shorewall_code/Shorewall2/policy

#
# Shorewall 2.2 -- Policy File
#
# /etc/shorewall/policy
#
#	             THE ORDER OF ENTRIES IN THIS FILE IS IMPORTANT
#
#	This file determines what to do with a new connection request if we
#	don't get a match from the /etc/shorewall/rules file . For each
#	source/destination pair, the file is processed in order until a
#	match is found ("all" will match any client or server).
#
# Columns are:
#
#	SOURCE		Source zone. Must be the name of a zone defined
#			in /etc/shorewall/zones, $FW or "all".
#
#	DEST		Destination zone. Must be the name of a zone defined
#			in /etc/shorewall/zones, $FW or "all"
#
#	POLICY		Policy if no match from the rules file is found. Must
#			be "ACCEPT", "DROP", "REJECT", "CONTINUE" or "NONE".
#
#			ACCEPT		- Accept the connection
#			DROP		- Ignore the connection request
#			REJECT		- For TCP, send RST. For all other, send
#					  "port unreachable" ICMP.
#			CONTINUE	- Pass the connection request past
#					  any other rules that it might also
#					  match (where the source or destination
#					  zone in those rules is a superset of
#					  the SOURCE or DEST in this policy).
#			NONE		- Assume that there will never be any
#					  packets from this SOURCE
#					  to this DEST. Shorewall will not set up
#					  any infrastructure to handle such
#				 	  packets and you may not have any rules
#					  with this SOURCE and DEST in the
#					  /etc/shorewall/rules file. If such a
#					  packet _is_ received, the result is
#					  undefined. NONE may not be used if the 
#					  SOURCE or DEST columns contain the
#					  firewall zone ($FW) or "all".
#
#			If this column contains ACCEPT, DROP or REJECT and a 
#			corresponding common action is defined in
#			/etc/shorewall/actions (or /usr/share/shorewall/actions.std)
#			then that action will be invoked before the policy named in
#			this column is inforced.
#
#	LOG LEVEL	If supplied, each connection handled under the default
#			POLICY is logged at that level. If not supplied, no
#			log message is generated. See syslog.conf(5) for a
#			description of log levels.
#
#			Beginning with Shorewall version 1.3.12, you may
#			also specify ULOG (must be in upper case). This will
#			log to the ULOG target and sent to a separate log
#			through use of ulogd
#			(http://www.gnumonks.org/projects/ulogd).
#
#			If you don't want to log but need to specify the
#			following column, place "-" here.
#
#	LIMIT:BURST	If passed, specifies the maximum TCP connection rate
#			and the size of an acceptable burst. If not specified,
#			TCP connections are not limited.
#
#	Example:
#
#	a) All connections from the local network to the internet are allowed
#	b) All connections from the internet are ignored but logged at syslog
#	   level KERNEL.INFO.
#	d) All other connection requests are rejected and logged at level
#	   KERNEL.INFO.
#
#	#SOURCE		DEST		POLICY		LOG
#	#						LEVEL
#	loc		net		ACCEPT
#	net		all		DROP		info
#	#
#	# THE FOLLOWING POLICY MUST BE LAST
#	#	
#	all		all		REJECT		info 
#
###############################################################################
#SOURCE		DEST		POLICY		LOG		LIMIT:BURST
#						LEVEL
#LAST LINE -- DO NOT REMOVE
Initial revision git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@1103 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb 2004-01-31 17:11:22 +01:00			`#`
Update file headings to reflect version 2.2 git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@1729 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb 2004-10-26 17:37:00 +02:00			`# Shorewall 2.2 -- Policy File`
Initial revision git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@1103 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb 2004-01-31 17:11:22 +01:00			`#`
			`# /etc/shorewall/policy`
			`#`
			`# THE ORDER OF ENTRIES IN THIS FILE IS IMPORTANT`
			`#`
			`# This file determines what to do with a new connection request if we`
clean up policy file git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@1173 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb 2004-02-21 22:11:53 +01:00			`# don't get a match from the /etc/shorewall/rules file . For each`
			`# source/destination pair, the file is processed in order until a`
			`# match is found ("all" will match any client or server).`
Initial revision git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@1103 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb 2004-01-31 17:11:22 +01:00			`#`
			`# Columns are:`
			`#`
			`# SOURCE Source zone. Must be the name of a zone defined`
			`# in /etc/shorewall/zones, $FW or "all".`
			`#`
			`# DEST Destination zone. Must be the name of a zone defined`
			`# in /etc/shorewall/zones, $FW or "all"`
			`#`
			`# POLICY Policy if no match from the rules file is found. Must`
			`# be "ACCEPT", "DROP", "REJECT", "CONTINUE" or "NONE".`
			`#`
			`# ACCEPT - Accept the connection`
			`# DROP - Ignore the connection request`
			`# REJECT - For TCP, send RST. For all other, send`
			`# "port unreachable" ICMP.`
			`# CONTINUE - Pass the connection request past`
			`# any other rules that it might also`
			`# match (where the source or destination`
			`# zone in those rules is a superset of`
			`# the SOURCE or DEST in this policy).`
			`# NONE - Assume that there will never be any`
			`# packets from this SOURCE`
			`# to this DEST. Shorewall will not set up`
			`# any infrastructure to handle such`
			`# packets and you may not have any rules`
			`# with this SOURCE and DEST in the`
			`# /etc/shorewall/rules file. If such a`
			`# packet _is_ received, the result is`
			`# undefined. NONE may not be used if the`
			`# SOURCE or DEST columns contain the`
			`# firewall zone ($FW) or "all".`
			`#`
clean up policy file git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@1173 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb 2004-02-21 22:11:53 +01:00			`# If this column contains ACCEPT, DROP or REJECT and a`
			`# corresponding common action is defined in`
			`# /etc/shorewall/actions (or /usr/share/shorewall/actions.std)`
			`# then that action will be invoked before the policy named in`
			`# this column is inforced.`
			`#`
Initial revision git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@1103 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb 2004-01-31 17:11:22 +01:00			`# LOG LEVEL If supplied, each connection handled under the default`
			`# POLICY is logged at that level. If not supplied, no`
			`# log message is generated. See syslog.conf(5) for a`
			`# description of log levels.`
			`#`
			`# Beginning with Shorewall version 1.3.12, you may`
			`# also specify ULOG (must be in upper case). This will`
			`# log to the ULOG target and sent to a separate log`
			`# through use of ulogd`
			`# (http://www.gnumonks.org/projects/ulogd).`
			`#`
			`# If you don't want to log but need to specify the`
clean up policy file git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@1173 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb 2004-02-21 22:11:53 +01:00			`# following column, place "-" here.`
Initial revision git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@1103 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb 2004-01-31 17:11:22 +01:00			`#`
			`# LIMIT:BURST If passed, specifies the maximum TCP connection rate`
			`# and the size of an acceptable burst. If not specified,`
			`# TCP connections are not limited.`
			`#`
Add comments to the zones and policy files git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@1933 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb 2005-02-01 21:48:43 +01:00			`# Example:`
Initial revision git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@1103 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb 2004-01-31 17:11:22 +01:00			`#`
			`# a) All connections from the local network to the internet are allowed`
			`# b) All connections from the internet are ignored but logged at syslog`
			`# level KERNEL.INFO.`
			`# d) All other connection requests are rejected and logged at level`
			`# KERNEL.INFO.`
Add comments to the zones and policy files git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@1933 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb 2005-02-01 21:48:43 +01:00			`#`
			`# #SOURCE DEST POLICY LOG`
			`# # LEVEL`
			`# loc net ACCEPT`
			`# net all DROP info`
			`# #`
			`# # THE FOLLOWING POLICY MUST BE LAST`
			`# #`
			`# all all REJECT info`
			`#`
Initial revision git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@1103 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb 2004-01-31 17:11:22 +01:00			`###############################################################################`
			`#SOURCE DEST POLICY LOG LIMIT:BURST`
			`# LEVEL`
			`#LAST LINE -- DO NOT REMOVE`