From ae2529386d2288753946f3598f91d1e95b84b5d9 Mon Sep 17 00:00:00 2001
From: Jessica Frazelle
Date: Tue, 28 Jul 2015 04:13:26 -0700
Subject: [PATCH] updates for shorewall configs

Signed-off-by: Jessica Frazelle
---
 shorewall/etc/interfaces | 4 ++--
 shorewall/etc/masq | 3 +--
 shorewall/etc/policy | 8 +++++---
 shorewall/etc/rules | 7 ++++---
 4 files changed, 12 insertions(+), 10 deletions(-)

diff --git a/shorewall/etc/interfaces b/shorewall/etc/interfaces
index b9994bf..c491b56 100644
--- a/shorewall/etc/interfaces
+++ b/shorewall/etc/interfaces
@@ -11,5 +11,5 @@
 ###############################################################################
 #ZONE INTERFACE OPTIONS
 - lo ignore
-dock docker0
-net all dhcp,physical=+,routeback
+dock docker0 bridge
+net all dhcp,physical=+
diff --git a/shorewall/etc/masq b/shorewall/etc/masq
index dc73582..aaafc88 100644
--- a/shorewall/etc/masq
+++ b/shorewall/etc/masq
@@ -9,5 +9,4 @@
 ################################################################################################################
 #INTERFACE:DEST SOURCE ADDRESS PROTO PORT(S) IPSEC MARK USER/ SWITCH ORIGINAL
 # GROUP DEST
-#eth0 172.17.0.0/16
-#wlan0 172.17.42.1/24
+#net 172.17.0.0/16
diff --git a/shorewall/etc/policy b/shorewall/etc/policy
index 861cb97..9d08354 100644
--- a/shorewall/etc/policy
+++ b/shorewall/etc/policy
@@ -7,11 +7,13 @@
 # http://www.shorewall.net/manpages/shorewall-policy.html
 #
 ###############################################################################
-#SOURCE DEST POLICY LOG LIMIT: CONNLIMIT:
+#SOURCE DEST POLICY LOG LIMIT: CONNLIMIT:
 # LEVEL BURST MASK
-dock all ACCEPT
-# on a server you would obviously want to accept
+dock net ACCEPT
+dock fw ACCEPT
+
 net dock DROP
 net all DROP
+
 fw net ACCEPT
 fw dock ACCEPT
diff --git a/shorewall/etc/rules b/shorewall/etc/rules
index e304808..9b7ca12 100644
--- a/shorewall/etc/rules
+++ b/shorewall/etc/rules
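Review bot: The `bridge` option added on the `dock docker0` line also turns on `routeback` for that interface, while the same hunk drops `routeback` from the `net` line, so the two edits are not a like-for-like move and the file should say so. A one-line comment above the docker0 entry, `# bridge implies routeback, needed for container-to-container traffic via docker0`, would keep the next reader from re-adding the option. Note also that `net` stays bound to the wildcard `physical=+`, so every interface not listed here (including, presumably, any bridge Docker creates for an additional network) lands in the `net` zone and gets the net DROP policies; if that is the intent, a comment on the `net` line stating it would help, otherwise such bridges need their own entry.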
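Review bot: The new `#net 172.17.0.0/16` line in masq uses a zone name in the INTERFACE column, but as far as I can tell that column takes the logical interface name, which per the interfaces file in this same commit is `all` (the name given the `physical=+` wildcard), not `net`. The line is commented out today so nothing breaks, but if it is meant as the template to uncomment later it should read `#all 172.17.0.0/16`, or carry a comment explaining that masquerading for the container subnet is left to Docker's own rules.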
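Review bot: The `net dock DROP` and `net all DROP` policies carry no LOG LEVEL, so everything silently dropped from the net zone (including whatever the new per-zone `dock` policies exclude) leaves no trace for detection or debugging; `net dock DROP info` and `net all DROP info` would log at the default rate. The new `dock fw ACCEPT` line also gives every container unrestricted access to any service listening on the host, which is a broader trust than the replaced `dock all ACCEPT` comment suggested was deliberate; if that is intended, a comment stating why (or a narrower set of entries in the rules file with this policy tightened) would document the decision.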
@@ -16,7 +16,8 @@
 ?SECTION UNTRACKED
 ?SECTION NEW
 Invalid(DROP) net $FW tcp
-# on a server you would obiously want to accept here
-SSH(DROP) net $FW
+Invalid(DROP) net dock tcp
+Invalid(DROP) net dock udp
+#SSH(ACCEPT) net $FW # on a server you would obviously want to accept here
-Ping(DROP) net $FW
+#Ping(ACCEPT) net $FW