# # Shorewall 2.2 -- Sample Policy File For Three Interfaces # # /etc/shorewall/policy # # THE ORDER OF ENTRIES IN THIS FILE IS IMPORTANT # # This file determines what to do with a new connection request if we # don't get a match from the /etc/shorewall/rules file For each # source/destination pair, the file is processed in order until a # match is found ("all" will match any client or server). # # Columns are: # # SOURCE Source zone. Must be the name of a zone defined # in /etc/shorewall/zones, $FW or "all". # # DEST Destination zone. Must be the name of a zone defined # in /etc/shorewall/zones, $FW or "all" # # WARNING: Firewall->Firewall policies are not allowed; if # you have a policy where both SOURCE and DEST are $FW, # Shorewall will not start! # # POLICY Policy if no match from the rules file is found. Must # be "ACCEPT", "DROP", "REJECT", "CONTINUE" Or "NONE" # # ACCEPT # Accept the connection # DROP # Ignore the connection request. # REJECT # For TCP, send RST. For all other, send # "port unreachable" ICMP. # CONTINUE # Pass the connection request past # any other rules that it might also # match (where the source or destination # zone in those rules is a superset of # the SOURCE or DEST in this policy) # NONE # Assume that there will never be any # packets from this SOURCE to this # DEST. Shorewall will not set up any # infrastructure to handle such packets # and you may not have any rules with # this SOURCE and DEST in the /etc/shorewall/rules # file. If such a packet is received the result # is undefined. NONE may not be used if the # SOURCE or DEST Columns contain the firewall # zone ($FW) or "all". # # If This column contains ACCEPT, DROP or REJECT and a # corresponding common action is defined in /etc/shorewall/actions # (or /usr/share/shorewall/actions.std) then that action will be # invoked before the policy named in this column is inforced. # # LOG LEVEL If supplied, each connection handled under the default # POLICY is logged at that level. If not supplied, no # log message is generated. See syslog.conf(5) for a # description of log levels. # # Beginning with Shorewall version 1.3.12, you may # also specify ULOG (must be in upper case). This will # log to the ULOG target and sent to a separate log # through use of ulogd (http://www.gnumonks.org/projects/ulogd). # # If you don't want to log but need to specify the # following column, place "_" here. # # LIMIT:BURST If passed, specifies the maximum TCP connection rate # and the size of an acceptable burst. If not specified, # TCP connections are not limited. # # As shipped, the default policies are: # # a) All connections from the local network to the Internet are allowed # b) All connections from the Internet are ignored but logged at syslog # level KERNEL.INFO. # d) All other connection requests are rejected and logged at level # KERNEL.INFO. ############################################################################### #SOURCE DEST POLICY LOG LEVEL LIMIT:BURST loc net ACCEPT # If you want open access to the Internet from your Firewall # remove the comment from the following line. #$FW net ACCEPT # Also If You Wish To Open Up DMZ Access To The Internet # remove the comment from the following line. #dmz net ACCEPT net all DROP info # THE FOLLOWING POLICY MUST BE LAST all all REJECT info #LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE