shorewall-policy(5)                                        shorewall-policy(5)



NAME

       policy - Shorewall policy file


SYNOPSIS

       /etc/shorewall/policy


DESCRIPTION

       This file defines the high-level policy for connections between zones
       defined in shorewall-zones ⟨shorewall-zones.html⟩ (5).

              Important

              The order of entries in this file is important.

              This file determines what to do with a new connection request if
              it does not match any entry in the /etc/shorewall/rules file. For
              each source/destination pair, the file is processed in order
              until a match is found ("all" matches any client or server), so
              the first matching entry wins.

              Important

              Intra-zone policies are pre-defined.

              For $FW and for all of the zones defined in /etc/shorewall/zones,
              the POLICY for connections from the zone to itself is ACCEPT
              (with no logging or TCP connection rate limiting), but it may be
              overridden by an entry in this file. The overriding entry must
              be explicit (it cannot use "all" in the SOURCE or DEST column).

              Similarly, if you have IMPLICIT_CONTINUE=Yes in shorewall.conf,
              then the implicit policy to/from any sub-zone is CONTINUE. These
              implicit CONTINUE policies may also be overridden by an explicit
              entry in this file.

       The columns in the file are as follows.

       SOURCE zone|$FW|all
              Source zone. Must be the name of a zone defined in
              shorewall-zones ⟨shorewall-zones.html⟩ (5), $FW or "all".

       DEST zone|$FW|all
              Destination zone. Must be the name of a zone defined in
              shorewall-zones ⟨shorewall-zones.html⟩ (5), $FW or "all". If the
              DEST is a bport zone, then the SOURCE must be "all", another
              bport zone associated with the same bridge, or an ipv4 zone
              that is associated with only the same bridge.

       POLICY {ACCEPT|DROP|REJECT|CONTINUE|QUEUE|NFQUEUE[/queuenumber]|NONE}[:{default-action-or-macro|None}]
              Policy applied if no match is found in the rules file.

              If the policy is other than CONTINUE or NONE, then the policy
              may be followed by ":" and one of the following:

              1.  The word "None" or "none". This causes any default action
                  defined in shorewall.conf ⟨shorewall.conf.html⟩ (5) to be
                  omitted for this policy.

              2.  The name of an action (requires USE_ACTIONS=Yes in
                  shorewall.conf ⟨shorewall.conf.html⟩ (5)). That action will
                  be invoked before the policy is enforced.

              3.  The name of a macro. The rules in that macro will be applied
                  before the policy is enforced. This does not require
                  USE_ACTIONS=Yes.

              Possible policies are:

              ACCEPT Accept the connection.

              DROP   Ignore the connection request; no reply is sent.

              REJECT For TCP, send an RST. For all other protocols, send an
                     ICMP "unreachable" message.

              QUEUE  Queue the request for a user-space application such as
                     Snort-inline.

              NFQUEUE
                     Added in Shorewall-perl 4.0.3. Queue the request for a
                     user-space application using the nfnetlink_queue
                     mechanism. If a queuenumber is not given, queue zero (0)
                     is assumed.

              CONTINUE
                     Pass the connection request past any other rules that it
                     might also match (where the source or destination zone in
                     those rules is a superset of the SOURCE or DEST in this
                     policy). See shorewall-nesting ⟨shorewall-nesting.html⟩
                     (5) for additional information.

              NONE   Assume that there will never be any packets from this
                     SOURCE to this DEST. Shorewall will not create any
                     infrastructure to handle such packets, and you may not
                     have any rules with this SOURCE and DEST in the
                     /etc/shorewall/rules file. If such a packet is received,
                     the result is undefined. NONE may not be used if the
                     SOURCE or DEST column contains the firewall zone ($FW) or
                     "all".

       LOG LEVEL (Optional) [log-level|ULOG]
              If supplied, each connection handled under the default POLICY
              is logged at that level. If not supplied, no log message is
              generated. See syslog.conf(5) for a description of log levels.

              You may also specify ULOG (must be in upper case). This will log
              to the ULOG target and will send to a separate log through use
              of ulogd (⟨http://www.netfilter.org/projects/ulogd/index.html⟩).

              If you don't want to log but need to specify the following
              column, place "-" here.

       BURST:LIMIT rate/{second|minute}:burst
              If given, specifies the maximum TCP connection rate and the size
              of an acceptable burst. If not specified, TCP connections are
              not rate limited.


EXAMPLE

       1.  All connections from the local network to the internet are allowed.

       2.  All connections from the internet are ignored but logged at syslog
           level KERNEL.INFO.

       3.  All other connection requests are rejected and logged at level
           KERNEL.INFO.

               #SOURCE         DEST            POLICY          LOG           BURST:LIMIT
               #                                               LEVEL
               loc             net             ACCEPT
               net             all             DROP            info
               #
               # THE FOLLOWING POLICY MUST BE LAST
               #
               all             all             REJECT          info

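       The lookup rules described above (entries scanned in order with the
       first match winning, "all" matching any zone, and the pre-defined
       intra-zone ACCEPT that only an explicit entry can override), as an
       added Python simulator. This is example code written for this page,
       not part of Shorewall; it parses the policy columns, feeds the example
       file above through the same logic, and then a constructed variant in
       which the catch-all has been moved to the top and an explicit "loc loc"
       entry added. The function names, the reordered file and the
       10/second:40 rate are assumptions for the demo.

```python
"""Simulator (example code, not Shorewall itself) of how a POLICY entry is
chosen for a new connection between two zones, following shorewall-policy(5):
scan entries in order, "all" matches any zone, and a zone's policy to itself
is ACCEPT unless an entry naming that zone explicitly in both columns
overrides it."""

from dataclasses import dataclass
from typing import Optional

FW = "$FW"
POLICIES = {"ACCEPT", "DROP", "REJECT", "CONTINUE", "QUEUE", "NFQUEUE", "NONE"}


@dataclass
class Policy:
    source: str
    dest: str
    action: str                        # e.g. DROP, NFQUEUE/3
    default: Optional[str] = None      # ":macro" / ":None" suffix, if any
    log_level: Optional[str] = None    # LOG LEVEL column ("-" means none)
    burst_limit: Optional[str] = None  # BURST:LIMIT column


def parse_policy(text: str) -> list[Policy]:
    """Parse the whitespace-separated columns of /etc/shorewall/policy."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        cols = line.split()
        if len(cols) < 3:
            raise ValueError(f"need SOURCE DEST POLICY: {raw!r}")
        src, dst, pol = cols[0], cols[1], cols[2]
        action, _, default = pol.partition(":")
        base = action.split("/", 1)[0]        # strip NFQUEUE/queuenumber
        if base not in POLICIES:
            raise ValueError(f"unknown policy {action!r} in {raw!r}")
        if base == "NONE" and (src in (FW, "all") or dst in (FW, "all")):
            raise ValueError(f"NONE may not be used with $FW or all: {raw!r}")
        if base in ("CONTINUE", "NONE") and default:
            raise ValueError(f"{base} cannot take a default action: {raw!r}")
        log = cols[3] if len(cols) > 3 and cols[3] != "-" else None
        burst = cols[4] if len(cols) > 4 else None
        entries.append(Policy(src, dst, action, default or None, log, burst))
    return entries


def is_valid(text: str) -> bool:
    """True if every line parses under the rules checked in parse_policy."""
    try:
        parse_policy(text)
        return True
    except ValueError:
        return False


def lookup(entries: list[Policy], src: str, dst: str) -> Policy:
    """Return the entry that governs a new src -> dst connection."""
    if src == dst:
        # Intra-zone: only an explicit entry (no "all") overrides the
        # pre-defined ACCEPT, which has no logging or rate limiting.
        for e in entries:
            if e.source == src and e.dest == dst:
                return e
        return Policy(src, dst, "ACCEPT")
    for e in entries:   # first match wins, which is why order matters
        if e.source in (src, "all") and e.dest in (dst, "all"):
            return e
    raise LookupError(f"no policy covers {src} -> {dst}")


def decide(text: str, src: str, dst: str) -> tuple[str, Optional[str]]:
    """Convenience wrapper: (policy action, log level) for src -> dst."""
    p = lookup(parse_policy(text), src, dst)
    return p.action, p.log_level


# The man page's own example file, reproduced as input.
EXAMPLE_POLICY = """\
#SOURCE   DEST   POLICY   LOG     BURST:LIMIT
#                         LEVEL
loc       net    ACCEPT
net       all    DROP     info
#
# THE FOLLOWING POLICY MUST BE LAST
#
all       all    REJECT   info
"""

# Constructed variant (assumption for the demo): catch-all moved to the top,
# plus an explicit intra-zone override with a rate limit.
REORDERED_POLICY = """\
all       all    REJECT   info
loc       net    ACCEPT
net       all    DROP     info
loc       loc    DROP     info   10/second:40
"""

if __name__ == "__main__":
    for s, d in (("loc", "net"), ("net", "loc"), ("loc", FW), ("net", "net")):
        print(f"{s:4} -> {d:4}: {decide(EXAMPLE_POLICY, s, d)}")
    print("reordered loc -> net:", decide(REORDERED_POLICY, "loc", "net"))
    print("reordered loc -> loc:", decide(REORDERED_POLICY, "loc", "loc"))
```

       With the example file, loc -> net is ACCEPT, net -> loc is DROP, and
       loc -> $FW falls through to the final REJECT; net -> net stays ACCEPT
       because "net all DROP" uses "all" and so cannot override the intra-zone
       default. In the reordered file the leading "all all REJECT" shadows the
       later "loc net ACCEPT", which is exactly why the catch-all must be last.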

FILES

       /etc/shorewall/policy


SEE ALSO

       shorewall(8), shorewall-accounting(5), shorewall-actions(5),
       shorewall-blacklist(5), shorewall-hosts(5), shorewall-interfaces(5),
       shorewall-ipsec(5), shorewall-maclist(5), shorewall-masq(5),
       shorewall-nat(5), shorewall-netmap(5), shorewall-params(5),
       shorewall-policy(5), shorewall-providers(5), shorewall-proxyarp(5),
       shorewall-route_routes(5), shorewall-routestopped(5),
       shorewall-rules(5), shorewall.conf(5), shorewall-tcclasses(5),
       shorewall-tcdevices(5), shorewall-tcrules(5), shorewall-tos(5),
       shorewall-tunnels(5), shorewall-zones(5)



                                  19 May 2008              shorewall-policy(5)