references)
target prot opt source destination
LOG all -- anywhere anywhere limit: avg 3/min burst 5 state INVALID LOG level warning tcp-options ip-options prefix `SFW2-FWDint-DROP-DEFLT-INV '
DROP all -- anywhere anywhere state INVALID
ACCEPT icmp -- anywhere anywhere state RELATED icmp destination-unreachable
ACCEPT icmp -- anywhere anywhere state RELATED,ESTABLISHED icmp echo-reply
ACCEPT all -- anywhere anywhere state NEW,RELATED,ESTABLISHED
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
LOG tcp -- anywhere anywhere limit: avg 3/min burst 5 tcp flags:SYN,RST,ACK/SYN LOG level warning tcp-options ip-options prefix `SFW2-FWDint-DROP-DEFLT '
LOG icmp -- anywhere anywhere limit: avg 3/min burst 5 icmp source-quench LOG level warning tcp-options ip-options prefix `SFW2-FWDint-DROP-ICMP-CRIT '
LOG icmp -- anywhere anywhere limit: avg 3/min burst 5 icmp redirect LOG level warning tcp-options ip-options prefix `SFW2-FWDint-DROP-ICMP-CRIT '
LOG icmp -- anywhere anywhere limit: avg 3/min burst 5 icmp echo-request LOG level warning tcp-options ip-options prefix `SFW2-FWDint-DROP-ICMP-CRIT '
LOG icmp -- anywhere anywhere limit: avg 3/min burst 5 icmp timestamp-request LOG level warning tcp-options ip-options prefix `SFW2-FWDint-DROP-ICMP-CRIT '
LOG icmp -- anywhere anywhere limit: avg 3/min burst 5 icmp address-mask-request LOG level warning tcp-options ip-options prefix `SFW2-FWDint-DROP-ICMP-CRIT '
LOG icmp -- anywhere anywhere limit: avg 3/min burst 5 icmp type 2 LOG level warning tcp-options ip-options prefix `SFW2-FWDint-DROP-ICMP-CRIT '
LOG udp -- anywhere anywhere limit: avg 3/min burst 5 LOG level warning tcp-options ip-options prefix `SFW2-FWDint-DROP-DEFLT '
DROP all -- anywhere anywhere
Chain input_dmz (0 references)
target prot opt source destination
DROP all -- anywhere anywhere PKTTYPE = broadcast
ACCEPT icmp -- anywhere anywhere icmp source-quench
ACCEPT icmp -- anywhere anywhere icmp echo-request
ACCEPT icmp -- anywhere anywhere state RELATED,ESTABLISHED icmp echo-reply
ACCEPT icmp -- anywhere anywhere state RELATED,ESTABLISHED icmp destination-unreachable
ACCEPT icmp -- anywhere anywhere state RELATED,ESTABLISHED icmp time-exceeded
ACCEPT icmp -- anywhere anywhere state RELATED,ESTABLISHED icmp parameter-problem
ACCEPT icmp -- anywhere anywhere state RELATED,ESTABLISHED icmp timestamp-reply
ACCEPT icmp -- anywhere anywhere state RELATED,ESTABLISHED icmp address-mask-reply
LOG all -- anywhere anywhere limit: avg 3/min burst 5 state INVALID LOG level warning tcp-options ip-options prefix `SFW2-INdmz-DROP-DEFLT-INV '
DROP all -- anywhere anywhere state INVALID
LOG tcp -- anywhere anywhere limit: avg 3/min burst 5 tcp flags:SYN,RST,ACK/SYN LOG level warning tcp-options ip-options prefix `SFW2-INdmz-DROP-DEFLT '
LOG icmp -- anywhere anywhere limit: avg 3/min burst 5 icmp source-quench LOG level warning tcp-options ip-options prefix `SFW2-INdmz-DROP-ICMP-CRIT '
LOG icmp -- anywhere anywhere limit: avg 3/min burst 5 icmp redirect LOG level warning tcp-options ip-options prefix `SFW2-INdmz-DROP-ICMP-CRIT '
LOG icmp -- anywhere anywhere limit: avg 3/min burst 5 icmp echo-request LOG level warning tcp-options ip-options prefix `SFW2-INdmz-DROP-ICMP-CRIT '
LOG icmp -- anywhere anywhere limit: avg 3/min burst 5 icmp timestamp-request LOG level warning tcp-options ip-options prefix `SFW2-INdmz-DROP-ICMP-CRIT '
LOG icmp -- anywhere anywhere limit: avg 3/min burst 5 icmp address-mask-request LOG level warning tcp-options ip-options prefix `SFW2-INdmz-DROP-ICMP-CRIT '
LOG icmp -- anywhere anywhere limit: avg 3/min burst 5 icmp type 2 LOG level warning tcp-options ip-options prefix `SFW2-INdmz-DROP-ICMP-CRIT '
LOG udp -- anywhere anywhere limit: avg 3/min burst 5 LOG level warning tcp-options ip-options prefix `SFW2-INdmz-DROP-DEFLT '
DROP all -- anywhere anywhere
Chain input_ext (1 references)
target prot opt source destination
DROP all -- anywhere anywhere PKTTYPE = broadcast
ACCEPT icmp -- anywhere anywhere icmp source-quench
ACCEPT icmp -- anywhere anywhere icmp echo-request
ACCEPT icmp -- anywhere anywhere state RELATED,ESTABLISHED icmp echo-reply
ACCEPT icmp -- anywhere anywhere state RELATED,ESTABLISHED icmp destination-unreachable
ACCEPT icmp -- anywhere anywhere state RELATED,ESTABLISHED icmp time-exceeded
ACCEPT icmp -- anywhere anywhere state RELATED,ESTABLISHED icmp parameter-problem
ACCEPT icmp -- anywhere anywhere state RELATED,ESTABLISHED icmp timestamp-reply
ACCEPT icmp -- anywhere anywhere state RELATED,ESTABLISHED icmp address-mask-reply
LOG all -- anywhere anywhere limit: avg 3/min burst 5 state INVALID LOG level warning tcp-options ip-options prefix `SFW2-INext-DROP-DEFLT-INV '
DROP all -- anywhere anywhere state INVALID
LOG tcp -- anywhere anywhere limit: avg 3/min burst 5 tcp dpt:netbios-ssn flags:SYN,RST,ACK/SYN LOG level warning tcp-options ip-options prefix `SFW2-INext-ACC-TCP '
ACCEPT tcp -- anywhere anywhere tcp dpt:netbios-ssn
LOG tcp -- anywhere anywhere limit: avg 3/min burst 5 tcp dpt:microsoft-ds flags:SYN,RST,ACK/SYN LOG level warning tcp-options ip-options prefix `SFW2-INext-ACC-TCP '
ACCEPT tcp -- anywhere anywhere tcp dpt:microsoft-ds
LOG tcp -- anywhere anywhere limit: avg 3/min burst 5 tcp dpt:netbios-dgm flags:SYN,RST,ACK/SYN LOG level warning tcp-options ip-options prefix `SFW2-INext-ACC-TCP '
ACCEPT tcp -- anywhere anywhere tcp dpt:netbios-dgm
LOG tcp -- anywhere anywhere limit: avg 3/min burst 5 tcp dpt:netbios-ns flags:SYN,RST,ACK/SYN LOG level warning tcp-options ip-options prefix `SFW2-INext-ACC-TCP '
ACCEPT tcp -- anywhere anywhere tcp dpt:netbios-ns
LOG tcp -- anywhere anywhere limit: avg 3/min burst 5 tcp dpt:netbios-ssn flags:SYN,RST,ACK/SYN LOG level warning tcp-options ip-options prefix `SFW2-INext-ACC-TCP '
ACCEPT tcp -- anywhere anywhere tcp dpt:netbios-ssn
reject_func tcp -- anywhere anywhere tcp dpt:ident state NEW
ACCEPT udp -- anywhere anywhere udp dpt:netbios-ns
LOG tcp -- anywhere anywhere limit: avg 3/min burst 5 tcp flags:SYN,RST,ACK/SYN LOG level warning tcp-options ip-options prefix `SFW2-INext-DROP-DEFLT '
LOG icmp -- anywhere anywhere limit: avg 3/min burst 5 icmp source-quench LOG level warning tcp-options ip-options prefix `SFW2-INext-DROP-ICMP-CRIT '
LOG icmp -- anywhere anywhere limit: avg 3/min burst 5 icmp redirect LOG level warning tcp-options ip-options prefix `SFW2-INext-DROP-ICMP-CRIT '
