#
# Shorewall version 3.0 - Sample Policy File for three-interface configuration.
# Copyright (C) 2006 by the Shorewall Team
#
# This library is free software; you can redistribute it and/or
# modify it under the terms of the GNU Lesser General Public
# License as published by the Free Software Foundation; either
# version 2.1 of the License, or (at your option) any later version.
#
# See the file README.txt for further details.
#
#
# /etc/shorewall/policy
#
#		     THE ORDER OF ENTRIES IN THIS FILE IS IMPORTANT
#
#	This file determines what to do with a new connection request if we
#	don't get a match from the /etc/shorewall/rules file. For each
#	source/destination pair, the file is processed in order until a
#	match is found ("all" will match any client or server).
#
#	                INTRA-ZONE POLICIES ARE PRE-DEFINED
#
#	For $FW and for all of the zones defined in /etc/shorewall/zones,
#	the POLICY for connections from the zone to itself is ACCEPT (with no
#	logging or TCP connection rate limiting) but may be overridden by an
#	entry in this file. The overriding entry must be explicit (cannot use
#	"all" in the SOURCE or DEST).
#
# Columns are:
#
#	SOURCE		Source zone. Must be the name of a zone defined
#			in /etc/shorewall/zones, $FW or "all".
#
#	DEST		Destination zone. Must be the name of a zone defined
#			in /etc/shorewall/zones, $FW or "all"
#
#	POLICY		Policy if no match from the rules file is found. Must
#			be "ACCEPT", "DROP", "REJECT", "QUEUE", "CONTINUE" or "NONE".
#
#			ACCEPT		- Accept the connection
#			DROP		- Ignore the connection request
#			REJECT		- For TCP, send RST. For all other,
#					  send "port unreachable" ICMP.
#			QUEUE		- Send the request to a user-space
#					  application using the QUEUE target.
#			CONTINUE	- Pass the connection request past
#					  any other rules that it might also
#					  match (where the source or
#					  destination zone in those rules is
#					  a superset of the SOURCE or DEST
#					  in this policy).
#			NONE		- Assume that there will never be any
#					  packets from this SOURCE
#					  to this DEST. Shorewall will not set
#					  up any infrastructure to handle such
#					  packets and you may not have any
#					  rules with this SOURCE and DEST in
#					  the /etc/shorewall/rules file. If
#					  such a packet _is_ received, the
#					  result is undefined. NONE may not be
#					  used if the SOURCE or DEST columns
#					  contain the firewall zone ($FW) or
#					  "all".
#
#			If this column contains ACCEPT, DROP or REJECT and a
#			corresponding common action is defined in
#			/etc/shorewall/actions (or
#			/usr/share/shorewall/actions.std) then that action
#			will be invoked before the policy named in this column
#			is enforced.
#
#	LOG LEVEL	If supplied, each connection handled under the default
#			POLICY is logged at that level. If not supplied, no
#			log message is generated. See syslog.conf(5) for a
#			description of log levels.
#
#			Beginning with Shorewall version 1.3.12, you may
#			also specify ULOG (must be in upper case). This will
#			log to the ULOG target and send the entries to a separate
#			log through use of ulogd
#			(http://www.gnumonks.org/projects/ulogd).
#
#			If you don't want to log but need to specify the
#			following column, place "-" here.
#
#	LIMIT:BURST	If passed, specifies the maximum TCP connection rate
#			and the size of an acceptable burst. If not specified,
#			TCP connections are not limited.
#
# See http://shorewall.net/Documentation.htm#Policy for additional information.
#
###############################################################################
#SOURCE		DEST		POLICY		LOG LEVEL	LIMIT:BURST

#
# Note about policies and logging:
#	This file contains an explicit policy for every combination of
#	zones defined in this sample.  This is solely for the purpose of
#	providing more specific messages in the logs.  This is not
#	necessary for correct operation of the firewall, but greatly
#	assists in diagnosing problems.
#

#
# Policies for traffic originating from the local LAN (loc)
#
# This is the only ACCEPT policy in this sample: new connections from loc
# to net are allowed with no LOG LEVEL, so they produce no log entry.
# Every other zone pair below is REJECT or DROP, so anything else must be
# permitted explicitly in /etc/shorewall/rules.
# If you want to force clients to access the Internet via a proxy server
# in your DMZ, change the following policy to REJECT info.
loc		net		ACCEPT
# If you want open access to DMZ from loc, change the following policy
# to ACCEPT.  (If you choose not to do this, you will need to add a rule
# for each service in the rules file.)
loc		dmz		REJECT		info
loc		$FW		REJECT		info
# Catch-all for loc as SOURCE: "all" matches any destination zone not
# matched above, rejecting and logging it.  Entries are processed in
# order, so this line must stay below the more specific loc entries.
loc		all		REJECT		info

#
# Policies for traffic originating from the firewall ($FW)
#
# If you want open access to the Internet from your firewall, change the
# $FW to net policy to ACCEPT and remove the 'info' LOG LEVEL.
$FW		net		REJECT		info
$FW		dmz		REJECT		info
$FW		loc		REJECT		info
# Catch-all for $FW as SOURCE; keep it after the specific $FW entries.
$FW		all		REJECT		info

#
# Policies for traffic originating from the De-Militarized Zone (dmz)
#
# If you want open access from DMZ to the Internet change the following
# policy to ACCEPT.  This may be useful if you run a proxy server in
# your DMZ.
dmz		net		REJECT		info
# dmz -> $FW and dmz -> loc stay REJECT, so a DMZ host has no default
# path into the firewall or the internal LAN; open individual services
# in the rules file instead of relaxing these policies.
dmz		$FW		REJECT		info
dmz		loc		REJECT		info
# Catch-all for dmz as SOURCE; keep it after the specific dmz entries.
dmz		all		REJECT		info

#
# Policies for traffic originating from the Internet zone (net)
#
# Unsolicited connections from the Internet use DROP rather than REJECT:
# per the header, DROP ignores the request while REJECT answers with a
# TCP RST or ICMP "port unreachable", so nothing is sent back to the
# Internet for unmatched traffic.  Each dropped request is logged at
# "info".  No LIMIT:BURST is given, so new TCP connections from net are
# not rate limited (see the LIMIT:BURST column description above).
net		dmz		DROP		info
net		$FW		DROP		info
net		loc		DROP		info
# Catch-all for net as SOURCE; keep it after the specific net entries.
net		all		DROP		info

# THE FOLLOWING POLICY MUST BE LAST
# Entries are matched in order (see header): this all/all catch-all
# matches every source/destination pair, so any policy placed after it
# would never be reached.
all		all		REJECT		info

#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE