Commit | Line | Data |
---|---|---|
ec6b1100 | 1 | # Example VM firewall configuration |
41b6fef1 | 2 | |
7e8b8ae7 AD |
3 | # VM specific firewall options |
4 | [OPTIONS] | |
41b6fef1 DM |
5 | |
6 | # disable/enable the whole thing | |
7 | enable: 1 | |
8 | ||
9 | # disable/enable MAC address filter | |
10 | macfilter: 0 | |
11 | ||
c5e8b008 AD |
12 | # limit layer2 specific protocols |
13 | layer2_protocols: ARP,802_1Q,IPX,NetBEUI,PPP | |
14 | ||
41b6fef1 | 15 | # default policy |
72f63fde DM |
16 | policy_in: DROP |
17 | policy_out: REJECT | |
41b6fef1 | 18 | |
178a63be DM |
19 | # log dropped incoming connections |
20 | log_level_in: info | |
21 | ||
22 | # disable log for outgoing connections | |
23 | log_level_out: nolog | |
24 | ||
41b6fef1 DM |
25 | # enable DHCP |
26 | dhcp: 1 | |
27 | ||
b47ecc88 AD |
28 | # enable ips |
29 | ips: 1 | |
30 | ||
31 | # specify nfqueue queues (optional) | |
32 | #ips_queues: 0 | |
33 | ips_queues: 0:3 | |
34 | ||
d5628378 DM |
35 | [IPSET ipfilter-net0] # only allow specified IPs on net0 |
36 | 192.168.2.10 | |
ec6b1100 | 37 | |
92e976b3 | 38 | [RULES] |
ec6b1100 | 39 | |
dba740a9 DM |
40 | #TYPE ACTION [OPTIONS] |
41 | # -i <INTERFACE> | |
42 | # -source <SOURCE> | |
43 | # -dest <DEST> | |
44 | # -p <PROTOCOL> | |
45 | # -dport <DESTINATION_PORT> | |
46 | # -sport <SOURCE_PORT> | |
47 | ||
48 | IN SSH(ACCEPT) -i net0 | |
49 | IN SSH(ACCEPT) -i net0 # a comment | |
50 | IN SSH(ACCEPT) -i net0 -source 192.168.2.192 # only allow SSH from 192.168.2.192 | |
51 | IN SSH(ACCEPT) -i net0 -source 10.0.0.1-10.0.0.10 #accept SSH for ip in range 10.0.0.1 to 10.0.0.10 | |
52 | IN SSH(ACCEPT) -i net0 -source 10.0.0.1,10.0.0.2,10.0.0.3 #accept ssh for 10.0.0.1 or 10.0.0.2 or 10.0.0.3 | |
d5628378 | 53 | IN SSH(ACCEPT) -i net0 -source +mynetgroup #accept ssh for ipset mynetgroup |
dba740a9 | 54 | IN SSH(ACCEPT) -i net0 -source myserveralias #accept ssh for alias myserveralias |
a2dbb47b AD |
55 | IN SSH(ACCEPT) -i net0 -source FE80:0000:0000:0000:0202:B3FF:FE1E:8329 |
56 | IN ACCEPT -i net0 -p icmpv6 | |
dba740a9 DM |
57 | |
58 | |IN SSH(ACCEPT) -i net0 # disabled rule | |
ec6b1100 | 59 | |
92e976b3 | 60 | # add a security group |
dba740a9 | 61 | GROUP group1 -i net0 |
ec6b1100 | 62 | |
dba740a9 DM |
63 | OUT DNS(ACCEPT) -i net0 |
64 | OUT Ping(ACCEPT) -i net0 | |
92e976b3 | 65 | OUT SSH(ACCEPT) |
ec6b1100 DM |
66 | |
67 | ||
68 |