2006-11-15 18:19:32 +01:00
|
|
|
<?xml version="1.0" encoding="UTF-8"?>
|
|
|
|
|
<refentry>
|
|
|
|
|
<refmeta>
|
|
|
|
|
<refentrytitle>shorewall-policy</refentrytitle>
|
|
|
|
|
|
|
|
|
|
<manvolnum>5</manvolnum>
|
|
|
|
|
</refmeta>
|
|
|
|
|
|
|
|
|
|
<refnamediv>
|
|
|
|
|
<refname>policy</refname>
|
|
|
|
|
|
|
|
|
|
<refpurpose>Shorewall policy file</refpurpose>
|
|
|
|
|
</refnamediv>
|
|
|
|
|
|
|
|
|
|
<refsynopsisdiv>
|
|
|
|
|
<cmdsynopsis>
|
|
|
|
|
<command>/etc/shorewall/policy</command>
|
|
|
|
|
</cmdsynopsis>
|
|
|
|
|
</refsynopsisdiv>
|
|
|
|
|
|
|
|
|
|
<refsect1>
|
|
|
|
|
<title>Description</title>
|
|
|
|
|
|
|
|
|
|
<para>This file defines the high-level policy for connections between
|
2007-01-28 19:28:13 +01:00
|
|
|
zones defined in <ulink
|
|
|
|
|
url="shorewall-zones.html">shorewall-zones</ulink>(5).</para>
|
2006-11-15 18:19:32 +01:00
|
|
|
|
|
|
|
|
<important>
|
|
|
|
|
<para>The order of entries in this file is important</para>
|
|
|
|
|
|
|
|
|
|
<para>This file determines what to do with a new connection request if
|
|
|
|
|
we don't get a match from the /etc/shorewall/rules file . For each
|
|
|
|
|
source/destination pair, the file is processed in order until a match is
|
|
|
|
|
found ("all" will match any client or server).</para>
|
|
|
|
|
</important>
|
|
|
|
|
|
|
|
|
|
<important>
|
|
|
|
|
<para>Intra-zone policies are pre-defined</para>
|
|
|
|
|
|
2006-11-20 18:52:52 +01:00
|
|
|
<para>For $FW and for all of the zones defined in /etc/shorewall/zones,
|
2006-11-15 18:19:32 +01:00
|
|
|
the POLICY for connections from the zone to itself is ACCEPT (with no
|
|
|
|
|
logging or TCP connection rate limiting but may be overridden by an
|
|
|
|
|
entry in this file. The overriding entry must be explicit (cannot use
|
|
|
|
|
"all" in the SOURCE or DEST).</para>
|
|
|
|
|
|
|
|
|
|
<para>Similarly, if you have IMPLICIT_CONTINUE=Yes in shorewall.conf,
|
|
|
|
|
then the implicit policy to/from any sub-zone is CONTINUE. These
|
|
|
|
|
implicit CONTINUE policies may also be overridden by an explicit entry
|
|
|
|
|
in this file.</para>
|
|
|
|
|
</important>
|
|
|
|
|
|
|
|
|
|
<para>The columns in the file are as follows.</para>
|
|
|
|
|
|
|
|
|
|
<variablelist>
|
|
|
|
|
<varlistentry>
|
2006-11-23 00:29:21 +01:00
|
|
|
<term><emphasis role="bold">SOURCE</emphasis> —
|
|
|
|
|
<emphasis>zone</emphasis>|<emphasis
|
|
|
|
|
role="bold">$FW</emphasis>|<emphasis role="bold">all</emphasis></term>
|
2006-11-15 18:19:32 +01:00
|
|
|
|
|
|
|
|
<listitem>
|
2007-01-28 19:28:13 +01:00
|
|
|
<para>Source zone. Must be the name of a zone defined in <ulink
|
|
|
|
|
url="shorewall-zones.html">shorewall-zones</ulink>(5), $FW or
|
|
|
|
|
"all".</para>
|
2006-11-15 18:19:32 +01:00
|
|
|
</listitem>
|
|
|
|
|
</varlistentry>
|
|
|
|
|
|
|
|
|
|
<varlistentry>
|
2006-11-23 00:29:21 +01:00
|
|
|
<term><emphasis role="bold">DEST</emphasis> —
|
|
|
|
|
<emphasis>zone</emphasis>|<emphasis
|
|
|
|
|
role="bold">$FW</emphasis>|<emphasis role="bold">all</emphasis></term>
|
2006-11-15 18:19:32 +01:00
|
|
|
|
|
|
|
|
<listitem>
|
2007-01-28 19:28:13 +01:00
|
|
|
<para>Destination zone. Must be the name of a zone defined in <ulink
|
2007-06-07 17:12:39 +02:00
|
|
|
url="shorewall-zones.html">shorewall-zones</ulink>(5), $FW or "all".
|
|
|
|
|
If the DEST is a bport zone, then the SOURCE must be "all", another
|
|
|
|
|
bport zone associated with the same bridge, or it must be an ipv4
|
|
|
|
|
zone that is associated with only the same bridge.</para>
|
2006-11-15 18:19:32 +01:00
|
|
|
</listitem>
|
|
|
|
|
</varlistentry>
|
|
|
|
|
|
|
|
|
|
<varlistentry>
|
2006-11-23 00:29:21 +01:00
|
|
|
<term><emphasis role="bold">POLICY</emphasis> — {<emphasis
|
|
|
|
|
role="bold">ACCEPT</emphasis>|<emphasis
|
|
|
|
|
role="bold">DROP</emphasis>|<emphasis
|
|
|
|
|
role="bold">REJECT</emphasis>|<emphasis
|
|
|
|
|
role="bold">CONTINUE</emphasis>|<emphasis
|
2007-01-28 19:28:13 +01:00
|
|
|
role="bold">QUEUE</emphasis>|<emphasis
|
2007-12-08 22:55:44 +01:00
|
|
|
role="bold">NFQUEUE</emphasis>[(<emphasis>queuenumber</emphasis>)]|<emphasis
|
2006-11-23 00:29:21 +01:00
|
|
|
role="bold">NONE</emphasis>}[<emphasis
|
|
|
|
|
role="bold">:</emphasis>{<emphasis>default-action-or-macro</emphasis>|<emphasis
|
|
|
|
|
role="bold">None</emphasis>}]</term>
|
2006-11-15 18:19:32 +01:00
|
|
|
|
|
|
|
|
<listitem>
|
2007-01-28 19:28:13 +01:00
|
|
|
<para>Policy if no match from the rules file is found.</para>
|
|
|
|
|
|
|
|
|
|
<para>If the policy is other than CONTINUE or NONE then the policy
|
|
|
|
|
may be followed by ":" and one of the following:</para>
|
|
|
|
|
|
|
|
|
|
<orderedlist numeration="loweralpha">
|
|
|
|
|
<listitem>
|
|
|
|
|
<para>The word "None" or "none". This causes any default action
|
|
|
|
|
defined in <ulink
|
|
|
|
|
url="shorewall.conf.html">shorewall.conf</ulink>(5) to be
|
|
|
|
|
omitted for this policy.</para>
|
|
|
|
|
</listitem>
|
|
|
|
|
|
|
|
|
|
<listitem>
|
|
|
|
|
<para>The name of an action (requires that USE_ACTIONS=Yes in
|
|
|
|
|
<ulink url="shorewall.conf.html">shorewall.conf</ulink>(5)).
|
|
|
|
|
That action will be invoked before the policy is
|
|
|
|
|
enforced.</para>
|
|
|
|
|
</listitem>
|
|
|
|
|
|
|
|
|
|
<listitem>
|
|
|
|
|
<para>The name of a macro. The rules in that macro will be
|
|
|
|
|
applied before the policy is enforced. This does not require
|
|
|
|
|
USE_ACTIONS=Yes.</para>
|
|
|
|
|
</listitem>
|
|
|
|
|
</orderedlist>
|
|
|
|
|
|
|
|
|
|
<blockquote>
|
|
|
|
|
<programlisting></programlisting>
|
|
|
|
|
|
|
|
|
|
<para>Possible policies are:</para>
|
|
|
|
|
</blockquote>
|
2006-11-15 18:19:32 +01:00
|
|
|
|
|
|
|
|
<variablelist>
|
|
|
|
|
<varlistentry>
|
2006-11-15 19:15:40 +01:00
|
|
|
<term><emphasis role="bold">ACCEPT</emphasis></term>
|
2006-11-15 18:19:32 +01:00
|
|
|
|
|
|
|
|
<listitem>
|
|
|
|
|
<para>Accept the connection.</para>
|
|
|
|
|
</listitem>
|
|
|
|
|
</varlistentry>
|
|
|
|
|
|
|
|
|
|
<varlistentry>
|
2006-11-15 19:15:40 +01:00
|
|
|
<term><emphasis role="bold">DROP</emphasis></term>
|
2006-11-15 18:19:32 +01:00
|
|
|
|
|
|
|
|
<listitem>
|
|
|
|
|
<para>Ignore the connection request.</para>
|
|
|
|
|
</listitem>
|
|
|
|
|
</varlistentry>
|
|
|
|
|
|
|
|
|
|
<varlistentry>
|
2006-11-15 19:15:40 +01:00
|
|
|
<term><emphasis role="bold">REJECT</emphasis></term>
|
2006-11-15 18:19:32 +01:00
|
|
|
|
|
|
|
|
<listitem>
|
|
|
|
|
