ec6b1100 | 1 | # Example VM firewall configuration |
41b6fef1 | 2 | |
3 | # VM specific firewall options |
4 | [OPTIONS] | |
5 | |
6 | # disable/enable the whole firewall | |
7 | enable: 1 | |
8 | ||
9 | # disable/enable MAC address filter | |
10 | macfilter: 0 | |
11 | ||
12 | # default policy | |
13 | policy_in: DROP |
14 | policy_out: REJECT | |
41b6fef1 | 15 | |
16 | # log dropped incoming connections |
17 | log_level_in: info | |
18 | ||
19 | # disable logging for outgoing connections | |
20 | log_level_out: nolog | |
21 | ||
22 | # enable DHCP |
23 | dhcp: 1 | |
24 | ||
25 | # enable ips |
26 | ips: 1 | |
27 | ||
28 | # specify nfqueue queues (optional) | |
29 | #ips_queues: 0 | |
30 | ips_queues: 0:3 | |
31 | ||
ec6b1100 | 32 | |
92e976b3 | 33 | [RULES] |
ec6b1100 | 34 | |
35 | #TYPE ACTION [OPTIONS] |
36 | # -i <INTERFACE> | |
37 | # -source <SOURCE> | |
38 | # -dest <DEST> | |
39 | # -p <PROTOCOL> | |
40 | # -dport <DESTINATION_PORT> | |
41 | # -sport <SOURCE_PORT> | |
42 | ||
43 | IN SSH(ACCEPT) -i net0 | |
44 | IN SSH(ACCEPT) -i net0 # a comment | |
45 | IN SSH(ACCEPT) -i net0 -source 192.168.2.192 # only allow SSH from 192.168.2.192 | |
46 | IN SSH(ACCEPT) -i net0 -source 10.0.0.1-10.0.0.10 # accept SSH from any IP in the range 10.0.0.1 to 10.0.0.10 | |
47 | IN SSH(ACCEPT) -i net0 -source 10.0.0.1,10.0.0.2,10.0.0.3 # accept SSH from 10.0.0.1, 10.0.0.2 or 10.0.0.3 | |
48 | IN SSH(ACCEPT) -i net0 -source +mynetgroup # accept SSH from the netgroup mynetgroup | |
49 | IN SSH(ACCEPT) -i net0 -source myserveralias # accept SSH from the alias myserveralias | |
50 | ||
51 | |IN SSH(ACCEPT) -i net0 # disabled rule (the leading '|' turns it off) | |
ec6b1100 | 52 | |
92e976b3 | 53 | # add a security group |
dba740a9 | 54 | GROUP group1 -i net0 |
ec6b1100 | 55 | |
56 | OUT DNS(ACCEPT) -i net0 |
57 | OUT Ping(ACCEPT) -i net0 | |
92e976b3 | 58 | OUT SSH(ACCEPT) |
59 | |
60 | ||