shorewall_code/Samples/three-interfaces/policy

#	
# 	Shorewall 2.2 -- Sample Policy File For Three Interfaces
#
# 	/etc/shorewall/policy
#
#		THE ORDER OF ENTRIES IN THIS FILE IS IMPORTANT
#
#	This file determines what to do with a new connection request if we
#	don't get a match from the /etc/shorewall/rules file For each 
#	source/destination pair, the file is processed in order until a 
#	match is found ("all" will match any client or server).
#
# Columns are:
#
#	SOURCE		Source zone. Must be the name of a zone defined
#			in /etc/shorewall/zones, $FW or "all".
#
#	DEST		Destination zone. Must be the name of a zone defined
#			in /etc/shorewall/zones, $FW or "all"
#
#			WARNING: Firewall->Firewall policies are not allowed; if
#			you have a policy where both SOURCE and DEST are $FW,
#			Shorewall will not start!
#
#	POLICY		Policy if no match from the rules file is found. Must
#			be "ACCEPT", "DROP", "REJECT", "CONTINUE" Or "NONE"
#
#			ACCEPT
#				Accept the connection
#			DROP
#				Ignore the connection request.
#			REJECT
#				For TCP, send RST. For all other, send
#				"port unreachable" ICMP.
#			CONTINUE
#				Pass the connection request past
#				any other rules that it might also
#				match (where the source or destination
#				zone in those rules is a superset of
#				the SOURCE or DEST in this policy)
#			NONE
#				Assume that there will never be any
#				packets from this SOURCE to this
#				DEST. Shorewall will not set up any
#				infrastructure to handle such packets
#				and you may not have any rules with
#				this SOURCE and DEST in the /etc/shorewall/rules
#				file. If such a packet is received the result
#				is undefined. NONE may not be used if the 
#				SOURCE or DEST Columns contain the firewall
#				zone ($FW) or "all".
#
#			If This column contains ACCEPT, DROP or REJECT and a
#			corresponding common action is defined in /etc/shorewall/actions
#			(or /usr/share/shorewall/actions.std) then that action will be
#			invoked before the policy named in this column is inforced.
#
#	LOG LEVEL	If supplied, each connection handled under the default
#			POLICY is logged at that level. If not supplied, no
#			log message is generated. See syslog.conf(5) for a
#			description of log levels.
#
#			Beginning with Shorewall version 1.3.12, you may
#			also specify ULOG (must be in upper case). This will
#			log to the ULOG target and sent to a separate log
#			through use of ulogd (http://www.gnumonks.org/projects/ulogd).
#
#			If you don't want to log but need to specify the
#			following column, place "_" here.
#
#	LIMIT:BURST	If passed, specifies the maximum TCP connection rate
#			and the size of an acceptable burst. If not specified,
#			TCP connections are not limited.
#
#	As shipped, the default policies are:
#
#	a)	All connections from the local network  to the Internet are allowed
#	b)	All connections from the Internet are ignored but logged at syslog
#		level KERNEL.INFO.
#	d)	All other connection requests are rejected and logged at level
#		KERNEL.INFO.
###############################################################################
#SOURCE		DEST		POLICY		LOG LEVEL	LIMIT:BURST
loc		net		ACCEPT
# If you want open access to the Internet from your Firewall 
# remove the comment from the following line.
#fw		net		ACCEPT
# Also If You Wish To Open Up DMZ Access To The Internet 
# remove the comment from the following line.
#dmz		net		ACCEPT
net		all		DROP		info
# THE FOLLOWING POLICY MUST BE LAST
all		all		REJECT		info
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE