forked from extern/shorewall_code
6269a6f18a
git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@6912 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
83 lines
2.7 KiB
Plaintext
83 lines
2.7 KiB
Plaintext
#
|
|
# Shorewall version 3.4 - Sample Policy File for three-interface configuration.
|
|
# Copyright (C) 2006 by the Shorewall Team
|
|
#
|
|
# This library is free software; you can redistribute it and/or
|
|
# modify it under the terms of the GNU Lesser General Public
|
|
# License as published by the Free Software Foundation; either
|
|
# version 2.1 of the License, or (at your option) any later version.
|
|
#
|
|
# See the file README.txt for further details.
|
|
#------------------------------------------------------------------------------
|
|
# For information about entries in this file, type "man shorewall-policy"
|
|
#
|
|
# See http://shorewall.net/Documentation.htm#Policy for additional information.
|
|
#
|
|
###############################################################################
|
|
#SOURCE DEST POLICY LOG LEVEL LIMIT:BURST
|
|
|
|
#
|
|
# Note about policies and logging:
|
|
# This file contains an explicit policy for every combination of
|
|
# zones defined in this sample. This is solely for the purpose of
|
|
# providing more specific messages in the logs. This is not
|
|
# necessary for correct operation of the firewall, but greatly
|
|
# assists in diagnosing problems. The policies below are logically
|
|
# equivalent to:
|
|
#
|
|
# loc net ACCEPT
|
|
# net all DROP info
|
|
# all all REJECT info
|
|
#
|
|
# The Shorewall-perl compiler will generate the individual policies
|
|
# below from the above general policies if you set
|
|
# EXPAND_POLICIES=Yes in shorewall.conf.
|
|
#
|
|
|
|
#
|
|
# Policies for traffic originating from the local LAN (loc)
|
|
#
|
|
# If you want to force clients to access the Internet via a proxy server
|
|
# in your DMZ, change the following policy to REJECT info.
|
|
loc net ACCEPT
|
|
# If you want open access to DMZ from loc, change the following policy
|
|
# to ACCEPT. (If you chose not to do this, you will need to add a rule
|
|
# for each service in the rules file.)
|
|
loc dmz REJECT info
|
|
loc $FW REJECT info
|
|
loc all REJECT info
|
|
|
|
#
|
|
# Policies for traffic originating from the firewall ($FW)
|
|
#
|
|
# If you want open access to the Internet from your firewall, change the
|
|
# $FW to net policy to ACCEPT and remove the 'info' LOG LEVEL.
|
|
$FW net REJECT info
|
|
$FW dmz REJECT info
|
|
$FW loc REJECT info
|
|
$FW all REJECT info
|
|
|
|
#
|
|
# Policies for traffic originating from the De-Militarized Zone (dmz)
|
|
#
|
|
# If you want open access from DMZ to the Internet change the following
|
|
# policy to ACCEPT. This may be useful if you run a proxy server in
|
|
# your DMZ.
|
|
dmz net REJECT info
|
|
dmz $FW REJECT info
|
|
dmz loc REJECT info
|
|
dmz all REJECT info
|
|
|
|
#
|
|
# Policies for traffic originating from the Internet zone (net)
|
|
#
|
|
net dmz DROP info
|
|
net $FW DROP info
|
|
net loc DROP info
|
|
net all DROP info
|
|
|
|
# THE FOLLOWING POLICY MUST BE LAST
|
|
all all REJECT info
|
|
|
|
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE
|