#SOURCE		DEST		POLICY		LOG LEVEL	LIMIT:BURST EXT

#
# Meta-policies - no ACCEPT/DNAT rules contravening these may be defined in
# the policy or rules file.  These are not part of Shorewall and do not
# actually block any traffic; they exist to stop the firewall administrator
# from activating silly rules.  Because they do not set the Shorewall policy
# themselves, each one should always be accompanied by a corresponding
# REJECT/DROP policy (see the normal policies below).
#
# These policies are samples only and are not suggested for your
# environment.  You must decide on the policies that are right for you.
#

# Meta-policy (BAN) pairs, written as SOURCE DEST BAN.  A BAN forbids any
# ACCEPT/DNAT entry for that pair; it does not block traffic itself.
# Every pair listed here has a matching REJECT or DROP line in the normal
# policies further down - keep it that way when adding a BAN line.
# NOTE(review): BAN is not a Shorewall policy, so a separate checker
# presumably consumes these lines - confirm it runs before every reload,
# otherwise these entries enforce nothing.

# No ACCEPT/DNAT into lan from any of these zones.
guest		lan		BAN
proxy		lan		BAN
mail		lan		BAN
og		lan		BAN
net		lan		BAN

# No ACCEPT/DNAT into guest from these zones (lan is not listed).
proxy		guest		BAN
mail		guest		BAN
og		guest		BAN
net		guest		BAN

# No ACCEPT/DNAT into ig from these zones.
proxy		ig		BAN
mail		ig		BAN
og		ig		BAN
net		ig		BAN

# No ACCEPT/DNAT from net directly into proxy.
net		proxy		BAN

# No ACCEPT/DNAT into og from these zones.
proxy		og		BAN
mail		og		BAN
net		og		BAN

# The only outbound BAN: ig may never be opened towards net.
ig		net		BAN


#
# Now the normal policies.  We define each set of zone pairs individually
# so that Shorewall produces more meaningful error messages.
#

# Defaults for connections originating in lan: only lan -> guest is accepted,
# every other destination is rejected.  All lines, including the ACCEPT, log
# at level info.
# NOTE(review): lan -> net is REJECT, while lan -> guest and guest -> net are
# both ACCEPT.  Policies are evaluated per connection, so confirm that hosts
# in guest cannot forward on behalf of lan if that separation matters.
lan		guest		ACCEPT		info
lan		ig		REJECT		info
lan		proxy		REJECT		info
lan		mail		REJECT		info
lan		og		REJECT		info
lan		net		REJECT		info
lan		other		REJECT		info
# Fallback for any lan destination not named above.
lan		all		REJECT		info

# Defaults for connections originating in guest: net is the only accepted
# destination; everything else is rejected.  All lines log at level info.
# guest -> lan REJECT is the blocking policy paired with the guest/lan BAN.
guest		lan		REJECT		info
guest		ig		REJECT		info
guest		proxy		REJECT		info
guest		mail		REJECT		info
guest		og		REJECT		info
guest		net		ACCEPT		info
guest		other		REJECT		info
# Fallback for any guest destination not named above.
guest		all		REJECT		info

# Defaults for connections originating in ig: no destination is accepted by
# policy.  ig -> net REJECT is the blocking policy paired with the ig/net BAN.
# All lines log at level info.
ig		lan		REJECT		info
ig		guest		REJECT		info
ig		proxy		REJECT		info
ig		mail		REJECT		info
ig		og		REJECT		info
ig		net		REJECT		info
ig		other		REJECT		info
# Fallback for any ig destination not named above.
ig		all		REJECT		info

# Defaults for connections originating in proxy: net is the only accepted
# destination.  The REJECT lines for lan, guest, ig and og are the blocking
# policies paired with the proxy BAN entries.
proxy		lan		REJECT		info
proxy		guest		REJECT		info
proxy		ig		REJECT		info
proxy		mail		REJECT		info
proxy		og		REJECT		info
# This is the only policy line in the file without a log level, so
# connections accepted by this default are not logged by the policy.
# NOTE(review): confirm the omission is deliberate and that outbound proxy
# traffic is recorded elsewhere (e.g. the proxy's own access log).
proxy		net		ACCEPT
proxy		other		REJECT		info
# Fallback for any proxy destination not named above.
proxy		all		REJECT		info

# Defaults for connections originating in mail: no destination is accepted
# by policy, net included.  Any flow the mail zone needs must be opened by an
# explicit rule (presumably in the rules file - not shown here).
# The REJECT lines for lan, guest, ig and og pair with the mail BAN entries.
# All lines log at level info.
mail		lan		REJECT		info
mail		guest		REJECT		info
mail		ig		REJECT		info
mail		proxy		REJECT		info
mail		og		REJECT		info
mail		net		REJECT		info
mail		other		REJECT		info
# Fallback for any mail destination not named above.
mail		all		REJECT		info

# Defaults for connections originating in og: no destination is accepted by
# policy.  The REJECT lines for lan, guest and ig pair with the og BAN
# entries.  All lines log at level info.
og		lan		REJECT		info
og		guest		REJECT		info
og		ig		REJECT		info
og		proxy		REJECT		info
og		mail		REJECT		info
og		net		REJECT		info
og		other		REJECT		info
# Fallback for any og destination not named above.
og		all		REJECT		info

# Defaults for connections originating in net: DROP rather than REJECT, so
# the sender gets no response.  The DROP lines for lan, guest, ig, proxy and
# og are the blocking policies paired with the net BAN entries.
# NOTE(review): every dropped connection attempt from net is logged at info
# and the LIMIT:BURST column is unused; check that log rate limiting is set
# in shorewall.conf (LOGLIMIT) so unsolicited traffic cannot flood the logs.
net		lan		DROP		info
net		guest		DROP		info
net		ig		DROP		info
net		proxy		DROP		info
net		mail		DROP		info
net		og		DROP		info
net		other		DROP		info
# Fallback for any net destination not named above.
net		all		DROP		info

# Catch-all policies: anything from `other`, and any zone pair not matched by
# an earlier line, is dropped and logged at info (default deny).  Shorewall
# applies the first matching policy, so these must stay the last entries.
# NOTE(review): the firewall zone is not named anywhere in this file, so
# traffic to and from the firewall itself presumably falls under the `all`
# entries - confirm that is intended.
other		all		DROP		info
all		all		DROP		info

#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE