mirror of https://gitlab.com/shorewall/code.git (synced 2024-11-23 16:13:18 +01:00), commit b66929a65e
1) Elimination of the "shorewall monitor" command.
2) The /etc/shorewall/ipsec and /etc/shorewall/zones files are combined into a single /etc/shorewall/zones file. This is done in an upwardly-compatible way so that current users can continue to use their existing files.
3) Support has been added for the arp_ignore interface option.
4) DROPINVALID has been removed from shorewall.conf. Behavior is as if DROPINVALID=No was specified.
5) The 'nobogons' option and BOGON_LOG_LEVEL are removed.
6) Error and warning messages have been made easier to spot by using capitalization (e.g., ERROR: and WARNING:).
7) The /etc/shorewall/policy file now contains a new connection policy and a policy for ESTABLISHED packets. Useful for users of snort-inline who want to pass all packets to the QUEUE target.
8) A new 'critical' option has been added to /etc/shorewall/routestopped. Shorewall ensures communication between the firewall and 'critical' hosts throughout start, restart, stop and clear. Useful for diskless firewalls with NFS-mounted file systems, LDAP servers, Crossbow, etc.
9) Macros. Macros are very similar to actions but are easier to use, allow parameter substitution and are more efficient. Almost all of the standard actions have been converted to macros in the EXPERIMENTAL branch.
10) The default value of ADD_IP_ALIASES in shorewall.conf is changed to No.
11) If you have 'make' installed on your firewall, then when you use the '-f' option to 'shorewall start' (as happens when you reboot), if your /etc/shorewall/ directory contains files that were modified after Shorewall was last restarted then Shorewall is started using the config files rather than using the saved configuration.

git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@2409 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
100 lines, 3.6 KiB, Plaintext
#
# Shorewall 2.6 -- Policy File
#
# /etc/shorewall/policy
#
# THE ORDER OF ENTRIES IN THIS FILE IS IMPORTANT
#
# This file determines what to do with a new connection request if we
# don't get a match from the /etc/shorewall/rules file. For each
# source/destination pair, the file is processed in order until a
# match is found ("all" will match any client or server).
#
# Columns are:
#
# SOURCE        Source zone. Must be the name of a zone defined
#               in /etc/shorewall/zones, $FW or "all".
#
# DEST          Destination zone. Must be the name of a zone defined
#               in /etc/shorewall/zones, $FW or "all".
#
# POLICY        Policy if no match from the rules file is found. Must
#               be "ACCEPT", "DROP", "REJECT", "QUEUE", "CONTINUE" or
#               "NONE".
#
#               ACCEPT   - Accept the connection
#               DROP     - Ignore the connection request
#               REJECT   - For TCP, send RST. For all other, send
#                          "port unreachable" ICMP.
#               QUEUE    - Send the request to a user-space
#                          application using the QUEUE target.
#               CONTINUE - Pass the connection request past
#                          any other rules that it might also
#                          match (where the source or destination
#                          zone in those rules is a superset of
#                          the SOURCE or DEST in this policy).
#               NONE     - Assume that there will never be any
#                          packets from this SOURCE to this DEST.
#                          Shorewall will not set up any
#                          infrastructure to handle such packets
#                          and you may not have any rules with
#                          this SOURCE and DEST in the
#                          /etc/shorewall/rules file. If such a
#                          packet _is_ received, the result is
#                          undefined. NONE may not be used if the
#                          SOURCE or DEST columns contain the
#                          firewall zone ($FW) or "all".
#
#               If this column contains ACCEPT, DROP or REJECT and a
#               corresponding common action is defined in
#               /etc/shorewall/actions (or /usr/share/shorewall/actions.std)
#               then that action will be invoked before the policy named in
#               this column is enforced.
#
#               The policy determines the default treatment of new
#               connection requests and may optionally be followed by ":"
#               and an ESTABLISHED policy which determines what
#               is to be done with packets that are part of an established
#               connection. The choices are ACCEPT (the default) and QUEUE
#               (to queue the packet to a user-space filter like Snort Inline).
#
# LOG LEVEL     If supplied, each connection handled under the default
#               POLICY is logged at that level. If not supplied, no
#               log message is generated. See syslog.conf(5) for a
#               description of log levels.
#
#               Beginning with Shorewall version 1.3.12, you may
#               also specify ULOG (must be in upper case). This will
#               log via the ULOG target, and the messages can be sent
#               to a separate log through use of ulogd
#               (http://www.gnumonks.org/projects/ulogd).
#
#               If you don't want to log but need to specify the
#               following column, place "-" here.
#
# LIMIT:BURST   If passed, specifies the maximum TCP connection rate
#               and the size of an acceptable burst. If not specified,
#               TCP connections are not limited.
#
# Example:
#
#       a) All connections from the local network to the internet are allowed
#       b) All connections from the internet are ignored but logged at syslog
#          level KERNEL.INFO.
#       c) All other connection requests are rejected and logged at level
#          KERNEL.INFO.
#
#       #SOURCE         DEST            POLICY          LOG
#       #                                               LEVEL
#       loc             net             ACCEPT
#       net             all             DROP            info
#       #
#       # THE FOLLOWING POLICY MUST BE LAST
#       #
#       all             all             REJECT          info
#
# See http://shorewall.net/Documentation.htm#Policy for additional information.
###############################################################################
#SOURCE         DEST            POLICY          LOG             LIMIT:BURST
#                                               LEVEL
#LAST LINE -- DO NOT REMOVE