diff --git a/Samples/one-interface/policy b/Samples/one-interface/policy
index 865f3de87..8d8d43d86 100644
--- a/Samples/one-interface/policy
+++ b/Samples/one-interface/policy
@@ -84,6 +84,8 @@
 ###############################################################################
 #SOURCE DEST POLICY LOG LEVEL LIMIT:BURST
 $FW net ACCEPT
+$FW net REJECT info
+net $FW DROP info
 net all DROP info
 # The FOLLOWING POLICY MUST BE LAST
 all all REJECT info
diff --git a/Samples/three-interfaces/policy b/Samples/three-interfaces/policy
index 4d9c2f529..e50f6166b 100644
--- a/Samples/three-interfaces/policy
+++ b/Samples/three-interfaces/policy
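Review bot: The new `$FW net REJECT info` line sits directly under the kept context line `$FW net ACCEPT`, so the one-interface sample now carries two policies for the same zone pair. As far as I recall Shorewall applies the first policy that matches (and newer releases treat a duplicate pair as a compile error), so the added line is either dead or fatal, and it also contradicts the two- and three-interface samples, where `$FW net` is `REJECT info` with a comment telling the user how to open it. Either drop the ACCEPT line so the hunk reads `-$FW net ACCEPT` / `+$FW net REJECT info`, or drop the new line and keep ACCEPT; the sample should not ship both. The `net $FW DROP info` line ahead of `net all DROP info` is fine and matches the per-pair logging intent of the other samples.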
@@ -83,14 +83,59 @@
 #
 ###############################################################################
 #SOURCE DEST POLICY LOG LEVEL LIMIT:BURST
+
+#
+# Note about policies and logging:
+# This file contains an explicit policy for every combination of
+# zones defined in this sample. This is solely for the purpose of
+# providing more specific messages in the logs. This is not
+# necessary for correct operation of the firewall, but greatly
+# assists in diagnosing problems.
+#
+
+#
+# Policies for traffic originating from the local LAN (loc)
+#
+# If you want to force clients to access the Internet via a proxy server
+# in your DMZ, change the following policy to REJECT info.
 loc net ACCEPT
-# If you want open access to the Internet from your Firewall
-# remove the comment from the following line.
-#$FW net ACCEPT
-# Also If You Wish To Open Up DMZ Access To The Internet
-# remove the comment from the following line.
-#dmz net ACCEPT
+# If you want open access to DMZ from loc, change the following policy
+# to ACCEPT. (If you chose not to do this, you will need to add a rule
+# for each service in the rules file.)
+loc dmz REJECT info
+loc $FW REJECT info
+loc all REJECT info
+
+#
+# Policies for traffic originating from the firewall ($FW)
+#
+# If you want open access to the Internet from your firewall, change the
+# following policy to ACCEPT.
+$FW net REJECT info
+$FW dmz REJECT info
+$FW loc REJECT info
+$FW all REJECT info
+
+#
+# Policies for traffic originating from the De-Militarized Zone (dmz)
+#
+# If you want open access from DMZ to the Internet change the following
+# policy to ACCEPT. This may be useful if you run a proxy server in
+# your DMZ.
+dmz net REJECT info
+dmz $FW REJECT info
+dmz loc REJECT info
+dmz all REJECT info
+
+#
+# Policies for traffic originating from the Internet zone (net)
+#
+net dmz DROP info
+net $FW DROP info
+net loc DROP info
 net all DROP info
+
 # THE FOLLOWING POLICY MUST BE LAST
 all all REJECT info
+
 #LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE
diff --git a/Samples/two-interfaces/policy b/Samples/two-interfaces/policy
index 320a0ddb7..4d1f953d1 100644
--- a/Samples/two-interfaces/policy
+++ b/Samples/two-interfaces/policy
@@ -83,11 +83,43 @@
 #
 ###############################################################################
 #SOURCE DEST POLICY LOG LEVEL LIMIT:BURST
+
+#
+# Note about policies and logging:
+# This file contains an explicit policy for every combination of
+# zones defined in this sample. This is solely for the purpose of
+# providing more specific messages in the logs. This is not
+# necessary for correct operation of the firewall, but greatly
+# assists in diagnosing problems.
+#
+
+#
+# Policies for traffic originating from the local LAN (loc)
+#
+# If you want to force clients to access the Internet via a proxy server
+# on your firewall, change the following policy to REJECT info.
 loc net ACCEPT
-# If you want open access to the Internet from your Firewall
-# remove the comment from the following line.
-#$FW net ACCEPT
+loc $FW REJECT info
+loc all REJECT info
+
+#
+# Policies for traffic originating from the firewall ($FW)
+#
+# If you want open access to the Internet from your firewall, change the
+# following policy to ACCEPT. This may be useful if you run a proxy
+# server on the firewall.
+$FW net REJECT info
+$FW loc REJECT info
+$FW all REJECT info
+
+#
+# Policies for traffic originating from the Internet zone (net)
+#
+net $FW DROP info
+net loc DROP info
 net all DROP info
+
 # THE FOLLOWING POLICY MUST BE LAST
 all all REJECT info
+
 #LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE
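Review bot: The catch-all lines `loc all REJECT info`, `$FW all REJECT info` and `dmz all REJECT info` are unreachable for the zones this sample defines, since every loc/$FW/dmz/net pair now has its own policy above them; they only take effect for a zone a user adds later. The introductory note explains that the explicit entries exist for log clarity but says nothing about what the `all` lines are for, so a reader is likely to delete them as redundant. I would put one line above the first of them, e.g. `# Catch-all for any zone you add later; keep it after the explicit policies for this source.`, or say the same in the note at the top. The ordering is not cosmetic: as far as I recall Shorewall takes the first policy that matches, so an `all` line placed above a specific one would mask it.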
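Review bot: The comment above `loc net ACCEPT` tells the reader to switch it to `REJECT info` to force clients through a proxy on the firewall, but the policy added directly below it, `loc $FW REJECT info`, then blocks the clients' connections to that proxy too, so following the comment as written cuts the LAN off entirely. The three-interface sample spells this consequence out for its loc/dmz case ("you will need to add a rule for each service in the rules file"); this one does not. I would extend the comment with `# (loc -> $FW is also REJECT below, so you will then need an ACCEPT rule for the proxy port in the rules file.)`.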