LOG icmp -- anywhere anywhere limit: avg 3/min burst 5 icmp echo-request LOG level warning tcp-options ip-options prefix `SFW2-INext-DROP-ICMP-CRIT '
LOG icmp -- anywhere anywhere limit: avg 3/min burst 5 icmp timestamp-request LOG level warning tcp-options ip-options prefix `SFW2-INext-DROP-ICMP-CRIT '
LOG icmp -- anywhere anywhere limit: avg 3/min burst 5 icmp address-mask-request LOG level warning tcp-options ip-options prefix `SFW2-INext-DROP-ICMP-CRIT '
LOG icmp -- anywhere anywhere limit: avg 3/min burst 5 icmp type 2 LOG level warning tcp-options ip-options prefix `SFW2-INext-DROP-ICMP-CRIT '
LOG udp -- anywhere anywhere limit: avg 3/min burst 5 LOG level warning tcp-options ip-options prefix `SFW2-INext-DROP-DEFLT '
DROP all -- anywhere anywhere
Chain input_int (1 references)
target prot opt source destination
ACCEPT all -- anywhere anywhere
ACCEPT icmp -- anywhere anywhere icmp source-quench
ACCEPT icmp -- anywhere anywhere icmp echo-request
ACCEPT icmp -- anywhere anywhere state RELATED,ESTABLISHED icmp echo-reply
ACCEPT icmp -- anywhere anywhere state RELATED,ESTABLISHED icmp destination-unreachable
ACCEPT icmp -- anywhere anywhere state RELATED,ESTABLISHED icmp time-exceeded
ACCEPT icmp -- anywhere anywhere state RELATED,ESTABLISHED icmp parameter-problem
ACCEPT icmp -- anywhere anywhere state RELATED,ESTABLISHED icmp timestamp-reply
ACCEPT icmp -- anywhere anywhere state RELATED,ESTABLISHED icmp address-mask-reply
LOG all -- anywhere anywhere limit: avg 3/min burst 5 state INVALID LOG level warning tcp-options ip-options prefix `SFW2-INint-DROP-DEFLT-INV '
DROP all -- anywhere anywhere state INVALID
LOG tcp -- anywhere anywhere limit: avg 3/min burst 5 tcp flags:SYN,RST,ACK/SYN LOG level warning tcp-options ip-options prefix `SFW2-INint-DROP-DEFLT '
LOG icmp -- anywhere anywhere limit: avg 3/min burst 5 icmp source-quench LOG level warning tcp-options ip-options prefix `SFW2-INint-DROP-ICMP-CRIT '
LOG icmp -- anywhere anywhere limit: avg 3/min burst 5 icmp redirect LOG level warning tcp-options ip-options prefix `SFW2-INint-DROP-ICMP-CRIT '
LOG icmp -- anywhere anywhere limit: avg 3/min burst 5 icmp echo-request LOG level warning tcp-options ip-options prefix `SFW2-INint-DROP-ICMP-CRIT '
LOG icmp -- anywhere anywhere limit: avg 3/min burst 5 icmp timestamp-request LOG level warning tcp-options ip-options prefix `SFW2-INint-DROP-ICMP-CRIT '
LOG icmp -- anywhere anywhere limit: avg 3/min burst 5 icmp address-mask-request LOG level warning tcp-options ip-options prefix `SFW2-INint-DROP-ICMP-CRIT '
LOG icmp -- anywhere anywhere limit: avg 3/min burst 5 icmp type 2 LOG level warning tcp-options ip-options prefix `SFW2-INint-DROP-ICMP-CRIT '
LOG udp -- anywhere anywhere limit: avg 3/min burst 5 LOG level warning tcp-options ip-options prefix `SFW2-INint-DROP-DEFLT '
DROP all -- anywhere anywhere
Chain reject_func (1 references)
target prot opt source destination
REJECT tcp -- anywhere anywhere reject-with tcp-reset
REJECT udp -- anywhere anywhere reject-with icmp-port-unreachable
REJECT all -- anywhere anywhere reject-with icmp-proto-unreachable