forked from extern/shorewall_code
61b7bf2b9b
git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@4886 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
237 lines
8.0 KiB
XML
237 lines
8.0 KiB
XML
<?xml version="1.0" encoding="UTF-8"?>
|
|
<refentry>
|
|
<refmeta>
|
|
<refentrytitle>shorewall-policy</refentrytitle>
|
|
|
|
<manvolnum>5</manvolnum>
|
|
</refmeta>
|
|
|
|
<refnamediv>
|
|
<refname>policy</refname>
|
|
|
|
<refpurpose>Shorewall policy file</refpurpose>
|
|
</refnamediv>
|
|
|
|
<refsynopsisdiv>
|
|
<cmdsynopsis>
|
|
<command>/etc/shorewall/policy</command>
|
|
</cmdsynopsis>
|
|
</refsynopsisdiv>
|
|
|
|
<refsect1>
|
|
<title>Description</title>
|
|
|
|
<para>This file defines the high-level policy for connections between
|
|
zones defined in /etc/shorewall/zones.</para>
|
|
|
|
<important>
|
|
<para>The order of entries in this file is important</para>
|
|
|
|
<para>This file determines what to do with a new connection request if
|
|
we don't get a match from the /etc/shorewall/rules file . For each
|
|
source/destination pair, the file is processed in order until a match is
|
|
found ("all" will match any client or server).</para>
|
|
</important>
|
|
|
|
<important>
|
|
<para>Intra-zone policies are pre-defined</para>
|
|
|
|
<para>For $FW and for all of the zoned defined in /etc/shorewall/zones,
|
|
the POLICY for connections from the zone to itself is ACCEPT (with no
|
|
logging or TCP connection rate limiting but may be overridden by an
|
|
entry in this file. The overriding entry must be explicit (cannot use
|
|
"all" in the SOURCE or DEST).</para>
|
|
|
|
<para>Similarly, if you have IMPLICIT_CONTINUE=Yes in shorewall.conf,
|
|
then the implicit policy to/from any sub-zone is CONTINUE. These
|
|
implicit CONTINUE policies may also be overridden by an explicit entry
|
|
in this file.</para>
|
|
</important>
|
|
|
|
<para>The columns in the file are as follows.</para>
|
|
|
|
<variablelist>
|
|
<varlistentry>
|
|
<term><emphasis role="bold">SOURCE</emphasis></term>
|
|
|
|
<listitem>
|
|
<para>Source zone. Must be the name of a zone defined in
|
|
/etc/shorewall/zones, $FW or "all".</para>
|
|
</listitem>
|
|
</varlistentry>
|
|
|
|
<varlistentry>
|
|
<term><emphasis role="bold">DEST</emphasis></term>
|
|
|
|
<listitem>
|
|
<para>Destination zone. Must be the name of a zone defined in
|
|
/etc/shorewall/zones, $FW or "all"</para>
|
|
</listitem>
|
|
</varlistentry>
|
|
|
|
<varlistentry>
|
|
<term><emphasis role="bold">POLICY</emphasis></term>
|
|
|
|
<listitem>
|
|
<para>Policy if no match from the rules file is found. Must be
|
|
"ACCEPT", "DROP", "REJECT", "CONTINUE" or "NONE".</para>
|
|
|
|
<variablelist>
|
|
<varlistentry>
|
|
<term><emphasis role="bold">ACCEPT</emphasis></term>
|
|
|
|
<listitem>
|
|
<para>Accept the connection.</para>
|
|
</listitem>
|
|
</varlistentry>
|
|
|
|
<varlistentry>
|
|
<term><emphasis role="bold">DROP</emphasis></term>
|
|
|
|
<listitem>
|
|
<para>Ignore the connection request.</para>
|
|
</listitem>
|
|
</varlistentry>
|
|
|
|
<varlistentry>
|
|
<term><emphasis role="bold">REJECT</emphasis></term>
|
|
|
|
<listitem>
|
|
<para>For TCP, send RST. For all other, send an "unreachable"
|
|
ICMP.</para>
|
|
</listitem>
|
|
</varlistentry>
|
|
|
|
<varlistentry>
|
|
<term><emphasis role="bold">CONTINUE</emphasis></term>
|
|
|
|
<listitem>
|
|
<para>Pass the connection request past any other rules that it
|
|
might also match (where the source or destination zone in
|
|
those rules is a superset of the SOURCE or DEST in this
|
|
policy).</para>
|
|
</listitem>
|
|
</varlistentry>
|
|
|
|
<varlistentry>
|
|
<term><emphasis role="bold">NONE</emphasis></term>
|
|
|
|
<listitem>
|
|
<para>Assume that there will never be any packets from this
|
|
SOURCE to this DEST. Shorewall will not create any
|
|
infrastructure to handle such packets and you may not have any
|
|
rules with this SOURCE and DEST in the /etc/shorewall/rules
|
|
file such a packet _is_ received, the result is undefined.
|
|
NONE may not be used if the SOURCE or DEST columns contain the
|
|
firewall zone ($FW) or "all".</para>
|
|
</listitem>
|
|
</varlistentry>
|
|
</variablelist>
|
|
|
|
<para>If the policy is DROP or REJECT then the policy may be
|
|
followed by ":" and one of the following:</para>
|
|
|
|
<orderedlist numeration="loweralpha">
|
|
<listitem>
|
|
<para>The word "None" or "none". This causes any default action
|
|
defined in /etc/shorewall/shorewall.conf to be omitted for this
|
|
policy.</para>
|
|
</listitem>
|
|
|
|
<listitem>
|
|
<para>The name of an action (requires that USE_ACTIONS=Yes in
|
|
shorewall.conf). That action will be invoked before the policy
|
|
is enforced.</para>
|
|
</listitem>
|
|
|
|
<listitem>
|
|
<para>The name of a macro. The rules in that macro will be
|
|
applied before the policy is enforced. This does not require
|
|
USE_ACTIONS=Yes.</para>
|
|
</listitem>
|
|
</orderedlist>
|
|
</listitem>
|
|
</varlistentry>
|
|
|
|
<varlistentry>
|
|
<term><emphasis role="bold">LOG LEVEL</emphasis> (Optional)</term>
|
|
|
|
<listitem>
|
|
<para>If supplied, each connection handled under the default POLICY
|
|
is logged at that level. If not supplied, no log message is
|
|
generated. See syslog.conf(5) for a description of log
|
|
levels.</para>
|
|
|
|
<para>You may also specify ULOG (must be in upper case). This will
|
|
log to the ULOG target and sent to a separate log through use of
|
|
ulogd (http://www.gnumonks.org/projects/ulogd).</para>
|
|
|
|
<para>If you don't want to log but need to specify the following
|
|
column, place "-" here. </para>
|
|
</listitem>
|
|
</varlistentry>
|
|
|
|
<varlistentry>
|
|
<term><emphasis role="bold">BURST:LIMIT</emphasis></term>
|
|
|
|
<listitem>
|
|
<para>If passed, specifies the maximum TCP connection rate and the
|
|
size of an acceptable burst. If not specified, TCP connections are
|
|
not limited. </para>
|
|
</listitem>
|
|
</varlistentry>
|
|
</variablelist>
|
|
</refsect1>
|
|
|
|
<refsect1>
|
|
<title>Example</title>
|
|
|
|
<orderedlist numeration="loweralpha">
|
|
<listitem>
|
|
<para>All connections from the local network to the internet are
|
|
allowed</para>
|
|
</listitem>
|
|
|
|
<listitem>
|
|
<para>All connections from the internet are ignored but logged at
|
|
syslog level KERNEL.INFO.</para>
|
|
</listitem>
|
|
|
|
<listitem>
|
|
<para>All other connection requests are rejected and logged at level
|
|
KERNEL.INFO.</para>
|
|
</listitem>
|
|
</orderedlist>
|
|
|
|
<programlisting>#SOURCE DEST POLICY LOG BURST:LIMIT
|
|
# LEVEL
|
|
loc net ACCEPT
|
|
net all DROP info
|
|
#
|
|
# THE FOLLOWING POLICY MUST BE LAST
|
|
#
|
|
all all REJECT info</programlisting>
|
|
</refsect1>
|
|
|
|
<refsect1>
|
|
<title>FILES</title>
|
|
|
|
<para>/etc/shorewall/policy</para>
|
|
</refsect1>
|
|
|
|
<refsect1>
|
|
<title>See ALSO</title>
|
|
|
|
<para>http://shorewall.net/Documentation.htm#Policy</para>
|
|
|
|
<para>shorewall(8), shorewall-accounting(5), shorewall-actions(5),
|
|
shorewall-blacklist(5), shorewall-hosts(5), shorewall-interfaces(5),
|
|
shorewall-ipsec(5), shorewall-maclist(5), shorewall-masq(5),
|
|
shorewall-nat(5), shorewall-netmap(5), shorewall-params(5),
|
|
shorewall-policy(5), shorewall-providers(5), shorewall-proxyarp(5),
|
|
shorewall-route_routes(5), shorewall-routestopped(5), shorewall-rules(5),
|
|
shorewall.conf(5), shorewall-tcclasses(5), shorewall-tcdevices(5),
|
|
shorewall-tcrules(5), shorewall-tos(5), shorewall-tunnels(5),
|
|
shorewall-zones(5)</para>
|
|
</refsect1>
|
|
</refentry> |