'\" t
.\"     Title: shorewall-policy
.\"    Author: [FIXME: author] [see http://docbook.sf.net/el/author]
.\" Generator: DocBook XSL Stylesheets v1.78.1
.\"      Date: 03/16/2017
.\"    Manual: Configuration Files
.\"    Source: Configuration Files
.\"  Language: English
.\"
.TH "SHOREWALL\-POLICY" "5" "03/16/2017" "Configuration Files" "Configuration Files"
.\" -----------------------------------------------------------------
.\" * Define some portability stuff
.\" -----------------------------------------------------------------
.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
.\" http://bugs.debian.org/507673
.\" http://lists.gnu.org/archive/html/groff/2009-02/msg00013.html
.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
.ie \n(.g .ds Aq \(aq
.el       .ds Aq '
.\" -----------------------------------------------------------------
.\" * set default formatting
.\" -----------------------------------------------------------------
.\" disable hyphenation
.nh
.\" disable justification (adjust text to left margin only)
.ad l
.\" -----------------------------------------------------------------
.\" * MAIN CONTENT STARTS HERE *
.\" -----------------------------------------------------------------
.SH "NAME"
policy \- Shorewall policy file
.SH "SYNOPSIS"
.HP \w'\fB/etc/shorewall/policy\fR\ 'u
\fB/etc/shorewall/policy\fR
.SH "DESCRIPTION"
.PP
This file defines the high\-level policy for connections between zones defined in
\m[blue]\fBshorewall\-zones\fR\m[]\&\s-2\u[1]\d\s+2(5)\&.
.if n \{\
.sp
.\}
.RS 4
.it 1 an-trap
.nr an-no-space-flag 1
.nr an-break-flag 1
.br
.ps +1
\fBImportant\fR
.ps -1
.br
.PP
The order of entries in this file is important\&.
.PP
This file determines what to do with a new connection request if we don\*(Aqt get a match from the /etc/shorewall/rules file\&. For each source/destination pair, the file is processed in order until a match is found ("all" will match any source or destination)\&.
.sp .5v
.RE
.if n \{\
.sp
.\}
.RS 4
.it 1 an-trap
.nr an-no-space-flag 1
.nr an-break-flag 1
.br
.ps +1
\fBImportant\fR
.ps -1
.br
.PP
Intra\-zone policies are pre\-defined\&.
.PP
For $FW and for all of the zones defined in /etc/shorewall/zones, the POLICY for connections from the zone to itself is ACCEPT (with no logging or TCP connection rate limiting) but may be overridden by an entry in this file\&. The overriding entry must be explicit (specifying the zone name in both SOURCE and DEST) or it must use "all+" (Shorewall 4\&.5\&.17 or later)\&.
.PP
Similarly, if you have IMPLICIT_CONTINUE=Yes in shorewall\&.conf, then the implicit policy to/from any sub\-zone is CONTINUE\&. These implicit CONTINUE policies may also be overridden by an explicit entry in this file\&.
.sp .5v
.RE
.PP
The columns in the file are as follows (where the column name is followed by a different name in parentheses, the different name is used in the alternate specification syntax)\&.
.PP
\fBSOURCE\fR \- \fIzone\fR[,\&.\&.\&.[+]]|\fB$FW\fR|\fBall\fR|\fBall+\fR
.RS 4
Source zone\&. Must be the name of a zone defined in
\m[blue]\fBshorewall\-zones\fR\m[]\&\s-2\u[1]\d\s+2(5), $FW, "all" or "all+"\&.
.sp
Support for "all+" was added in Shorewall 4\&.5\&.17\&. "all" does not override the implicit intra\-zone ACCEPT policy while "all+" does\&.
.sp
Beginning with Shorewall 5\&.0\&.12, multiple zones may be listed separated by commas\&. As above, if \*(Aq+\*(Aq is specified after two or more zone names, then the policy overrides the implicit intra\-zone ACCEPT policy if the same \fIzone\fR appears in both the SOURCE and DEST columns\&.
.RE
.PP
\fBDEST\fR \- \fIzone\fR[,\&.\&.\&.[+]]|\fB$FW\fR|\fBall\fR|\fBall+\fR
.RS 4
Destination zone\&. Must be the name of a zone defined in
\m[blue]\fBshorewall\-zones\fR\m[]\&\s-2\u[1]\d\s+2(5), $FW, "all" or "all+"\&.
If the DEST is a bport zone, then the SOURCE must be "all", "all+", another bport zone associated with the same bridge, or it must be an ipv4 zone that is associated with only the same bridge\&.
.sp
Support for "all+" was added in Shorewall 4\&.5\&.17\&. "all" does not override the implicit intra\-zone ACCEPT policy while "all+" does\&.
.sp
Beginning with Shorewall 5\&.0\&.12, multiple zones may be listed separated by commas\&. As above, if \*(Aq+\*(Aq is specified after two or more zone names, then the policy overrides the implicit intra\-zone ACCEPT policy if the same \fIzone\fR appears in both the SOURCE and DEST columns\&.
.RE
.PP
\fBPOLICY\fR \- {\fBACCEPT\fR|\fBDROP\fR|\fBREJECT\fR|\fBCONTINUE\fR|\fBQUEUE\fR|\fBNFQUEUE\fR[(\fIqueuenumber1\fR[:\fIqueuenumber2\fR])]|\fBNONE\fR}[\fB:\fR{\fIdefault\-action\-or\-macro\fR[:\fIlevel\fR]|\fBNone\fR}]
.RS 4
Policy if no match from the rules file is found\&.
.sp
If the policy is neither CONTINUE nor NONE then the policy may be followed by ":" and one of the following:
.sp
.RS 4
.ie n \{\
\h'-04' 1.\h'+01'\c
.\}
.el \{\
.sp -1
.IP " 1." 4.2
.\}
The word "None" or "none"\&. This causes any default action defined in
\m[blue]\fBshorewall\&.conf\fR\m[]\&\s-2\u[2]\d\s+2(5)
to be omitted for this policy\&.
.RE
.sp
.RS 4
.ie n \{\
\h'-04' 2.\h'+01'\c
.\}
.el \{\
.sp -1
.IP " 2." 4.2
.\}
The name of an action\&. The action will be invoked before the policy is enforced\&.
.RE
.sp
Actions can have parameters specified\&.
.sp
Beginning with Shorewall 4\&.5\&.10, the action name can be followed optionally by a colon and a log level\&. The level will be applied to each rule in the action or macro body that does not already have a log level\&.
.sp
Possible POLICY values are:
.PP
\fBACCEPT\fR
.RS 4
Accept the connection\&.
.RE
.PP
\fBDROP\fR
.RS 4
Ignore the connection request\&.
.RE
.PP
\fBREJECT\fR
.RS 4
For TCP, send RST\&. For all other protocols, send an ICMP "unreachable"\&.
.RE
.PP
\fBQUEUE\fR
.RS 4
Queue the request for a user\-space application such as Snort\-inline\&.
.RE
.PP
\fBNFQUEUE\fR
.RS 4
Queue the request for a user\-space application using the nfnetlink_queue mechanism\&. If a \fIqueuenumber1\fR is not given, queue zero (0) is assumed\&. Beginning with Shorewall 4\&.6\&.10, a second queue number (\fIqueuenumber2\fR) may be given\&. This specifies a range of queues to use\&. Packets are then balanced across the given queues\&. This is useful for multicore systems: start multiple instances of the userspace program on queues x, x+1, \&.\&. x+n and use "x:x+n"\&. Packets belonging to the same connection are put into the same nfqueue\&.
.RE
.PP
\fBCONTINUE\fR
.RS 4
Pass the connection request past any other rules that it might also match (where the source or destination zone in those rules is a superset of the SOURCE or DEST in this policy)\&. See
\m[blue]\fBshorewall\-nesting\fR\m[]\&\s-2\u[3]\d\s+2(5)
for additional information\&.
.RE
.PP
\fBNONE\fR
.RS 4
Assume that there will never be any packets from this SOURCE to this DEST\&. Shorewall will not create any infrastructure to handle such packets and you may not have any rules with this SOURCE and DEST in the /etc/shorewall/rules file\&. If such a packet \fBis\fR received, the result is undefined\&. NONE may not be used if the SOURCE or DEST columns contain the firewall zone ($FW) or "all"\&.
.RE
.RE
.PP
\fBLOG LEVEL\fR (loglevel) \- [\fIlog\-level\fR|\fBULOG\fR|\fBNFLOG\fR]
.RS 4
Optional \- if supplied, each connection handled under the default POLICY is logged at that level\&. If not supplied, no log message is generated\&. See syslog\&.conf(5) for a description of log levels\&.
.sp
You may also specify ULOG or NFLOG (must be in upper case)\&. This will log to the ULOG or NFLOG target and will send to a separate log through use of ulogd (\m[blue]\fBhttp://www\&.netfilter\&.org/projects/ulogd/index\&.html\fR\m[])\&.
.sp
For a description of log levels, see
\m[blue]\fBhttp://www\&.shorewall\&.net/shorewall_logging\&.html\fR\m[]\&\s-2\u[4]\d\s+2\&.
.sp
If you don\*(Aqt want to log but need to specify the following column, place "\-" here\&.
.RE
.PP
\fBBURST:LIMIT\fR (limit) \- [\-|\fIlimit\fR]
.RS 4
where \fIlimit\fR is one of:
.RS 4
[\fB\-\fR|[{\fBs\fR|\fBd\fR}:[[\fIname\fR]:]]]\fIrate\fR\fB/\fR{\fBsec\fR|\fBmin\fR|\fBhour\fR|\fBday\fR}[:\fIburst\fR]
.RE
.RS 4
[\fIname1\fR]:\fIrate1\fR\fB/\fR{\fBsec\fR|\fBmin\fR|\fBhour\fR|\fBday\fR}[:\fIburst1\fR],[\fIname2\fR]:\fIrate2\fR\fB/\fR{\fBsec\fR|\fBmin\fR|\fBhour\fR|\fBday\fR}[:\fIburst2\fR]
.RE
If passed, specifies the maximum TCP connection \fIrate\fR and the size of an acceptable \fIburst\fR\&. If not specified, TCP connections are not limited\&. If the \fIburst\fR parameter is omitted, a value of 5 is assumed\&.
.sp
When \fBs:\fR or \fBd:\fR is specified, the rate applies per source IP address or per destination IP address respectively\&. The \fIname\fR may be chosen by the user and specifies a hash table to be used to count matching connections\&. If not given, the name \fBshorewall\fR is assumed\&. Where more than one POLICY or rule specifies the same name, the connection counts for the policies are aggregated and the individual rates apply to the aggregated count\&.
.sp
Beginning with Shorewall 4\&.6\&.5, two \fIlimit\fRs may be specified, separated by a comma\&. In this case, the first limit (\fIname1\fR, \fIrate1\fR, \fIburst1\fR) specifies the per\-source IP limit and the second limit specifies the per\-destination IP limit\&.
.sp
Example: \fBclient:10/sec:20,:60/sec:100\fR
.RE
.PP
\fBCONNLIMIT\fR \- \fIlimit\fR[:\fImask\fR]
.RS 4
May be used to limit the number of simultaneous connections from each individual host to \fIlimit\fR connections\&. While the limit is only checked on connections to which this policy could apply, the number of current connections is calculated over all current connections from the SOURCE host\&.
By default, the limit is applied to each host individually but can be made to apply to networks of hosts by specifying a \fImask\fR\&. The \fImask\fR specifies the width of a VLSM mask to be applied to the source address; the number of current connections is then taken over all hosts in the subnet \fIsource\-address\fR/\fImask\fR\&.
.RE
.SH "EXAMPLE"
.sp
.RS 4
.ie n \{\
\h'-04' 1.\h'+01'\c
.\}
.el \{\
.sp -1
.IP " 1." 4.2
.\}
All connections from the local network to the internet are allowed\&.
.RE
.sp
.RS 4
.ie n \{\
\h'-04' 2.\h'+01'\c
.\}
.el \{\
.sp -1
.IP " 2." 4.2
.\}
All connections from the internet are ignored but logged at syslog level KERNEL\&.INFO\&.
.RE
.sp
.RS 4
.ie n \{\
\h'-04' 3.\h'+01'\c
.\}
.el \{\
.sp -1
.IP " 3." 4.2
.\}
All other connection requests are rejected and logged at level KERNEL\&.INFO\&.
.RE
.sp
.if n \{\
.RS 4
.\}
.nf
#SOURCE DEST    POLICY  LOG     BURST:LIMIT
#                       LEVEL
loc     net     ACCEPT
net     all     DROP    info
#
# THE FOLLOWING POLICY MUST BE LAST
#
all     all     REJECT  info
.fi
.if n \{\
.RE
.\}
.SH "FILES"
.PP
/etc/shorewall/policy
.SH "SEE ALSO"
.PP
\m[blue]\fBhttp://www\&.shorewall\&.net/configuration_file_basics\&.htm#Pairs\fR\m[]\&\s-2\u[5]\d\s+2
.PP
shorewall(8), shorewall\-accounting(5), shorewall\-actions(5), shorewall\-blacklist(5), shorewall\-hosts(5), shorewall_interfaces(5), shorewall\-ipsets(5), shorewall\-maclist(5), shorewall\-masq(5), shorewall\-nat(5), shorewall\-netmap(5), shorewall\-params(5), shorewall\-policy(5), shorewall\-providers(5), shorewall\-proxyarp(5), shorewall\-rtrules(5), shorewall\-routestopped(5), shorewall\-rules(5), shorewall\&.conf(5), shorewall\-secmarks(5), shorewall\-tcclasses(5), shorewall\-tcdevices(5), shorewall\-mangle(5), shorewall\-tos(5), shorewall\-tunnels(5), shorewall\-zones(5)
.SH "NOTES"
.IP " 1." 4
shorewall-zones
.RS 4
\%http://www.shorewall.net/manpages/shorewall-zones.html
.RE
.IP " 2." 4
shorewall.conf
.RS 4
\%http://www.shorewall.net/manpages/shorewall.conf.html
.RE
.IP " 3." 4
shorewall-nesting
.RS 4
\%http://www.shorewall.net/manpages/shorewall-nesting.html
.RE
.IP " 4." 4
http://www.shorewall.net/shorewall_logging.html
.RS 4
\%http://www.shorewall.net/shorewall_logging.html
.RE
.IP " 5." 4
http://www.shorewall.net/configuration_file_basics.htm#Pairs
.RS 4
\%http://www.shorewall.net/configuration_file_basics.htm#Pairs
.RE
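The lookup that the DESCRIPTION and EXAMPLE sections describe, as an added Python model; this is not part of the man page and not Shorewall's own code. It parses the EXAMPLE policy file, answers "which POLICY applies to a new connection from zone A to zone B" by walking the entries in order (first match wins, "all" matches any zone, the implicit intra-zone ACCEPT is only overridden by an explicit entry or a '+' suffix), parses the BURST:LIMIT column into its per-source and per-destination parts, and reports entries that no zone pair can ever reach, which is the check that catches an "all all" line placed before the entries it was meant to follow. Assumptions: zone names are plain strings, "$FW" is kept as a literal token rather than substituted, the CONNLIMIT column is ignored, and any ":default-action:level" suffix on the POLICY column is dropped.

```python
"""Added example (not from the shorewall-policy man page or the Shorewall
project): a model of how /etc/shorewall/policy is consulted for a new
connection that matched nothing in /etc/shorewall/rules.  Entries are tried
in order and the first match wins; "all" matches any zone; a zone has an
implicit ACCEPT policy to itself that only an explicit entry or a '+' suffix
(all+) overrides; BURST:LIMIT holds one limit or a per-source,per-dest pair."""
import re
from typing import NamedTuple, Optional

# The man page's EXAMPLE, embedded here as constructed sample input.
EXAMPLE_POLICY = """\
#SOURCE DEST    POLICY  LOG     BURST:LIMIT
#                       LEVEL
loc     net     ACCEPT
net     all     DROP    info
#
# THE FOLLOWING POLICY MUST BE LAST
#
all     all     REJECT  info
"""

class Limit(NamedTuple):
    scope: Optional[str]   # 's' = per source IP, 'd' = per destination IP
    name: str              # hash table name; "shorewall" when omitted
    rate: int
    unit: str              # sec | min | hour | day
    burst: int             # 5 when omitted

class Policy(NamedTuple):
    source: list           # zone names; ["all"] for all / all+
    source_plus: bool      # '+' suffix: overrides the implicit intra-zone ACCEPT
    dest: list
    dest_plus: bool
    action: str            # POLICY verb (assumption: :default-action:level dropped)
    log_level: Optional[str]
    limits: list           # parsed BURST:LIMIT, [] when "-" or absent

_LIMIT_RE = re.compile(r"^(?:(?P<scope>[sd]):)?(?:(?P<name>[^:/]*):)?"
                       r"(?P<rate>\d+)/(?P<unit>sec|min|hour|day)(?::(?P<burst>\d+))?$")

def parse_limit(column):
    """One limit (optionally s:/d:[name:] prefixed) or, since Shorewall 4.6.5,
    two comma-separated limits that are per-source then per-destination."""
    if column in (None, "-"):
        return []
    parts = column.split(",")
    if len(parts) > 2:
        raise ValueError(f"at most two limits allowed: {column!r}")
    limits = []
    for i, part in enumerate(parts):
        m = _LIMIT_RE.match(part)
        if not m:
            raise ValueError(f"malformed limit {part!r}")
        scope = m["scope"] if len(parts) == 1 else "sd"[i]
        limits.append(Limit(scope, m["name"] or "shorewall", int(m["rate"]),
                            m["unit"], int(m["burst"]) if m["burst"] else 5))
    return limits

def _zones(spec):
    """'zone[,...][+]', '$FW', 'all' or 'all+' -> (zone list, has '+')."""
    return spec.rstrip("+").split(","), spec.endswith("+")

def parse_policy_file(text):
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()        # drop comments / blank lines
        if not line:
            continue
        cols = line.split()
        if len(cols) < 3:
            raise ValueError(f"SOURCE, DEST and POLICY are required: {raw!r}")
        cols += ["-"] * (5 - len(cols))            # optional LOG LEVEL, BURST:LIMIT
        src, src_plus = _zones(cols[0])
        dst, dst_plus = _zones(cols[1])
        entries.append(Policy(src, src_plus, dst, dst_plus, cols[2].split(":")[0],
                              None if cols[3] == "-" else cols[3], parse_limit(cols[4])))
    return entries

def matches(entry, src, dst):
    """Does this entry apply to a new connection from zone src to zone dst?"""
    if not (("all" in entry.source or src in entry.source)
            and ("all" in entry.dest or dst in entry.dest)):
        return False
    if src != dst:
        return True
    # Intra-zone: "all" leaves the implicit ACCEPT alone; only an explicit
    # "zone zone" entry or a '+' suffix overrides it.
    return (entry.source == [src] and entry.dest == [dst]
            or entry.source_plus or entry.dest_plus)

def first_match(entries, src, dst):
    """Index of the first matching entry (file order decides), or None."""
    return next((i for i, e in enumerate(entries) if matches(e, src, dst)), None)

def policy_for(entries, src, dst):
    """(POLICY, log level); implicit ACCEPT zone-to-itself; None if no policy."""
    i = first_match(entries, src, dst)
    if i is None:
        return ("ACCEPT", None) if src == dst else None
    return entries[i].action, entries[i].log_level

def unreachable_entries(entries, zones):
    """Indices of entries no zone pair can reach: shadowed by an earlier entry."""
    reached = {first_match(entries, s, d) for s in zones for d in zones}
    return [i for i in range(len(entries)) if i not in reached]
```

Running `unreachable_entries` over the zones from shorewall-zones(5) is a cheap pre-deployment check: with the EXAMPLE file it returns an empty list, while moving the `all all REJECT info` line to the top makes both later entries unreachable, so `loc` to `net` traffic is rejected instead of accepted without any error from the file itself.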