# # Shorewall 2.2 -- Sample Policy File For One Interface # # /etc/shorewall/policy # # THE ORDER OF ENTRYS IN THIS FILE IS IMPORTANT! # # This file determines what to do with a new connection request if we # don't get a match from the /etc/shorewall/rules file For each # source/destination pair, the file is processed in order until a # match is found ("all" will match any client or server). # # Columns are: # # SOURCE Source zone. Must be the name of a zone defined # in /etc/shorewall/zones, $FW or "all". # # DEST Destination zone. Must be the name of a zone defined # in /etc/shorewall/zones, $FW or "all" # # POLICY Policy if no match from the rules file is found. Must # be "ACCEPT", "DROP", "REJECT", "CONTINUE" or "NONE" # # ACCEPT # Accept the connection # DROP # Ignore the connection request. # REJECT # For TCP, send RST. For all other, send # "port unreachable" ICMP. # CONTINUE # Pass the connection request past # any other rules that it might also # match (where the source or destination # zone in those rules is a superset of # the SOURCE or DEST in this policy) # NONE # Assume that there will never be any # packets from this SOURCE to this # DEST. Shorewall will not set up any # infrastructure to handle such packets # and you may not have any rules with # this SOURCE and DEST in the /etc/shorewall/rules # file. If such a packet is received the result # is undefined. NONE may not be used if the # SOURCE or DEST columns contain the firewall # zone ($FW) or "all". # # If this column contains ACCEPT, DROP or REJECT and a # corresonding common action is defined in # /etc/shorewall/actions (or /usr/share/shorewall/actions.std) # then that action will be invoked before the policy named in # this column is inforced. # # LOG LEVEL If supplied, each connection handled under the default # POLICY is logged at that level. If not supplied, no # log message is generated. See syslog.conf(5) for a # description of log levels. # # Beginning with Shorewall version 1.3.12, you may # also specify ULOG (must be in upper case). This will # log to the ULOG target and sent to a separate log # through use of ulogd (http://www.gnumonks.org/projects/ulogd). # # If you don't want to log but need to specify the # following column, place "_" here. # # LIMIT:BURST If passed, specifies the maximum TCP connection rate # and the size of an acceptable burst. If not specified, # TCP connections are not limited. # # As shipped, the default policies are: # # a) All connections from the Firewall to the Internet are allowed # b) All connections from the Internet are ignored but logged at syslog # level KERNEL.INFO. # d) All other connection requests are rejected and logged at level # KERNEL.INFO. ############################################################################### #SOURCE DEST POLICY LOG LEVEL LIMIT:BURST fw net ACCEPT net all DROP info # The FOLLOWING POLICY MUST BE LAST all all REJECT info #LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE