# Shorewall6 Version 4 - Sample Policy File for three-interface configuration.
#
# Copyright (C) 2006,2008 by the Shorewall Team
#
# This library is free software; you can redistribute it and/or
# modify it under the terms of the GNU Lesser General Public
# License as published by the Free Software Foundation; either
# version 2.1 of the License, or (at your option) any later version.
#
# See the file README.txt for further details.
#------------------------------------------------------------------------------
# For information about entries in this file, type "man shorewall6-policy"
###############################################################################
#
# This file defines the high-level policy for connections between
# zones defined in shorewall6-zones(5).
#
# The order of entries in this file is important.
#
# This file determines what to do with a new connection request
# if we don't get a match from the /etc/shorewall6/rules file.
# For each source/destination pair, the file is processed in
# order until a match is found ("all" will match any client or
#
# Intra-zone policies are pre-defined.
#
# For $FW and for all of the zones defined in
# /etc/shorewall6/zones, the POLICY for connections from the zone
# to itself is ACCEPT (with no logging or TCP connection rate
# limiting) but may be overridden by an entry in this file. The
# overriding entry must be explicit (cannot use "all" in the
#
# Similarly, if you have IMPLICIT_CONTINUE=Yes in
# shorewall6.conf, then the implicit policy to/from any sub-zone
# is CONTINUE. These implicit CONTINUE policies may also be
# overridden by an explicit entry in this file.
#
# The columns in the file are as follows.
#
# SOURCE - zone|$FW|all
# Source zone. Must be the name of a zone defined in
# shorewall6-zones(5), $FW or "all".
#
# DEST - zone|$FW|all
# Destination zone. Must be the name of a zone defined in
# shorewall6-zones(5), $FW or "all". If the DEST is a
# bport zone, then the SOURCE must be "all", another bport
# zone associated with the same bridge, or it must be an
# ipv6 zone that is associated with only the same bridge.
#
# {ACCEPT|DROP|REJECT|CONTINUE|QUEUE|NFQUEUE[(queuenumber)
# ]|NONE}[:{default-action-or-macro|None}]
# Policy if no match from the rules file is found.
#
# If the policy is other than CONTINUE or NONE then the
# policy may be followed by ":" and one of the following:
#
# a. The word "None" or "none". This causes any default
# action defined in shorewall6.conf(5) to be omitted for
#
# b. The name of an action (requires that USE_ACTIONS=Yes
# in shorewall6.conf(5)). That action will be invoked
# before the policy is enforced.
# c. The name of a macro. The rules in that macro will be
# applied before the policy is enforced. This does not
# require USE_ACTIONS=Yes.
#
# Possible policies are:
#
# ACCEPT
# Accept the connection.
#
# DROP
# Ignore the connection request.
#
# REJECT
# For TCP, send RST. For all other, send an
#
# QUEUE
# Queue the request for a user-space application
# such as Snort-inline.
#
# NFQUEUE
# Queue the request for a user-space application
# using the nfnetlink_queue mechanism. If a
# queuenumber is not given, queue zero (0) is
#
# CONTINUE
# Pass the connection request past any other rules
# that it might also match (where the source or
# destination zone in those rules is a superset of
# the SOURCE or DEST in this policy). See
# shorewall6-nesting(5) for additional information.
#
# NONE
# Assume that there will never be any packets from
# this SOURCE to this DEST. shorewall6 will not
# create any infrastructure to handle such packets
# and you may not have any rules with this SOURCE
# and DEST in the /etc/shorewall6/rules file. If
# such a packet is received, the result is
# undefined. NONE may not be used if the SOURCE or
# DEST columns contain the firewall zone ($FW) or
#
# LOG LEVEL (Optional) - [log-level|NFLOG]
# If supplied, each connection handled under the default
# POLICY is logged at that level. If not supplied, no log
# message is generated. See syslog.conf(5) for a
# description of log levels.
#
# You may also specify NFLOG (must be in upper case). This
# will log to the NFLOG target and will send to a separate
# log through use of ulogd
# (http://www.netfilter.org/projects/ulogd/index.html).
#
# If you don't want to log but need to specify the
# following column, place "-" here.
#
# BURST:LIMIT - [{s|d}:[[name]:]]rate/{second|minute}[:burst]
# If passed, specifies the maximum TCP connection rate and
# the size of an acceptable burst. If not specified, TCP
# connections are not limited. If the burst parameter is
# omitted, a value of 5 is assumed.
#
# When s: or d: is specified, the rate applies per source
# IP address or per destination IP address respectively.
# The name may be chosen by the user and specifies a hash
# table to be used to count matching connections. If not
# given, the name shorewall is assumed. Where more than one
# POLICY specifies the same name, the connection counts
# for the policies are aggregated and the individual rates
# apply to the aggregated count.
#
# CONNLIMIT - limit[:mask]
# May be used to limit the number of simultaneous
# connections from each individual host. While the limit
# is only checked on connections to which this policy
# could apply, the number of current connections is
# calculated over all current connections from the SOURCE
# host. By default, the limit is applied to each host
# individually but can be made to apply to networks of
# hosts by specifying a mask. The mask specifies the width
# of a VLSM mask to be applied to the source address; the
# number of current connections is then taken over all
# hosts in the subnet source-address/mask.
#
# a. All connections from the local network to the internet are
#
# b. All connections from the internet are ignored but logged at
# syslog level KERNEL.INFO.
# c. All other connection requests are rejected and logged at
#
# #SOURCE DEST POLICY LOG BU
#
# # THE FOLLOWING POLICY MUST BE LAST
#
# all all REJECT info
#
###############################################################################
#SOURCE DEST POLICY LOG LEVEL LIMIT:BURST
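# The parser below is an added example and is not code from the Shorewall project.
# It reads policy lines with the column layout documented above and resolves the
# effective policy for a zone pair the way the comments describe it: first match
# wins, "all" matches any zone, a zone talking to itself is ACCEPTed unless an
# explicit (non-"all") entry overrides that, NONE is refused when either column
# is $FW, and the burst part of BURST:LIMIT defaults to 5. The sample policy text
# is constructed to mirror the three-interface description (a, b, c); the zone
# names loc, net and dmz, the NFQUEUE line and all function names are assumptions.

```python
"""Parser and first-match resolver for Shorewall6 policy lines.

Added example, not part of the Shorewall distribution. The sample policy
text below is constructed to mirror the three-interface description; zone
names (loc, net, dmz) and all function names are assumptions.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

POLICIES = {"ACCEPT", "DROP", "REJECT", "CONTINUE", "QUEUE", "NFQUEUE", "NONE"}


@dataclass
class Policy:
    source: str
    dest: str
    policy: str               # one of POLICIES
    queue: Optional[int]      # NFQUEUE queue number; 0 when "(queuenumber)" is omitted
    default: Optional[str]    # default action or macro given after ":" (None if absent)
    log_level: Optional[str]  # LOG LEVEL column; None when "-" or missing
    limit: Optional[str]      # rate part of BURST:LIMIT, e.g. "s:10/second"
    burst: int                # burst part of BURST:LIMIT; 5 when omitted
    connlimit: Optional[str]  # CONNLIMIT column, e.g. "10:64"


def parse_policy_line(line: str) -> Optional[Policy]:
    """Parse one policy line; returns None for blank or comment-only lines."""
    line = line.split("#", 1)[0].strip()
    if not line:
        return None
    cols = line.split()
    if len(cols) < 3:
        raise ValueError(f"need at least SOURCE DEST POLICY: {line!r}")
    source, dest, pol = cols[:3]
    # Optional columns; "-" is the placeholder for "not specified".
    opt = [None if c == "-" else c for c in cols[3:6]] + [None] * 3
    log_level, rate, connlimit = opt[:3]

    # POLICY may carry ":default-action-or-macro"; NFQUEUE may carry "(queuenumber)".
    default = None
    if ":" in pol:
        pol, default = pol.split(":", 1)
    queue = None
    m = re.fullmatch(r"NFQUEUE(?:\((\d+)\))?", pol)
    if m:
        pol, queue = "NFQUEUE", int(m.group(1) or 0)
    if pol not in POLICIES:
        raise ValueError(f"unknown policy {pol!r}")
    if default is not None and pol in ("CONTINUE", "NONE"):
        raise ValueError(f"{pol} may not be followed by a default action")
    if pol == "NONE" and "$FW" in (source, dest):
        raise ValueError("NONE may not be used when SOURCE or DEST is $FW")

    # BURST:LIMIT is [{s|d}:[[name]:]]rate/{second|minute}[:burst]; burst defaults to 5.
    limit, burst = None, 5
    if rate is not None:
        m = re.fullmatch(r"(.+/(?:second|minute))(?::(\d+))?", rate)
        if not m:
            raise ValueError(f"bad BURST:LIMIT {rate!r}")
        limit, burst = m.group(1), int(m.group(2) or 5)
    return Policy(source, dest, pol, queue, default, log_level, limit, burst, connlimit)


def load_policies(text: str) -> List[Policy]:
    """Parse a whole policy file, preserving order (order decides matching)."""
    return [p for p in map(parse_policy_line, text.splitlines()) if p is not None]


def effective_policy(policies: List[Policy], source: str, dest: str) -> Policy:
    """Return the first entry matching (source, dest); "all" matches any zone.

    A zone talking to itself is ACCEPTed unless an entry names that zone
    explicitly in both columns; "all" entries cannot override that default.
    """
    for p in policies:
        if source == dest and "all" in (p.source, p.dest):
            continue
        if p.source in ("all", source) and p.dest in ("all", dest):
            return p
    if source == dest:
        return Policy(source, dest, "ACCEPT", None, None, None, None, 5, None)
    raise LookupError(f"no policy covers {source} -> {dest}")


# Constructed sample mirroring the three-interface description: loc->net accepted,
# everything from net dropped and logged, all other requests rejected and logged.
SAMPLE_POLICY = """\
#SOURCE DEST  POLICY       LOG LEVEL  LIMIT:BURST
loc     net   ACCEPT
dmz     net   NFQUEUE(2)   info       10/minute:20
net     all   DROP         info
# THE FOLLOWING POLICY MUST BE LAST
all     all   REJECT       info
"""

if __name__ == "__main__":
    entries = load_policies(SAMPLE_POLICY)
    for src, dst in [("loc", "net"), ("net", "loc"), ("loc", "dmz"), ("loc", "loc")]:
        p = effective_policy(entries, src, dst)
        print(f"{src} -> {dst}: {p.policy} (log={p.log_level}, burst={p.burst})")
```

# Running it shows why the "all all REJECT" entry must be last: anything not
# matched earlier lands on it, while loc -> loc still resolves to the implicit
# intra-zone ACCEPT because an "all" entry is not allowed to override that default.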