policy

sharewall is very good

#
# Shorewall version 3.4 - Sample Policy File for three-interface configuration.
# Copyright (C) 2006 by the Shorewall Team
#
# This library is free software; you can redistribute it and/or
# modify it under the terms of the GNU Lesser General Public
# License as published by the Free Software Foundation; either
# version 2.1 of the License, or (at your option) any later version.
#
# See the file README.txt for further details.
#------------------------------------------------------------------------------
# For information about entries in this file, type "man shorewall-policy"
#
# See http://shorewall.net/Documentation.htm#Policy for additional information.
#
###############################################################################
#SOURCE		DEST		POLICY		LOG LEVEL	LIMIT:BURST

#
# Note about policies and logging:
#	This file contains an explicit policy for every combination of
#	zones defined in this sample.  This is solely for the purpose of
#	providing more specific messages in the logs.  This is not
#	necessary for correct operation of the firewall, but greatly
#	assists in diagnosing problems. The policies below are logically
#	equivalent to:
#
#	loc	net		ACCEPT
#	net	all		DROP		info
#	all	all		REJECT		info
#
#	The Shorewall-perl compiler will generate the individual policies
#	below from the above general policies if you set 
#	EXPAND_POLICIES=Yes in shorewall.conf. 
#

#
# Policies for traffic originating from the local LAN (loc)
#
# If you want to force clients to access the Internet via a proxy server
# in your DMZ, change the following policy to REJECT info.
loc		net		ACCEPT
# If you want open access to DMZ from loc, change the following policy
# to ACCEPT.  (If you chose not to do this, you will need to add a rule
# for each service in the rules file.)
loc		dmz		REJECT		info
loc		$FW		REJECT		info
loc		all		REJECT		info

#
# Policies for traffic originating from the firewall ($FW)
#
# If you want open access to the Internet from your firewall, change the
# $FW to net policy to ACCEPT and remove the 'info' LOG LEVEL.
$FW		net		REJECT		info
$FW		dmz		REJECT		info
$FW		loc		REJECT		info
$FW		all		REJECT		info

#
# Policies for traffic originating from the De-Militarized Zone (dmz)
#
# If you want open access from DMZ to the Internet change the following
# policy to ACCEPT.  This may be useful if you run a proxy server in
# your DMZ.
dmz		net		REJECT		info
dmz		$FW		REJECT		info
dmz		loc		REJECT		info
dmz		all		REJECT		info

#
# Policies for traffic originating from the Internet zone (net)
#
net		dmz		DROP		info
net		$FW		DROP		info
net		loc		DROP		info
net		all		DROP		info

# THE FOLLOWING POLICY MUST BE LAST
all		all		REJECT		info

#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE