shorewall-policy(5)                                        shorewall-policy(5)



NAME
policy - Shorewall policy file

SYNOPSIS
/etc/shorewall/policy

DESCRIPTION
This file defines the high-level policy for connections between zones
defined in shorewall-zones(5).
Important

The order of entries in this file is important

This file determines what to do with a new connection request if
there is no match in the /etc/shorewall/rules file. For each
source/destination pair, the file is processed in order until a
match is found ("all" will match any client or server), so a
catch-all entry such as "all all REJECT" must come after the more
specific entries it would otherwise shadow.

Important

Intra-zone policies are pre-defined

For $FW and for all of the zones defined in /etc/shorewall/zones,
the POLICY for connections from the zone to itself is ACCEPT (with
no logging or TCP connection rate limiting) but may be overridden
by an entry in this file. The overriding entry must be explicit
(it cannot use "all" in the SOURCE or DEST column).

Similarly, if you have IMPLICIT_CONTINUE=Yes in shorewall.conf,
then the implicit policy to/from any sub-zone is CONTINUE. These
implicit CONTINUE policies may also be overridden by an explicit
entry in this file.

The columns in the file are as follows.

SOURCE — zone|$FW|all
Source zone. Must be the name of a zone defined in
shorewall-zones(5), $FW or "all".

DEST — zone|$FW|all
Destination zone. Must be the name of a zone defined in
shorewall-zones(5), $FW or "all". If the DEST is a bport zone, then
the SOURCE must be "all", another bport zone associated with the
same bridge, or an ipv4 zone that is associated with only the same
bridge.

POLICY — {ACCEPT|DROP|REJECT|CONTINUE|QUEUE|NFQUEUE[/queuenumber]|NONE}[:{default-action-or-macro|None}]
Policy if no match from the rules file is found.

If the policy is other than CONTINUE or NONE then the policy may
be followed by ":" and one of the following:

1. The word "None" or "none". This causes any default action
defined in shorewall.conf(5) to be omitted for this policy.

2. The name of an action (requires that USE_ACTIONS=Yes in
shorewall.conf(5)). That action will be invoked before the policy
is enforced.

3. The name of a macro. The rules in that macro will be applied
before the policy is enforced. This does not require
USE_ACTIONS=Yes.

Possible policies are:

ACCEPT Accept the connection.

DROP Silently ignore the connection request.

REJECT For TCP, send RST. For all other protocols, send an
"unreachable" ICMP.

QUEUE Queue the request for a user-space application such as
Snort-inline.

NFQUEUE
Added in Shorewall-perl 4.0.3. Queue the request for a user-space
application using the nfnetlink_queue mechanism. If a queuenumber
is not given, queue zero (0) is assumed.

CONTINUE
Pass the connection request past any other rules that it might
also match (where the source or destination zone in those rules is
a superset of the SOURCE or DEST in this policy). See
shorewall-nesting(5) for additional information.

NONE Assume that there will never be any packets from this SOURCE
to this DEST. Shorewall will not create any infrastructure to
handle such packets and you may not have any rules with this
SOURCE and DEST in the /etc/shorewall/rules file. If such a packet
is received, the result is undefined. NONE may not be used if the
SOURCE or DEST columns contain the firewall zone ($FW) or "all".

LOG LEVEL (Optional) — [log-level|ULOG]
If supplied, each connection handled under the default POLICY is
logged at that level. If not supplied, no log message is
generated. See syslog.conf(5) for a description of log levels.

You may also specify ULOG (must be in upper case). This will log
to the ULOG target and will send to a separate log through use of
ulogd (⟨http://www.netfilter.org/projects/ulogd/index.html⟩).

If you don't want to log but need to specify the following column,
place "-" here.

BURST:LIMIT — rate/{second|minute}:burst
If passed, specifies the maximum TCP connection rate and the size
of an acceptable burst, written as the rate followed by the burst
(for example 10/second:20). If not specified, TCP connections are
not limited.

EXAMPLE
1. All connections from the local network (zone loc) to the
internet (zone net) are allowed.

2. All connections from the internet are ignored but logged at
syslog level KERNEL.INFO.

3. All other connection requests are rejected and logged at level
KERNEL.INFO.

#SOURCE  DEST  POLICY  LOG    BURST:LIMIT
#                      LEVEL
loc      net   ACCEPT
net      all   DROP    info
#
# THE FOLLOWING POLICY MUST BE LAST
#
all      all   REJECT  info
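The matching rules this page describes (first match in file order, "all" matching any zone, the implicit intra-zone ACCEPT that only an explicit entry can override, and the column syntax for POLICY, LOG LEVEL and BURST:LIMIT) as an added example: a small Python parser and resolver written for this page, not code from the Shorewall project. It assumes a hard-coded list ZONES standing in for shorewall-zones(5), and it does not model sub-zones (CONTINUE, IMPLICIT_CONTINUE) or bport zones. The two policy texts it reads are constructed for the example; the second puts the catch-all first to show why the example above insists that it be last.

```python
"""Parse and resolve shorewall-policy(5) entries. Added example, not Shorewall
code. Assumed: ZONES stands in for /etc/shorewall/zones; sub-zone CONTINUE and
bport zones are not modelled."""
import re
from dataclasses import dataclass
from typing import List, Optional

POLICIES = {"ACCEPT", "DROP", "REJECT", "CONTINUE", "QUEUE", "NFQUEUE", "NONE"}
# syslog.conf(5) level names plus Shorewall's ULOG target
LOG_LEVELS = {"emerg", "alert", "crit", "err", "warning", "notice", "info", "debug", "ULOG"}
LIMIT_RE = re.compile(r"^(\d+)/(second|minute):(\d+)$")  # rate/{second|minute}:burst
ZONES = ["net", "loc", "dmz"]  # constructed stand-in for shorewall-zones(5)


@dataclass
class Entry:
    source: str
    dest: str
    policy: str                     # one of POLICIES
    queue: int = 0                  # NFQUEUE queue number, 0 when omitted
    default: Optional[str] = None   # default action/macro; "None" suppresses it
    log_level: Optional[str] = None
    rate: Optional[str] = None      # e.g. "10/second"
    burst: Optional[int] = None


def parse_policy(text: str, zones: List[str]) -> List[Entry]:
    """Return the entries of a policy file in file order, validating each column."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        cols = line.split()
        if len(cols) < 3:
            raise ValueError(f"line {lineno}: need SOURCE, DEST and POLICY")
        src, dst, pol = cols[:3]
        for zone in (src, dst):
            if zone not in zones and zone not in ("$FW", "all"):
                raise ValueError(f"line {lineno}: unknown zone {zone!r}")

        # POLICY[:default-action-or-macro|None], with NFQUEUE[/queuenumber]
        base, _, default = pol.partition(":")
        name, _, queue = base.partition("/")
        if name not in POLICIES:
            raise ValueError(f"line {lineno}: unknown policy {name!r}")
        if default and name in ("CONTINUE", "NONE"):
            raise ValueError(f"line {lineno}: {name} takes no default action")
        if name == "NONE" and ({src, dst} & {"$FW", "all"}):
            raise ValueError(f"line {lineno}: NONE may not be used with $FW or all")
        entry = Entry(src, dst, name, int(queue) if queue else 0, default or None)
        if len(cols) > 3 and cols[3] != "-":      # LOG LEVEL; "-" means no logging
            if cols[3] not in LOG_LEVELS:
                raise ValueError(f"line {lineno}: bad log level {cols[3]!r}")
            entry.log_level = cols[3]
        if len(cols) > 4 and cols[4] != "-":      # BURST:LIMIT column
            m = LIMIT_RE.match(cols[4])
            if not m:
                raise ValueError(f"line {lineno}: expected rate/second|minute:burst")
            entry.rate, entry.burst = f"{m.group(1)}/{m.group(2)}", int(m.group(3))
        entries.append(entry)
    return entries


def lookup(entries: List[Entry], src: str, dst: str) -> Entry:
    """Return the entry that governs a new connection from src to dst."""
    if src == dst:
        # A zone to itself is ACCEPT unless an entry names that zone in both
        # columns; an "all" entry never overrides the intra-zone policy.
        for e in entries:
            if e.source == src and e.dest == dst:
                return e
        return Entry(src, dst, "ACCEPT")
    for e in entries:                             # first match in file order wins
        if e.source in (src, "all") and e.dest in (dst, "all"):
            return e
    raise LookupError(f"no policy for {src} -> {dst}")


# Constructed policy file: the man page's example plus an explicit intra-zone
# override, an NFQUEUE queue number, a suppressed default action and a rate limit.
POLICY_TEXT = """\
#SOURCE  DEST  POLICY     LOG    BURST:LIMIT
#                         LEVEL
loc      net   ACCEPT
loc      loc   REJECT     info
dmz      $FW   NFQUEUE/3
net      $FW   DROP:None  info   10/second:20
net      all   DROP       info
all      all   REJECT     info
"""

# The same catch-all placed first: it now shadows "loc net ACCEPT".
MISORDERED_TEXT = """\
all      all   REJECT     info
loc      net   ACCEPT
"""
```

Calling lookup(parse_policy(POLICY_TEXT, ZONES), "loc", "net") returns the ACCEPT entry, while the same call on MISORDERED_TEXT returns the REJECT catch-all; dmz to dmz resolves to the implicit ACCEPT because only "loc loc" was overridden explicitly, and an entry such as "net $FW NONE" is refused at parse time.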

FILES
/etc/shorewall/policy

SEE ALSO
shorewall(8), shorewall-accounting(5), shorewall-actions(5),
shorewall-blacklist(5), shorewall-hosts(5), shorewall-interfaces(5),
shorewall-ipsec(5), shorewall-maclist(5), shorewall-masq(5),
shorewall-nat(5), shorewall-netmap(5), shorewall-params(5),
shorewall-policy(5), shorewall-providers(5), shorewall-proxyarp(5),
shorewall-route_routes(5), shorewall-routestopped(5),
shorewall-rules(5), shorewall.conf(5), shorewall-tcclasses(5),
shorewall-tcdevices(5), shorewall-tcrules(5), shorewall-tos(5),
shorewall-tunnels(5), shorewall-zones(5)



19 May 2008                                          shorewall-policy(5)