Provided by: shorewall-common_4.0.12-1_all

NAME

       policy - Shorewall policy file

SYNOPSIS

       /etc/shorewall/policy

DESCRIPTION

       This  file  defines the high-level policy for connections between zones
       defined in shorewall-zones 〈shorewall-zones.html〉 (5).
              Important: the order of entries in this file is important.

              This file determines what to do with a new connection request if
              we don't get a match from the /etc/shorewall/rules file. For
              each source/destination pair, the file is processed in order
              until a match is found ("all" will match any client or server).

              Important: intra-zone policies are pre-defined.

              For $FW and for all of the zones defined in /etc/shorewall/zones,
              the POLICY for connections from the zone to itself is ACCEPT
              (with no logging or TCP connection rate limiting), but this may
              be overridden by an entry in this file. The overriding entry must
              be explicit (it cannot use "all" in the SOURCE or DEST column).

              Similarly,  if you have IMPLICIT_CONTINUE=Yes in shorewall.conf,
              then the implicit policy to/from any sub-zone is CONTINUE. These
              implicit CONTINUE policies may also be overridden by an explicit
              entry in this file.

       The columns in the file are as follows.

       SOURCE - zone|$FW|all
              Source zone. Must be the name of a zone  defined  in  shorewall-
              zones 〈shorewall-zones.html〉 (5), $FW or "all".

       DEST - zone|$FW|all
              Destination  zone.  Must  be  the  name  of  a  zone  defined in
              shorewall-zones 〈shorewall-zones.html〉 (5), $FW  or  "all".   If
              the DEST is a bport zone, then the SOURCE must be "all", another
              bport zone associated with the same bridge, or  it  must  be  an
              ipv4 zone that is associated with only the same bridge.

       POLICY - {ACCEPT|DROP|REJECT|CONTINUE|QUEUE|NFQUEUE[/queuenumber]|NONE}
                [:{default-action-or-macro|None}]
              Policy if no match from the rules file is found.

              If the policy is other than CONTINUE or NONE then the policy may
              be followed by ":" and one of the following:

              1.  The word "None" or "none". This causes  any  default  action
                  defined  in  shorewall.conf  〈shorewall.conf.html〉 (5) to be
                  omitted for this policy.

              2.  The name of an  action  (requires  that  USE_ACTIONS=Yes  in
                  shorewall.conf 〈shorewall.conf.html〉 (5)).  That action will
                  be invoked before the policy is enforced.

              3.  The name of a macro. The rules in that macro will be applied
                  before  the  policy  is  enforced.  This  does  not  require
                  USE_ACTIONS=Yes.

              Possible policies are:

              ACCEPT Accept the connection.

              DROP   Ignore the connection request.

              REJECT For TCP, send an RST. For all other protocols, send an
                     ICMP "unreachable".

              QUEUE  Queue  the  request  for a user-space application such as
                     Snort-inline.

              NFQUEUE
                     Added in Shorewall-perl 4.0.3. Queue the  request  for  a
                     user-space    application   using   the   nfnetlink_queue
                     mechanism. If a queuenumber is not given, queue zero  (0)
                     is assumed.

              CONTINUE
                     Pass  the connection request past any other rules that it
                     might also match (where the source or destination zone in
                     those  rules  is a superset of the SOURCE or DEST in this
                     policy). See  shorewall-nesting  〈shorewall-nesting.html〉
                     (5) for additional information.

              NONE   Assume  that  there  will  never be any packets from this
                     SOURCE to  this  DEST.  Shorewall  will  not  create  any
                     infrastructure  to  handle  such  packets and you may not
                     have  any  rules  with  this  SOURCE  and  DEST  in   the
                     /etc/shorewall/rules  file. If such a packet is received,
                     the result is undefined. NONE may  not  be  used  if  the
                     SOURCE or DEST columns contain the firewall zone ($FW) or
                     "all".

       LOG LEVEL (Optional) - [log-level|ULOG]
              If supplied, each connection handled under the default POLICY is
              logged  at  that  level.  If  not  supplied,  no  log message is
              generated. See syslog.conf(5) for a description of log levels.

              You may also specify ULOG (must be in upper case). This will log
              to  the  ULOG target and will send to a separate log through use
              of ulogd (〈http://www.netfilter.org/projects/ulogd/index.html〉).

              If  you  don’t  want  to  log  but need to specify the following
              column, place "-" here.

       BURST:LIMIT (Optional) - rate/{second|minute}:burst
              If given, specifies the maximum TCP connection rate and the size
              of an acceptable burst. If not specified, TCP connections are
              not rate limited.

EXAMPLE

       1.  All connections from the local network to the internet are allowed.

       2.  All connections from the internet are dropped but logged at syslog
           level KERNEL.INFO.

       3.  All other connection requests are rejected and logged at syslog
           level KERNEL.INFO.

               #SOURCE         DEST            POLICY          LOG           BURST:LIMIT
               #                                               LEVEL
               loc             net             ACCEPT
               net             all             DROP            info
               #
               # THE FOLLOWING POLICY MUST BE LAST
               #
               all             all             REJECT          info
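       The lookup order described above, simulated in Python as an added
       example (not part of this man page or of the Shorewall project): a
       parser for policy entries, a lookup that honours the pre-defined
       intra-zone ACCEPT, and a check for entries that an earlier catch-all
       makes unreachable. The sample file is the EXAMPLE above; the zone
       names and the Policy, lookup and unreachable helpers are assumptions.

```python
from collections import namedtuple
Policy = namedtuple("Policy", "source dest action log_level burst_limit")

# Constructed sample input: the three-entry policy file from the EXAMPLE section.
SAMPLE_POLICY = """\
#SOURCE  DEST  POLICY  LOG   BURST:LIMIT
loc      net   ACCEPT
net      all   DROP    info
# THE FOLLOWING POLICY MUST BE LAST
all      all   REJECT  info
"""

def parse_policy(text):
    """Parse entries in file order; comments and blank lines are skipped."""
    entries = []
    for raw in text.splitlines():
        fields = raw.split("#", 1)[0].split()
        if not fields:
            continue
        fields += ["-"] * (5 - len(fields))            # LOG LEVEL and BURST:LIMIT are optional
        src, dst, action, log, burst = fields[:5]
        if action == "NONE" and {src, dst} & {"$FW", "all"}:   # restriction stated for NONE
            raise ValueError("NONE may not be used with $FW or all: %r" % raw)
        entries.append(Policy(src, dst, action, None if log == "-" else log,
                              None if burst == "-" else burst))
    return entries

def _covers(entry, source, dest):
    """True if entry applies to source->dest; "all" never matches a zone talking to itself."""
    if source == dest and "all" in (entry.source, entry.dest):
        return False                                  # intra-zone default needs an explicit override
    return entry.source in ("all", source) and entry.dest in ("all", dest)

def lookup(entries, source, dest):
    """First matching entry in file order, else the implicit intra-zone ACCEPT or None."""
    for entry in entries:
        if _covers(entry, source, dest):
            return entry
    return Policy(source, dest, "ACCEPT", None, None) if source == dest else None

def _dominates(earlier, later):
    """True if 'earlier' matches every source/dest pair that 'later' could match."""
    if later.source == later.dest != "all" and "all" in (earlier.source, earlier.dest):
        return False                                  # intra-zone entries are not covered by "all"
    return earlier.source in ("all", later.source) and earlier.dest in ("all", later.dest)

def unreachable(entries):
    """Entries that can never match because an earlier entry already covers them."""
    return [e for i, e in enumerate(entries) if any(_dominates(p, e) for p in entries[:i])]
```

       Any entry placed after the "all all" catch-all is reported by
       unreachable(), which is why the example marks that line as last.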

FILES

       /etc/shorewall/policy

SEE ALSO

       shorewall(8), shorewall-accounting(5), shorewall-actions(5),
       shorewall-blacklist(5), shorewall-hosts(5), shorewall-interfaces(5),
       shorewall-ipsec(5), shorewall-maclist(5), shorewall-masq(5),
       shorewall-nat(5), shorewall-netmap(5), shorewall-params(5),
       shorewall-policy(5), shorewall-providers(5), shorewall-proxyarp(5),
       shorewall-route_routes(5), shorewall-routestopped(5), shorewall-rules(5),
       shorewall.conf(5), shorewall-tcclasses(5), shorewall-tcdevices(5),
       shorewall-tcrules(5), shorewall-tos(5), shorewall-tunnels(5),
       shorewall-zones(5)

                                 24 June 2008              shorewall-policy(5)