# # Shorewall version 3.2 - Policy File # # /etc/shorewall/policy # # THE ORDER OF ENTRIES IN THIS FILE IS IMPORTANT # # This file determines what to do with a new connection request if we # don't get a match from the /etc/shorewall/rules file . For each # source/destination pair, the file is processed in order until a # match is found ("all" will match any client or server). # # INTRA-ZONE POLICIES ARE PRE-DEFINED # # For $FW and for all of the zoned defined in /etc/shorewall/zones, # the POLICY for connections from the zone to itself is ACCEPT (with no # logging or TCP connection rate limiting but may be overridden by an # entry in this file. The overriding entry must be explicit (cannot use # "all" in the SOURCE or DEST). # # Similarly, if you have IMPLICIT_CONTINUE=Yes in shorewall.conf, then # the implicit policy to/from any sub-zone is CONTINUE. These implicit # CONTINUE policies may also be overridden by an explicit entry in this # file. # # Columns are: # # SOURCE Source zone. Must be the name of a zone defined # in /etc/shorewall/zones, $FW or "all". # # DEST Destination zone. Must be the name of a zone defined # in /etc/shorewall/zones, $FW or "all" # # POLICY Policy if no match from the rules file is found. Must # be "ACCEPT", "DROP", "REJECT", "CONTINUE" or "NONE". # # ACCEPT - Accept the connection # DROP - Ignore the connection request # REJECT - For TCP, send RST. For all other, # send "port unreachable" ICMP. # QUEUE - Send the request to a user-space # application using the QUEUE target. # CONTINUE - Pass the connection request past # any other rules that it might also # match (where the source or # destination zone in those rules is # a superset of the SOURCE or DEST # in this policy). # NONE - Assume that there will never be any # packets from this SOURCE # to this DEST. Shorewall will not set # up any infrastructure to handle such # packets and you may not have any # rules with this SOURCE and DEST in # the /etc/shorewall/rules file. If # such a packet _is_ received, the # result is undefined. NONE may not be # used if the SOURCE or DEST columns # contain the firewall zone ($FW) or # "all". # # If USE_ACTIONS=Yes in shorewall.conf (or if that # option is not set) then if this column contains ACCEPT, # DROP, or REJECT and a corresponding default action # is defined in /etc/shorewall/actions (or # /usr/share/shorewall/actions.std) then that action # will be invoked before the policy named in this column # is enforced. # # If USE_ACTIONS=No in shorewall.conf then ACCEPT,DROP # REJECT may be optionally followed by ":" and the name # of a macro. The rules in the macro will be expanded # and packets will pass through the rules prior to # the policy being applied. # # LOG LEVEL If supplied, each connection handled under the default # POLICY is logged at that level. If not supplied, no # log message is generated. See syslog.conf(5) for a # description of log levels. # # Beginning with Shorewall version 1.3.12, you may # also specify ULOG (must be in upper case). This will # log to the ULOG target and sent to a separate log # through use of ulogd # (http://www.gnumonks.org/projects/ulogd). # # If you don't want to log but need to specify the # following column, place "-" here. # # LIMIT:BURST If passed, specifies the maximum TCP connection rate # and the size of an acceptable burst. If not specified, # TCP connections are not limited. # # Example: # # a) All connections from the local network to the internet are allowed # b) All connections from the internet are ignored but logged at syslog # level KERNEL.INFO. # d) All other connection requests are rejected and logged at level # KERNEL.INFO. # # #SOURCE DEST POLICY LOG # # LEVEL # loc net ACCEPT # net all DROP info # # # # THE FOLLOWING POLICY MUST BE LAST # # # all all REJECT info # # See http://shorewall.net/Documentation.htm#Policy for additional information. # ############################################################################### #SOURCE DEST POLICY LOG LIMIT:BURST # LEVEL #LAST LINE -- DO NOT REMOVE