1 | # Example VM firewall configuration | |
2 | ||
3 | # VM-specific firewall options | |
4 | [OPTIONS] | |
5 | ||
6 | # disable/enable the whole firewall | |
7 | enable: 1 | |
8 | ||
9 | # disable/enable MAC address filter | |
10 | macfilter: 0 | |
11 | ||
12 | # limit layer2 specific protocols | |
13 | layer2_protocols: ARP,802_1Q,IPX,NetBEUI,PPP | |
14 | ||
15 | # default policy | |
16 | policy_in: DROP | |
17 | policy_out: REJECT | |
18 | ||
19 | # log dropped incoming connections | |
20 | log_level_in: info | |
21 | ||
22 | # disable logging for outgoing connections | |
23 | log_level_out: nolog | |
24 | ||
25 | # enable DHCP | |
26 | dhcp: 1 | |
27 | ||
28 | # enable ips | |
29 | ips: 1 | |
30 | ||
31 | # specify nfqueue queues (optional) | |
32 | #ips_queues: 0 | |
33 | ips_queues: 0:3 | |
34 | ||
35 | [IPSET ipfilter-net0] # only allow specified IPs on net0 | |
36 | 192.168.2.10 | |
37 | ||
38 | [RULES] | |
39 | ||
40 | # TYPE ACTION [OPTIONS] | |
41 | # -i <INTERFACE> | |
42 | # -source <SOURCE> | |
43 | # -dest <DEST> | |
44 | # -p <PROTOCOL> | |
45 | # -dport <DESTINATION_PORT> | |
46 | # -sport <SOURCE_PORT> | |
47 | ||
48 | IN SSH(ACCEPT) -i net0 | |
49 | IN SSH(ACCEPT) -i net0 # a comment | |
50 | IN SSH(ACCEPT) -i net0 -source 192.168.2.192 # only allow SSH from 192.168.2.192 | |
51 | IN SSH(ACCEPT) -i net0 -source 10.0.0.1-10.0.0.10 # accept SSH from IPs in the range 10.0.0.1 to 10.0.0.10 | |
52 | IN SSH(ACCEPT) -i net0 -source 10.0.0.1,10.0.0.2,10.0.0.3 # accept SSH from 10.0.0.1, 10.0.0.2 or 10.0.0.3 | |
53 | IN SSH(ACCEPT) -i net0 -source +mynetgroup # accept SSH from any address in the ipset mynetgroup | |
54 | IN SSH(ACCEPT) -i net0 -source myserveralias # accept SSH from the alias myserveralias | |
55 | IN SSH(ACCEPT) -i net0 -source FE80:0000:0000:0000:0202:B3FF:FE1E:8329 | |
56 | IN ACCEPT -i net0 -p icmpv6 | |
57 | ||
58 | |IN SSH(ACCEPT) -i net0 # disabled rule (the leading | disables it) | |
59 | ||
60 | # add a security group | |
61 | GROUP group1 -i net0 | |
62 | ||
63 | OUT DNS(ACCEPT) -i net0 | |
64 | OUT Ping(ACCEPT) -i net0 | |
65 | OUT SSH(ACCEPT) | |
66 | ||
67 | ||
68 |