Commit | Line | Data |
---|---|---|
c4a2e5ae DM | 1 | [OPTIONS] |
c4a2e5ae DM | 2 | |
51e57fee | 3 | # enable firewall (cluster wide setting, default is disabled) |
c4a2e5ae DM | 4 | enable: 1 |
c4a2e5ae DM | 5 | |
63324b09 DM | 6 | # default policy for host rules |
63324b09 DM | 7 | policy_in: DROP |
63324b09 DM | 8 | policy_out: ACCEPT |
63324b09 DM | 9 | |
92e1209b AD | 10 | [ALIASES] |
92e1209b AD | 11 | |
92e1209b AD | 12 | myserveralias 10.0.0.111 |
92e1209b AD | 13 | mynetworkalias 10.0.0.0/24 |
a2dbb47b AD | 14 | myserveraliasipv6 2001:db8:0:85a3:0:0:ac1f:8001 |
a2dbb47b AD | 15 | myserveraliasipv6short 2001:db8:0:85a3::ac1f:8001 |
a2dbb47b AD | 16 | |
92e1209b | 17 | |
c4a2e5ae DM | 18 | [RULES] |
c4a2e5ae DM | 19 | |
dba740a9 | 20 | IN SSH(ACCEPT) -i vmbr0 |
c4a2e5ae | 21 | |
92e976b3 DM | 22 | [group group1] |
92e976b3 DM | 23 | |
dba740a9 DM | 24 | IN ACCEPT -p tcp -dport 22 |
dba740a9 DM | 25 | OUT ACCEPT -p tcp -dport 80 |
dba740a9 DM | 26 | OUT ACCEPT -p icmp |
92e976b3 DM | 27 | |
92e976b3 DM | 28 | [group group3] |
92e976b3 DM | 29 | |
dba740a9 DM | 30 | IN ACCEPT -source 10.0.0.1 |
dba740a9 DM | 31 | IN ACCEPT -source 10.0.0.1-10.0.0.10 |
dba740a9 DM | 32 | IN ACCEPT -source 10.0.0.1,10.0.0.2,10.0.0.3 |
dba740a9 DM | 33 | IN ACCEPT -source +mynetgroup |
dba740a9 DM | 34 | IN ACCEPT -source myserveralias |
a2dbb47b AD | 35 | IN ACCEPT -source myserveraliasipv6 |
a2dbb47b AD | 36 | IN ACCEPT -source 2001:db8:0:85a3:0:0:ac1f:8001 |
34cdedfa | 37 | |
936af352 | 38 | [ipset myipset] |
34cdedfa | 39 | |
2a052ee3 AD | 40 | 192.168.0.1 #mycomment |
2a052ee3 AD | 41 | 172.16.0.10 |
34cdedfa | 42 | 192.168.0.0/24 |
cbb5d6f3 | 43 | ! 10.0.0.0/8 #nomatch - needs kernel 3.7 or newer |
92e1209b | 44 | mynetworkalias |
a2dbb47b AD | 45 | 2001:db8:0:85a3::ac1f:8001 |
a2dbb47b AD | 46 | 2001:db8:0:85a3:0:0:ac1f:8002 |
88733a74 AD | 47 | |
88733a74 AD | 48 | #global ipset blacklist |
88733a74 AD | 49 | [ipset blacklist] |
88733a74 AD | 50 | |
88733a74 AD | 51 | 10.0.0.8 |
8b41cf53 | 52 | 192.168.0.0/24 |
a2dbb47b | 53 | 2001:db8:0:85a3:0:0:ac1f:8001 |