<para>For TCP, send RST. For all other, send an "unreachable"
|
|
|
|
|
ICMP.</para>
|
2007-01-28 19:28:13 +01:00
|
|
|
</listitem>
|
|
|
|
|
</varlistentry>
|
2006-11-23 19:13:29 +01:00
|
|
|
|
2007-01-28 19:28:13 +01:00
|
|
|
<varlistentry>
|
|
|
|
|
<term>QUEUE</term>
|
|
|
|
|
|
|
|
|
|
<listitem>
|
|
|
|
|
<para>Queue the request for a user-space application such as
|
|
|
|
|
Snort-inline.</para>
|
2006-11-15 18:19:32 +01:00
|
|
|
</listitem>
|
|
|
|
|
</varlistentry>
|
|
|
|
|
|
2007-08-24 22:40:13 +02:00
|
|
|
<varlistentry>
|
|
|
|
|
<term>NFQUEUE</term>
|
|
|
|
|
|
|
|
|
|
<listitem>
|
2007-08-27 23:38:34 +02:00
|
|
|
<para>Added in Shorewall-perl 4.0.3. Queue the request for a
|
|
|
|
|
user-space application using the nfnetlink_queue mechanism. If
|
|
|
|
|
a <replaceable>queuenumber</replaceable> is not given, queue
|
2007-08-24 22:40:13 +02:00
|
|
|
zero (0) is assumed.</para>
|
|
|
|
|
</listitem>
|
|
|
|
|
</varlistentry>
|
|
|
|
|
|
2006-11-15 18:19:32 +01:00
|
|
|
<varlistentry>
|
2006-11-15 19:15:40 +01:00
|
|
|
<term><emphasis role="bold">CONTINUE</emphasis></term>
|
2006-11-15 18:19:32 +01:00
|
|
|
|
|
|
|
|
<listitem>
|
|
|
|
|
<para>Pass the connection request past any other rules that it
|
|
|
|
|
might also match (where the source or destination zone in
|
|
|
|
|
those rules is a superset of the SOURCE or DEST in this
|
2007-01-18 20:05:17 +01:00
|
|
|
policy). See <ulink
|
|
|
|
|
url="shorewall-nesting.html">shorewall-nesting</ulink>(5) for
|
|
|
|
|
additional information.</para>
|
2006-11-15 18:19:32 +01:00
|
|
|
</listitem>
|
|
|
|
|
</varlistentry>
|
|
|
|
|
|
|
|
|
|
<varlistentry>
|
2006-11-15 19:15:40 +01:00
|
|
|
<term><emphasis role="bold">NONE</emphasis></term>
|
2006-11-15 18:19:32 +01:00
|
|
|
|
|
|
|
|
<listitem>
|
|
|
|
|
<para>Assume that there will never be any packets from this
|
|
|
|
|
SOURCE to this DEST. Shorewall will not create any
|
|
|
|
|
infrastructure to handle such packets and you may not have any
|
|
|
|
|
rules with this SOURCE and DEST in the /etc/shorewall/rules
|
2006-11-20 18:52:52 +01:00
|
|
|
file. If such a packet <emphasis role="bold">is</emphasis>
|
|
|
|
|
received, the result is undefined. NONE may not be used if the
|
|
|
|
|
SOURCE or DEST columns contain the firewall zone ($FW) or
|
|
|
|
|
"all".</para>
|
2006-11-15 18:19:32 +01:00
|
|
|
</listitem>
|
|
|
|
|
</varlistentry>
|
|
|
|
|
</variablelist>
|
|
|
|
|
</listitem>
|
|
|
|
|
</varlistentry>
|
|
|
|
|
|
|
|
|
|
<varlistentry>
|
2006-11-23 00:29:21 +01:00
|
|
|
<term><emphasis role="bold">LOG LEVEL</emphasis> (Optional) —
|
|
|
|
|
[<emphasis>log-level</emphasis>|<emphasis
|
|
|
|
|
role="bold">ULOG</emphasis>]</term>
|
2006-11-15 18:19:32 +01:00
|
|
|
|
|
|
|
|
<listitem>
|
|
|
|
|
<para>If supplied, each connection handled under the default POLICY
|
|
|
|
|
is logged at that level. If not supplied, no log message is
|
|
|
|
|
generated. See syslog.conf(5) for a description of log
|
|
|
|
|
levels.</para>
|
|
|
|
|
|
|
|
|
|
<para>You may also specify ULOG (must be in upper case). This will
|
2006-11-20 18:52:52 +01:00
|
|
|
log to the ULOG target and will send to a separate log through use
|
2007-01-28 19:28:13 +01:00
|
|
|
of ulogd (<ulink
|
|
|
|
|
url="http://www.netfilter.org/projects/ulogd/index.html">http://www.netfilter.org/projects/ulogd/index.html</ulink>).</para>
|
2006-11-15 18:19:32 +01:00
|
|
|
|
|
|
|
|
<para>If you don't want to log but need to specify the following
|
2006-11-20 18:52:52 +01:00
|
|
|
column, place "-" here.</para>
|
2006-11-15 18:19:32 +01:00
|
|
|
</listitem>
|
|
|
|
|
</varlistentry>
|
|
|
|
|
|
|
|
|
|
<varlistentry>
|
2006-11-23 00:29:21 +01:00
|
|
|
<term><emphasis role="bold">BURST:LIMIT</emphasis> —
|
|
|
|
|
<emphasis>rate</emphasis><emphasis role="bold">/</emphasis>{<emphasis
|
|
|
|
|
role="bold">second</emphasis>|<emphasis
|
|
|
|
|
role="bold">minute</emphasis>}:<emphasis>burst</emphasis></term>
|
2006-11-15 18:19:32 +01:00
|
|
|
|
|
|
|
|
<listitem>
|
2006-11-23 00:29:21 +01:00
|
|
|
<para>If passed, specifies the maximum TCP connection
|
|
|
|
|
<emphasis>rate</emphasis> and the size of an acceptable
|
|
|
|
|
<emphasis>burst</emphasis>. If not specified, TCP connections are
|
2006-11-20 18:52:52 +01:00
|
|
|
not limited.</para>
|
2006-11-15 18:19:32 +01:00
|
|
|
</listitem>
|
|
|
|
|
</varlistentry>
|
|
|
|
|
</variablelist>
|
|
|
|
|
</refsect1>
|
|
|
|
|
|
|
|
|
|
<refsect1>
|
|
|
|
|
<title>Example</title>
|
|
|
|
|
|
|
|
|
|
<orderedlist numeration="loweralpha">
|
|
|
|
|
<listitem>
|
|
|
|
|
<para>All connections from the local network to the internet are
|
|
|
|
|
allowed</para>
|
|
|
|
|
</listitem>
|
|
|
|
|
|
|
|
|
|
<listitem>
|
|
|
|
|
<para>All connections from the internet are ignored but logged at
|
|
|
|
|
syslog level KERNEL.INFO.</para>
|
|
|
|
|
</listitem>
|
|
|
|
|
|
|
|
|
|
<listitem>
|
|
|
|
|
<para>All other connection requests are rejected and logged at level
|
|
|
|
|
KERNEL.INFO.</para>
|
|
|
|
|
</listitem>
|
|
|
|
|
</orderedlist>
|
|
|
|
|
|
2007-01-28 19:28:13 +01:00
|
|
|
<programlisting> #SOURCE DEST POLICY LOG BURST:LIMIT
|
|
|
|
|
# LEVEL
|
|
|
|
|
loc net ACCEPT
|
|
|
|
|
net all DROP info
|
|
|
|
|
#
|
|
|
|
|
# THE FOLLOWING POLICY MUST BE LAST
|
|
|
|
|
#
|
|
|
|
|
all all REJECT info</programlisting>
|
2006-11-15 18:19:32 +01:00
|
|
|
</refsect1>
|
|
|
|
|
|
|
|
|
|
<refsect1>
|
|
|
|
|
<title>FILES</title>
|
|
|
|
|
|
|
|
|
|
<para>/etc/shorewall/policy</para>
|
|
|
|
|
</refsect1>
|
|
|
|
|
|
|
|
|
|
<refsect1>
|
|
|
|
|
<title>See ALSO</title>
|
|
|
|
|
|
|
|
|
|
<para>shorewall(8), shorewall-accounting(5), shorewall-actions(5),
|
|
|
|
|
shorewall-blacklist(5), shorewall-hosts(5), shorewall-interfaces(5),
|
|
|
|
|
shorewall-ipsec(5), shorewall-maclist(5), shorewall-masq(5),
|
|
|
|
|
shorewall-nat(5), shorewall-netmap(5), shorewall-params(5),
|
|
|
|
|
shorewall-policy(5), shorewall-providers(5), shorewall-proxyarp(5),
|
|
|
|
|
shorewall-route_routes(5), shorewall-routestopped(5), shorewall-rules(5),
|
|
|
|
|
shorewall.conf(5), shorewall-tcclasses(5), shorewall-tcdevices(5),
|
|
|
|
|
shorewall-tcrules(5), shorewall-tos(5), shorewall-tunnels(5),
|
|
|
|
|
shorewall-zones(5)</para>
|
|
|
|
|
</refsect1>
|
|
|
|
|
</refentry>
|
