'\" t
.\"     Title: shorewall6-policy
.\"    Author: [FIXME: author] [see http://docbook.sf.net/el/author]
.\" Generator: DocBook XSL Stylesheets v1.76.1
.\"      Date: 10/19/2014
.\"    Manual: Configuration Files
.\"    Source: Configuration Files
.\"  Language: English
.\"
.TH "SHOREWALL6\-POLICY" "5" "10/19/2014" "Configuration Files" "Configuration Files"
.\" -----------------------------------------------------------------
.\" * Define some portability stuff
.\" -----------------------------------------------------------------
.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
.\" http://bugs.debian.org/507673
.\" http://lists.gnu.org/archive/html/groff/2009-02/msg00013.html
.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
.ie \n(.g .ds Aq \(aq
.el       .ds Aq '
.\" -----------------------------------------------------------------
.\" * set default formatting
.\" -----------------------------------------------------------------
.\" disable hyphenation
.nh
.\" disable justification (adjust text to left margin only)
.ad l
.\" -----------------------------------------------------------------
.\" * MAIN CONTENT STARTS HERE *
.\" -----------------------------------------------------------------
.SH "NAME"
policy \- shorewall6 policy file
.SH "SYNOPSIS"
.HP \w'\fB/etc/shorewall6/policy\fR\ 'u
\fB/etc/shorewall6/policy\fR
.SH "DESCRIPTION"
.PP
This file defines the high\-level policy for connections between zones defined in \m[blue]\fBshorewall6\-zones\fR\m[]\&\s-2\u[1]\d\s+2(5)\&.
.if n \{\
.sp
.\}
.RS 4
.it 1 an-trap
.nr an-no-space-flag 1
.nr an-break-flag 1
.br
.ps +1
\fBImportant\fR
.ps -1
.br
.PP
The order of entries in this file is important
.PP
This file determines what to do with a new connection request if we don\*(Aqt get a match from the /etc/shorewall6/rules file\&. For each source/destination pair, the file is processed in order until a match is found ("all" will match any client or server)\&.
.sp .5v
.RE
.if n \{\
.sp
.\}
.RS 4
.it 1 an-trap
.nr an-no-space-flag 1
.nr an-break-flag 1
.br
.ps +1
\fBImportant\fR
.ps -1
.br
.PP
Intra\-zone policies are pre\-defined
.PP
For $FW and for all of the zones defined in /etc/shorewall6/zones, the POLICY for connections from the zone to itself is ACCEPT (with no logging or TCP connection rate limiting) but may be overridden by an entry in this file\&. The overriding entry must be explicit (specifying the zone name on both SOURCE and DEST) or it must use "all+" (Shorewall 4\&.5\&.17 or later)\&.
.PP
Similarly, if you have IMPLICIT_CONTINUE=Yes in shorewall6\&.conf, then the implicit policy to/from any sub\-zone is CONTINUE\&. These implicit CONTINUE policies may also be overridden by an explicit entry in this file\&.
.sp .5v
.RE
.PP
The columns in the file are as follows (where the column name is followed by a different name in parentheses, the different name is used in the alternate specification syntax)\&.
.PP
\fBSOURCE\fR \- \fIzone\fR|\fB$FW\fR|\fBall\fR|\fBall+\fR
.RS 4
Source zone\&. Must be the name of a zone defined in \m[blue]\fBshorewall6\-zones\fR\m[]\&\s-2\u[1]\d\s+2(5), $FW, "all" or "all+"\&.
.sp
Support for "all+" was added in Shorewall 4\&.5\&.17\&. "all" does not override the implicit intra\-zone ACCEPT policy while "all+" does\&.
.RE
.PP
\fBDEST\fR \- \fIzone\fR|\fB$FW\fR|\fBall\fR|\fBall+\fR
.RS 4
Destination zone\&. Must be the name of a zone defined in \m[blue]\fBshorewall6\-zones\fR\m[]\&\s-2\u[1]\d\s+2(5), $FW, "all" or "all+"\&. If the DEST is a bport zone, then the SOURCE must be "all", "all+", another bport zone associated with the same bridge, or it must be an ipv4 zone that is associated with only the same bridge\&.
.sp
Support for "all+" was added in Shorewall 4\&.5\&.17\&. "all" does not override the implicit intra\-zone ACCEPT policy while "all+" does\&.
.RE
.PP
\fBPOLICY\fR \- {\fBACCEPT\fR|\fBDROP\fR|\fBREJECT\fR|\fBCONTINUE\fR|\fBQUEUE\fR|\fBNFQUEUE\fR[(\fIqueuenumber\fR)]|\fBNONE\fR}[\fB:\fR{\fIdefault\-action\-or\-macro\fR|\fBNone\fR}]
.RS 4
Policy if no match from the rules file is found\&.
.sp
If the policy is neither CONTINUE nor NONE then the policy may be followed by ":" and one of the following:
.sp
.RS 4
.ie n \{\
\h'-04' 1.\h'+01'\c
.\}
.el \{\
.sp -1
.IP " 1." 4.2
.\}
The word "None" or "none"\&. This causes any default action defined in \m[blue]\fBshorewall6\&.conf\fR\m[]\&\s-2\u[2]\d\s+2(5) to be omitted for this policy\&.
.RE
.sp
.RS 4
.ie n \{\
\h'-04' 2.\h'+01'\c
.\}
.el \{\
.sp -1
.IP " 2." 4.2
.\}
The name of an action\&. The action will be invoked before the policy is enforced\&.
.RE
.sp
Actions can have parameters specified\&.
.sp
Beginning with Shorewall 4\&.5\&.10, the action name can be followed optionally by a colon and a log level\&. The level will be applied to each rule in the action or macro body that does not already have a log level\&.
.sp
Possible policies are:
.PP
\fBACCEPT\fR
.RS 4
Accept the connection\&.
.RE
.PP
\fBDROP\fR
.RS 4
Ignore the connection request\&.
.RE
.PP
\fBREJECT\fR
.RS 4
For TCP, send RST\&. For all other protocols, send an "unreachable" ICMP\&.
.RE
.PP
\fBQUEUE\fR
.RS 4
Queue the request for a user\-space application such as Snort\-inline\&.
.RE
.PP
\fBNFQUEUE\fR
.RS 4
Queue the request for a user\-space application using the nfnetlink_queue mechanism\&. If a \fIqueuenumber\fR is not given, queue zero (0) is assumed\&.
.RE
.PP
\fBCONTINUE\fR
.RS 4
Pass the connection request past any other rules that it might also match (where the source or destination zone in those rules is a superset of the SOURCE or DEST in this policy)\&. See \m[blue]\fBshorewall6\-nesting\fR\m[]\&\s-2\u[3]\d\s+2(5) for additional information\&.
.RE
.PP
\fBNONE\fR
.RS 4
Assume that there will never be any packets from this SOURCE to this DEST\&.
shorewall6 will not create any infrastructure to handle such packets and you may not have any rules with this SOURCE and DEST in the /etc/shorewall6/rules file\&. If such a packet \fBis\fR received, the result is undefined\&. NONE may not be used if the SOURCE or DEST columns contain the firewall zone ($FW) or "all"\&.
.RE
.RE
.PP
\fBLOG LEVEL\fR (loglevel) \- [\fIlog\-level\fR|\fBNFLOG\fR]
.RS 4
Optional \- if supplied, each connection handled under the default POLICY is logged at that level\&. If not supplied, no log message is generated\&. See syslog\&.conf(5) for a description of log levels\&.
.sp
You may also specify NFLOG (must be in upper case)\&. This will log to the NFLOG target and will send to a separate log through use of ulogd (\m[blue]\fBhttp://www\&.netfilter\&.org/projects/ulogd/index\&.html\fR\m[])\&.
.sp
For a description of log levels, see \m[blue]\fBhttp://www\&.shorewall\&.net/shorewall_logging\&.html\fR\m[]\&\s-2\u[4]\d\s+2\&.
.sp
If you don\*(Aqt want to log but need to specify the following column, place "\-" here\&.
.RE
.PP
\fBBURST:LIMIT\fR (limit) \- [{\fBs\fR|\fBd\fR}:[[\fIname\fR]:]]\fIrate\fR\fB/\fR{\fBsecond\fR|\fBminute\fR}[:\fIburst\fR]
.RS 4
If passed, specifies the maximum TCP connection \fIrate\fR and the size of an acceptable \fIburst\fR\&. If not specified, TCP connections are not limited\&. If the \fIburst\fR parameter is omitted, a value of 5 is assumed\&.
.sp
When \fBs:\fR or \fBd:\fR is specified, the rate applies per source IP address or per destination IP address respectively\&. The \fIname\fR may be chosen by the user and specifies a hash table to be used to count matching connections\&. If not given, the name \fBshorewall\fR is assumed\&. Where more than one POLICY specifies the same name, the connection counts for the policies are aggregated and the individual rates apply to the aggregated count\&.
.RE
.PP
\fBCONNLIMIT\fR \- \fIlimit\fR[:\fImask\fR]
.RS 4
May be used to limit the number of simultaneous connections from each individual host to \fIlimit\fR connections\&. While the limit is only checked on connections to which this policy could apply, the number of current connections is calculated over all current connections from the SOURCE host\&. By default, the limit is applied to each host individually but can be made to apply to networks of hosts by specifying a \fImask\fR\&. The \fImask\fR specifies the width of a VLSM mask to be applied to the source address; the number of current connections is then taken over all hosts in the subnet \fIsource\-address\fR/\fImask\fR\&.
.RE
.SH "EXAMPLE"
.sp
.RS 4
.ie n \{\
\h'-04' 1.\h'+01'\c
.\}
.el \{\
.sp -1
.IP " 1." 4.2
.\}
All connections from the local network to the internet are allowed\&.
.RE
.sp
.RS 4
.ie n \{\
\h'-04' 2.\h'+01'\c
.\}
.el \{\
.sp -1
.IP " 2." 4.2
.\}
All connections from the internet are ignored but logged at syslog level KERNEL\&.INFO\&.
.RE
.sp
.RS 4
.ie n \{\
\h'-04' 3.\h'+01'\c
.\}
.el \{\
.sp -1
.IP " 3." 4.2
.\}
All other connection requests are rejected and logged at level KERNEL\&.INFO\&.
.RE
.sp
.if n \{\
.RS 4
.\}
.nf
#SOURCE   DEST    POLICY   LOG      BURST:LIMIT
#                          LEVEL
loc       net     ACCEPT
net       all     DROP     info
#
# THE FOLLOWING POLICY MUST BE LAST
#
all       all     REJECT   info
.fi
.if n \{\
.RE
.\}
.SH "FILES"
.PP
/etc/shorewall6/policy
.SH "SEE ALSO"
.PP
\m[blue]\fBhttp://www\&.shorewall\&.net/configuration_file_basics\&.htm#Pairs\fR\m[]\&\s-2\u[5]\d\s+2
.PP
shorewall6(8), shorewall6\-accounting(5), shorewall6\-actions(5), shorewall6\-blacklist(5), shorewall6\-hosts(5), shorewall6\-interfaces(5), shorewall6\-ipsec(5), shorewall6\-maclist(5), shorewall6\-masq(5), shorewall6\-nat(5), shorewall6\-netmap(5), shorewall6\-params(5), shorewall6\-policy(5), shorewall6\-providers(5), shorewall6\-proxyarp(5), shorewall6\-rtrules(5), shorewall6\-routestopped(5), shorewall6\-rules(5), shorewall6\&.conf(5), shorewall6\-secmarks(5), shorewall6\-tcclasses(5), shorewall6\-tcdevices(5), shorewall6\-mangle(5), shorewall6\-tos(5), shorewall6\-tunnels(5), shorewall6\-zones(5)
.SH "NOTES"
.IP " 1." 4
shorewall6-zones
.RS 4
\%http://www.shorewall.net/manpages6/shorewall6-zones.html
.RE
.IP " 2." 4
shorewall6.conf
.RS 4
\%http://www.shorewall.net/manpages6/shorewall6.conf.html
.RE
.IP " 3." 4
shorewall6-nesting
.RS 4
\%http://www.shorewall.net/manpages6/shorewall6-nesting.html
.RE
.IP " 4." 4
http://www.shorewall.net/shorewall_logging.html
.RS 4
\%http://www.shorewall.net/shorewall_logging.html
.RE
.IP " 5." 4
http://www.shorewall.net/configuration_file_basics.htm#Pairs
.RS 4
\%http://www.shorewall.net/configuration_file_basics.htm#Pairs
.RE
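.PP
The ordering and intra\-zone rules described above, modelled in Python as an added example (not Shorewall\*(Aqs own code): \fBresolve\fR finds the entry that decides a SOURCE/DEST pair, and \fBlint\fR flags NONE used with $FW or "all" and entries that can never be reached because an earlier entry already covers them\&. It assumes that "all" and "all+" also match $FW; the zone names and the last two policy lines in \fBEXAMPLE\fR are constructed\&.
.nf
```python
from collections import namedtuple

Policy = namedtuple("Policy", "lineno source dest policy loglevel limit", defaults=("-", "-"))

def parse_policy_file(text):
    """Split the whitespace-separated columns; '#' starts a comment."""
    entries = []
    for n, raw in enumerate(text.splitlines(), 1):
        cols = raw.split("#", 1)[0].split()
        if cols:
            entries.append(Policy(n, *cols[:5]))
    return entries

def covers(entry, src, dst):
    """Does this entry decide traffic src -> dst?  Assumption: "all" and "all+"
    match any zone, $FW included.  A plain "all" is skipped for intra-zone
    traffic because the man page says it never overrides the implicit ACCEPT."""
    if src == dst and src not in ("all", "all+") and "all" in (entry.source, entry.dest):
        return False
    return entry.source in (src, "all", "all+") and entry.dest in (dst, "all", "all+")

def resolve(entries, src, dst):
    """First matching entry wins; intra-zone traffic falls back to the implicit
    ACCEPT (lineno 0).  None means no policy covers the pair at all."""
    for e in entries:
        if covers(e, src, dst):
            return e
    return Policy(0, src, dst, "ACCEPT") if src == dst else None

def lint(entries):
    """Report NONE misuse (stated on this page) and entries that can never match."""
    problems = []
    for i, e in enumerate(entries):
        if e.policy == "NONE" and {"$FW", "all"} & {e.source, e.dest}:
            problems.append(f"line {e.lineno}: NONE may not be used with $FW or all")
        for prev in entries[:i]:  # CONTINUE hands off to enclosing zones, so it shadows nothing
            if prev.policy != "CONTINUE" and covers(prev, e.source, e.dest):
                problems.append(f"line {e.lineno}: unreachable, shadowed by line {prev.lineno}")
                break
    return problems

# The man page's EXAMPLE plus two constructed lines that the lint catches.
EXAMPLE = """#SOURCE  DEST  POLICY  LOG_LEVEL
loc      net   ACCEPT
net      all   DROP    info
all      all   REJECT  info
net      loc   ACCEPT           # constructed: shadowed by the net->all DROP above
$FW      all   NONE             # constructed: NONE is not allowed with $FW or all
"""
```
.fi
Note that \fBresolve\fR reports net\->net as ACCEPT: nothing in EXAMPLE names a zone on both sides or uses "all+", so the implicit intra\-zone policy stands\&.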