forked from extern/shorewall_code
011345f9b6
git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@4012 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
156 lines
5.5 KiB
Plaintext
156 lines
5.5 KiB
Plaintext
#
|
|
# Shorewall version 3.2 - Sample Policy File for three-interface configuration.
|
|
# Copyright (C) 2006 by the Shorewall Team
|
|
#
|
|
# This library is free software; you can redistribute it and/or
|
|
# modify it under the terms of the GNU Lesser General Public
|
|
# License as published by the Free Software Foundation; either
|
|
# version 2.1 of the License, or (at your option) any later version.
|
|
#
|
|
# See the file README.txt for further details.
|
|
#
|
|
#
|
|
# /etc/shorewall/policy
|
|
#
|
|
# THE ORDER OF ENTRIES IN THIS FILE IS IMPORTANT
|
|
#
|
|
# This file determines what to do with a new connection request if we
|
|
# don't get a match from the /etc/shorewall/rules file . For each
|
|
# source/destination pair, the file is processed in order until a
|
|
# match is found ("all" will match any client or server).
|
|
#
|
|
# INTRA-ZONE POLICIES ARE PRE-DEFINED
|
|
#
|
|
# For $FW and for all of the zoned defined in /etc/shorewall/zones,
|
|
# the POLICY for connections from the zone to itself is ACCEPT (with no
|
|
# logging or TCP connection rate limiting but may be overridden by an
|
|
# entry in this file. The overriding entry must be explicit (cannot use
|
|
# "all" in the SOURCE or DEST).
|
|
#
|
|
# Similarly, if you have IMPLICIT_CONTINUE=Yes in shorewall.conf, then
|
|
# the implicit policy to/from any sub-zone is CONTINUE. These implicit
|
|
# CONTINUE policies may also be overridden by an explicit entry in this
|
|
# file.
|
|
#
|
|
# Columns are:
|
|
#
|
|
# SOURCE Source zone. Must be the name of a zone defined
|
|
# in /etc/shorewall/zones, $FW or "all".
|
|
#
|
|
# DEST Destination zone. Must be the name of a zone defined
|
|
# in /etc/shorewall/zones, $FW or "all"
|
|
#
|
|
# POLICY Policy if no match from the rules file is found. Must
|
|
# be "ACCEPT", "DROP", "REJECT", "CONTINUE" or "NONE".
|
|
#
|
|
# ACCEPT - Accept the connection
|
|
# DROP - Ignore the connection request
|
|
# REJECT - For TCP, send RST. For all other,
|
|
# send "port unreachable" ICMP.
|
|
# QUEUE - Send the request to a user-space
|
|
# application using the QUEUE target.
|
|
# CONTINUE - Pass the connection request past
|
|
# any other rules that it might also
|
|
# match (where the source or
|
|
# destination zone in those rules is
|
|
# a superset of the SOURCE or DEST
|
|
# in this policy).
|
|
# NONE - Assume that there will never be any
|
|
# packets from this SOURCE
|
|
# to this DEST. Shorewall will not set
|
|
# up any infrastructure to handle such
|
|
# packets and you may not have any
|
|
# rules with this SOURCE and DEST in
|
|
# the /etc/shorewall/rules file. If
|
|
# such a packet _is_ received, the
|
|
# result is undefined. NONE may not be
|
|
# used if the SOURCE or DEST columns
|
|
# contain the firewall zone ($FW) or
|
|
# "all".
|
|
#
|
|
# If this column contains ACCEPT, DROP or REJECT and a
|
|
# corresponding common action is defined in
|
|
# /etc/shorewall/actions (or
|
|
# /usr/share/shorewall/actions.std) then that action
|
|
# will be invoked before the policy named in this column
|
|
# is enforced.
|
|
#
|
|
# LOG LEVEL If supplied, each connection handled under the default
|
|
# POLICY is logged at that level. If not supplied, no
|
|
# log message is generated. See syslog.conf(5) for a
|
|
# description of log levels.
|
|
#
|
|
# Beginning with Shorewall version 1.3.12, you may
|
|
# also specify ULOG (must be in upper case). This will
|
|
# log to the ULOG target and sent to a separate log
|
|
# through use of ulogd
|
|
# (http://www.gnumonks.org/projects/ulogd).
|
|
#
|
|
# If you don't want to log but need to specify the
|
|
# following column, place "-" here.
|
|
#
|
|
# LIMIT:BURST If passed, specifies the maximum TCP connection rate
|
|
# and the size of an acceptable burst. If not specified,
|
|
# TCP connections are not limited.
|
|
#
|
|
# See http://shorewall.net/Documentation.htm#Policy for additional information.
|
|
#
|
|
###############################################################################
|
|
#SOURCE DEST POLICY LOG LEVEL LIMIT:BURST
|
|
|
|
#
|
|
# Note about policies and logging:
|
|
# This file contains an explicit policy for every combination of
|
|
# zones defined in this sample. This is solely for the purpose of
|
|
# providing more specific messages in the logs. This is not
|
|
# necessary for correct operation of the firewall, but greatly
|
|
# assists in diagnosing problems.
|
|
#
|
|
|
|
#
|
|
# Policies for traffic originating from the local LAN (loc)
|
|
#
|
|
# If you want to force clients to access the Internet via a proxy server
|
|
# in your DMZ, change the following policy to REJECT info.
|
|
loc net ACCEPT
|
|
# If you want open access to DMZ from loc, change the following policy
|
|
# to ACCEPT. (If you chose not to do this, you will need to add a rule
|
|
# for each service in the rules file.)
|
|
loc dmz REJECT info
|
|
loc $FW REJECT info
|
|
loc all REJECT info
|
|
|
|
#
|
|
# Policies for traffic originating from the firewall ($FW)
|
|
#
|
|
# If you want open access to the Internet from your firewall, change the
|
|
# $FW to net policy to ACCEPT and remove the 'info' LOG LEVEL.
|
|
$FW net REJECT info
|
|
$FW dmz REJECT info
|
|
$FW loc REJECT info
|
|
$FW all REJECT info
|
|
|
|
#
|
|
# Policies for traffic originating from the De-Militarized Zone (dmz)
|
|
#
|
|
# If you want open access from DMZ to the Internet change the following
|
|
# policy to ACCEPT. This may be useful if you run a proxy server in
|
|
# your DMZ.
|
|
dmz net REJECT info
|
|
dmz $FW REJECT info
|
|
dmz loc REJECT info
|
|
dmz all REJECT info
|
|
|
|
#
|
|
# Policies for traffic originating from the Internet zone (net)
|
|
#
|
|
net dmz DROP info
|
|
net $FW DROP info
|
|
net loc DROP info
|
|
net all DROP info
|
|
|
|
# THE FOLLOWING POLICY MUST BE LAST
|
|
all all REJECT info
|
|
|
|
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE
|