change rule format: use named parameters

[pve-firewall.git] / debian / example / 100.fw

# Example VM firewall configuration

# VM specific firewall options
[OPTIONS]

# disable/enable the whole thing
enable: 1 

# disable/enable MAC address filter
macfilter: 0

# default policy
policy_in: DROP
policy_out: REJECT

# log dropped incoming connection
log_level_in: info

# disable log for outgoing connections
log_level_out: nolog

# enable DHCP
dhcp: 1

# enable ips
ips: 1

# specify nfqueue queues (optionnal)
#ips_queues: 0
ips_queues: 0:3


[RULES]

#TYPE ACTION [OPTIONS]
# -i      <INTERFACE>
# -source <SOURCE>
# -dest   <DEST>
# -p      <PROTOCOL>
# -dport  <DESTINATION_PORT>
# -sport  <SOURCE_PORT>

IN SSH(ACCEPT) -i net0
IN SSH(ACCEPT) -i net0 # a comment
IN SSH(ACCEPT) -i net0 -source 192.168.2.192  # only allow SSH from  192.168.2.192
IN SSH(ACCEPT) -i net0 -source 10.0.0.1-10.0.0.10 #accept SSH for ip in range 10.0.0.1 to 10.0.0.10
IN SSH(ACCEPT) -i net0 -source 10.0.0.1,10.0.0.2,10.0.0.3 #accept ssh for 10.0.0.1 or 10.0.0.2 or 10.0.0.3
IN SSH(ACCEPT) -i net0 -source +mynetgroup   #accept ssh for netgroup mynetgroup
IN SSH(ACCEPT) -i net0 -source myserveralias   #accept ssh for alias myserveralias

|IN SSH(ACCEPT) -i net0 # disabled rule

# add a security group
GROUP group1 -i net0

OUT DNS(ACCEPT) -i net0
OUT Ping(ACCEPT) -i net0
OUT SSH(ACCEPT)