Feature #8281

closed

Add reject as a default action for firewall mode

Added by Aneesh Patel 18 days ago. Updated 17 days ago.

Status:
Rejected
Priority:
Normal
Assignee:
-
Target version:
-
Effort:
Difficulty:
Label:
Needs Suricata-Verify test, Needs backport to 8.0

Description

Currently firewall mode has a built-in behavior where it will drop by default on no rule-matches - https://docs.suricata.io/en/latest/firewall/firewall-design.html. There are many users that would prefer to have a default fail-close behavior that results in a reject action being applied rather than a drop, which would mean Suricata would send a TCP reset, similarly to how matches on reject rules for IPS/IDS rules work in non-firewall mode. The ask here is to add a yaml-level configuration for setting the default action for firewall mode and being able to specify that to be either DROP or REJECT.


Related issues: 1 (1 open, 0 closed)

Is duplicate of Suricata - Feature #7701: firewall: configurable default policies (status: Feedback; assignee: Victor Julien)
