# # Shorewall version 3.4 - Sample Policy File for three-interface configuration. # Copyright (C) 2006 by the Shorewall Team # # This library is free software; you can redistribute it and/or # modify it under the terms of the GNU Lesser General Public # License as published by the Free Software Foundation; either # version 2.1 of the License, or (at your option) any later version. # # See the file README.txt for further details. # # # /etc/shorewall/policy # # THE ORDER OF ENTRIES IN THIS FILE IS IMPORTANT # # This file determines what to do with a new connection request if we # don't get a match from the /etc/shorewall/rules file . For each # source/destination pair, the file is processed in order until a # match is found ("all" will match any client or server). # # INTRA-ZONE POLICIES ARE PRE-DEFINED # # For $FW and for all of the zoned defined in /etc/shorewall/zones, # the POLICY for connections from the zone to itself is ACCEPT (with no # logging or TCP connection rate limiting but may be overridden by an # entry in this file. The overriding entry must be explicit (cannot use # "all" in the SOURCE or DEST). # # Similarly, if you have IMPLICIT_CONTINUE=Yes in shorewall.conf, then # the implicit policy to/from any sub-zone is CONTINUE. These implicit # CONTINUE policies may also be overridden by an explicit entry in this # file. # # Columns are: # # SOURCE Source zone. Must be the name of a zone defined # in /etc/shorewall/zones, $FW or "all". # # DEST Destination zone. Must be the name of a zone defined # in /etc/shorewall/zones, $FW or "all" # # POLICY Policy if no match from the rules file is found. Must # be "ACCEPT", "DROP", "REJECT", "CONTINUE" or "NONE". # # ACCEPT - Accept the connection # DROP - Ignore the connection request # REJECT - For TCP, send RST. For all other, # send "port unreachable" ICMP. # QUEUE - Send the request to a user-space # application using the QUEUE target. # CONTINUE - Pass the connection request past # any other rules that it might also # match (where the source or # destination zone in those rules is # a superset of the SOURCE or DEST # in this policy). # NONE - Assume that there will never be any # packets from this SOURCE # to this DEST. Shorewall will not set # up any infrastructure to handle such # packets and you may not have any # rules with this SOURCE and DEST in # the /etc/shorewall/rules file. If # such a packet _is_ received, the # result is undefined. NONE may not be # used if the SOURCE or DEST columns # contain the firewall zone ($FW) or # "all". # # If this column contains ACCEPT, DROP or REJECT and a # corresponding common action is defined in # /etc/shorewall/actions (or # /usr/share/shorewall/actions.std) then that action # will be invoked before the policy named in this column # is enforced. # # LOG LEVEL If supplied, each connection handled under the default # POLICY is logged at that level. If not supplied, no # log message is generated. See syslog.conf(5) for a # description of log levels. # # Beginning with Shorewall version 1.3.12, you may # also specify ULOG (must be in upper case). This will # log to the ULOG target and sent to a separate log # through use of ulogd # (http://www.gnumonks.org/projects/ulogd). # # If you don't want to log but need to specify the # following column, place "-" here. # # LIMIT:BURST If passed, specifies the maximum TCP connection rate # and the size of an acceptable burst. If not specified, # TCP connections are not limited. # # See http://shorewall.net/Documentation.htm#Policy for additional information. # ############################################################################### #SOURCE DEST POLICY LOG LEVEL LIMIT:BURST # # Note about policies and logging: # This file contains an explicit policy for every combination of # zones defined in this sample. This is solely for the purpose of # providing more specific messages in the logs. This is not # necessary for correct operation of the firewall, but greatly # assists in diagnosing problems. # # # Policies for traffic originating from the local LAN (loc) # # If you want to force clients to access the Internet via a proxy server # in your DMZ, change the following policy to REJECT info. loc net ACCEPT # If you want open access to DMZ from loc, change the following policy # to ACCEPT. (If you chose not to do this, you will need to add a rule # for each service in the rules file.) loc dmz REJECT info loc $FW REJECT info loc all REJECT info # # Policies for traffic originating from the firewall ($FW) # # If you want open access to the Internet from your firewall, change the # $FW to net policy to ACCEPT and remove the 'info' LOG LEVEL. $FW net REJECT info $FW dmz REJECT info $FW loc REJECT info $FW all REJECT info # # Policies for traffic originating from the De-Militarized Zone (dmz) # # If you want open access from DMZ to the Internet change the following # policy to ACCEPT. This may be useful if you run a proxy server in # your DMZ. dmz net REJECT info dmz $FW REJECT info dmz loc REJECT info dmz all REJECT info # # Policies for traffic originating from the Internet zone (net) # net dmz DROP info net $FW DROP info net loc DROP info net all DROP info # THE FOLLOWING POLICY MUST BE LAST all all REJECT info #LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE