diff --git a/manpages/shorewall-policy.xml b/manpages/shorewall-policy.xml
new file mode 100644
index 000000000..b113994c3
--- /dev/null
+++ b/manpages/shorewall-policy.xml
@@ -0,0 +1,237 @@ + + + + shorewall-policy + + 5 + + + + policy + + Shorewall policy file + + + + + /etc/shorewall/policy + + + + + Description + + This file defines the high-level policy for connections between + zones defined in /etc/shorewall/zones. + + + The order of entries in this file is important + + This file determines what to do with a new connection request if + we don't get a match from the /etc/shorewall/rules file . For each + source/destination pair, the file is processed in order until a match is + found ("all" will match any client or server). + + + + Intra-zone policies are pre-defined + + For $FW and for all of the zoned defined in /etc/shorewall/zones, + the POLICY for connections from the zone to itself is ACCEPT (with no + logging or TCP connection rate limiting but may be overridden by an + entry in this file. The overriding entry must be explicit (cannot use + "all" in the SOURCE or DEST). + + Similarly, if you have IMPLICIT_CONTINUE=Yes in shorewall.conf, + then the implicit policy to/from any sub-zone is CONTINUE. These + implicit CONTINUE policies may also be overridden by an explicit entry + in this file. + + + The columns in the file are as follows. + + + + SOURCE + + + Source zone. Must be the name of a zone defined in + /etc/shorewall/zones, $FW or "all". + + + + + DEST + + + Destination zone. Must be the name of a zone defined in + /etc/shorewall/zones, $FW or "all" + + + + + POLICY + + + Policy if no match from the rules file is found. Must be + "ACCEPT", "DROP", "REJECT", "CONTINUE" or "NONE". + + + + ACCEPT + + + Accept the connection. + + + + + DROP + + + Ignore the connection request. + + + + + REJECT + + + For TCP, send RST. For all other, send an "unreachable" + ICMP. + + + + + CONTINUE + + + Pass the connection request past any other rules that it + might also match (where the source or destination zone in + those rules is a superset of the SOURCE or DEST in this + policy). 
+ + + + + NONE + + + Assume that there will never be any packets from this + SOURCE to this DEST. Shorewall will not create any + infrastructure to handle such packets and you may not have any + rules with this SOURCE and DEST in the /etc/shorewall/rules + file such a packet _is_ received, the result is undefined. + NONE may not be used if the SOURCE or DEST columns contain the + firewall zone ($FW) or "all". + + + + + If the policy is DROP or REJECT then the policy may be + followed by ":" and one of the following: + + + + The word "None" or "none". This causes any default action + defined in /etc/shorewall/shorewall.conf to be omitted for this + policy. + + + + The name of an action (requires that USE_ACTIONS=Yes in + shorewall.conf). That action will be invoked before the policy + is enforced. + + + + The name of a macro. The rules in that macro will be + applied before the policy is enforced. This does not require + USE_ACTIONS=Yes. + + + + + + + LOG LEVEL (Optional) + + + If supplied, each connection handled under the default POLICY + is logged at that level. If not supplied, no log message is + generated. See syslog.conf(5) for a description of log + levels. + + You may also specify ULOG (must be in upper case). This will + log to the ULOG target and sent to a separate log through use of + ulogd (http://www.gnumonks.org/projects/ulogd). + + If you don't want to log but need to specify the following + column, place "-" here. + + + + + BURST:LIMIT + + + If passed, specifies the maximum TCP connection rate and the + size of an acceptable burst. If not specified, TCP connections are + not limited. + + + + + + + Example + + + + All connections from the local network to the internet are + allowed + + + + All connections from the internet are ignored but logged at + syslog level KERNEL.INFO. + + + + All other connection requests are rejected and logged at level + KERNEL.INFO. 
+ + + + #SOURCE DEST POLICY LOG BURST:LIMIT +# LEVEL +loc net ACCEPT +net all DROP info +# +# THE FOLLOWING POLICY MUST BE LAST +# +all all REJECT info + + + + FILES + + /etc/shorewall/policy + + + + See ALSO + + http://shorewall.net/Documentation.htm#Policy + + shorewall(8), shorewall-accounting(5), shorewall-actions(5), + shorewall-blacklist(5), shorewall-hosts(5), shorewall-interfaces(5), + shorewall-ipsec(5), shorewall-maclist(5), shorewall-masq(5), + shorewall-nat(5), shorewall-netmap(5), shorewall-params(5), + shorewall-policy(5), shorewall-providers(5), shorewall-proxyarp(5), + shorewall-route_routes(5), shorewall-routestopped(5), shorewall-rules(5), + shorewall.conf(5), shorewall-tcclasses(5), shorewall-tcdevices(5), + shorewall-tcrules(5), shorewall-tos(5), shorewall-tunnels(5), + shorewall-zones(5) + + \ No newline at end of file diff --git a/manpages/shorewall-zones.xml b/manpages/shorewall-zones.xml index f3b54f0a9..0d8560855 100644 --- a/manpages/shorewall-zones.xml +++ b/manpages/shorewall-zones.xml @@ -59,7 +59,7 @@ Example: - #ZONE TYPE OPTIONS + #ZONE TYPE OPTIONS IN OPTIONS OUT OPTIONS a ipv4 b ipv4 c:a,b ipv4