shorewall_code/Samples/one-interface/policy

106 lines
4.0 KiB
Plaintext
Raw Normal View History

#
# Shorewall version 3.2 - Sample Policy File for one-interface configuration.
# Copyright (C) 2006 by the Shorewall Team
#
# This library is free software; you can redistribute it and/or
# modify it under the terms of the GNU Lesser General Public
# License as published by the Free Software Foundation; either
# version 2.1 of the License, or (at your option) any later version.
#
# See the file README.txt for further details.
#
#
# /etc/shorewall/policy
#
# THE ORDER OF ENTRIES IN THIS FILE IS IMPORTANT
#
# This file determines what to do with a new connection request if we
# don't get a match from the /etc/shorewall/rules file . For each
# source/destination pair, the file is processed in order until a
# match is found ("all" will match any client or server).
#
# INTRA-ZONE POLICIES ARE PRE-DEFINED
#
# For $FW and for all of the zoned defined in /etc/shorewall/zones,
# the POLICY for connections from the zone to itself is ACCEPT (with no
# logging or TCP connection rate limiting but may be overridden by an
# entry in this file. The overriding entry must be explicit (cannot use
# "all" in the SOURCE or DEST).
#
# Similarly, if you have IMPLICIT_CONTINUE=Yes in shorewall.conf, then
# the implicit policy to/from any sub-zone is CONTINUE. These implicit
# CONTINUE policies may also be overridden by an explicit entry in this
# file.
#
# Columns are:
#
# SOURCE Source zone. Must be the name of a zone defined
# in /etc/shorewall/zones, $FW or "all".
#
# DEST Destination zone. Must be the name of a zone defined
# in /etc/shorewall/zones, $FW or "all"
#
# POLICY Policy if no match from the rules file is found. Must
# be "ACCEPT", "DROP", "REJECT", "CONTINUE" or "NONE".
#
# ACCEPT - Accept the connection
# DROP - Ignore the connection request
# REJECT - For TCP, send RST. For all other,
# send "port unreachable" ICMP.
# QUEUE - Send the request to a user-space
# application using the QUEUE target.
# CONTINUE - Pass the connection request past
# any other rules that it might also
# match (where the source or
# destination zone in those rules is
# a superset of the SOURCE or DEST
# in this policy).
# NONE - Assume that there will never be any
# packets from this SOURCE
# to this DEST. Shorewall will not set
# up any infrastructure to handle such
# packets and you may not have any
# rules with this SOURCE and DEST in
# the /etc/shorewall/rules file. If
# such a packet _is_ received, the
# result is undefined. NONE may not be
# used if the SOURCE or DEST columns
# contain the firewall zone ($FW) or
# "all".
#
# If this column contains ACCEPT, DROP or REJECT and a
# corresponding common action is defined in
# /etc/shorewall/actions (or
# /usr/share/shorewall/actions.std) then that action
# will be invoked before the policy named in this column
# is enforced.
#
# LOG LEVEL If supplied, each connection handled under the default
# POLICY is logged at that level. If not supplied, no
# log message is generated. See syslog.conf(5) for a
# description of log levels.
#
# Beginning with Shorewall version 1.3.12, you may
# also specify ULOG (must be in upper case). This will
# log to the ULOG target and sent to a separate log
# through use of ulogd
# (http://www.gnumonks.org/projects/ulogd).
#
# If you don't want to log but need to specify the
# following column, place "-" here.
#
# LIMIT:BURST If passed, specifies the maximum TCP connection rate
# and the size of an acceptable burst. If not specified,
# TCP connections are not limited.
#
# See http://shorewall.net/Documentation.htm#Policy for additional information.
#
###############################################################################
#SOURCE DEST POLICY LOG LEVEL LIMIT:BURST
$FW net ACCEPT
net $FW DROP info
net all DROP info
# The FOLLOWING POLICY MUST BE LAST
all all REJECT info
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE