[pve-firewall.git] / debian / example / 100.fw

# Example VM firewall configuration

# VM specific firewall options
[OPTIONS]

# disable/enable the whole thing
enable: 1 

# disable/enable MAC address filter
macfilter: 0

# limit layer2 specific protocols
layer2_protocols: ARP,802_1Q,IPX,NetBEUI,PPP

# default policy
policy_in: DROP
policy_out: REJECT

# log dropped incoming connection
log_level_in: info

# disable log for outgoing connections
log_level_out: nolog

# enable DHCP
dhcp: 1

# enable ips
ips: 1

# specify nfqueue queues (optionnal)
#ips_queues: 0
ips_queues: 0:3

[IPSET ipfilter-net0] # only allow specified IPs on net0
192.168.2.10

[RULES]

#TYPE ACTION [OPTIONS]
# -i      <INTERFACE>
# -source <SOURCE>
# -dest   <DEST>
# -p      <PROTOCOL>
# -dport  <DESTINATION_PORT>
# -sport  <SOURCE_PORT>

IN SSH(ACCEPT) -i net0
IN SSH(ACCEPT) -i net0 # a comment
IN SSH(ACCEPT) -i net0 -source 192.168.2.192  # only allow SSH from  192.168.2.192
IN SSH(ACCEPT) -i net0 -source 10.0.0.1-10.0.0.10 #accept SSH for ip in range 10.0.0.1 to 10.0.0.10
IN SSH(ACCEPT) -i net0 -source 10.0.0.1,10.0.0.2,10.0.0.3 #accept ssh for 10.0.0.1 or 10.0.0.2 or 10.0.0.3
IN SSH(ACCEPT) -i net0 -source +mynetgroup   #accept ssh for ipset mynetgroup
IN SSH(ACCEPT) -i net0 -source myserveralias   #accept ssh for alias myserveralias
IN SSH(ACCEPT) -i net0 -source FE80:0000:0000:0000:0202:B3FF:FE1E:8329
IN ACCEPT -i net0 -p icmpv6

|IN SSH(ACCEPT) -i net0 # disabled rule

# add a security group
GROUP group1 -i net0

OUT DNS(ACCEPT) -i net0
OUT Ping(ACCEPT) -i net0
OUT SSH(ACCEPT)
Commit	Line	Data
ec6b1100	1	# Example VM firewall configuration
41b6fef1	2
7e8b8ae7 AD	3	# VM specific firewall options
7e8b8ae7 AD	4	[OPTIONS]
41b6fef1 DM	5
	6	# disable/enable the whole thing
	7	enable: 1
	8
	9	# disable/enable MAC address filter
	10	macfilter: 0
	11
c5e8b008 AD	12	# limit layer2 specific protocols
	13	layer2_protocols: ARP,802_1Q,IPX,NetBEUI,PPP
	14
41b6fef1	15	# default policy
72f63fde DM	16	policy_in: DROP
72f63fde DM	17	policy_out: REJECT
41b6fef1	18
178a63be DM	19	# log dropped incoming connection
	20	log_level_in: info
	21
	22	# disable log for outgoing connections
	23	log_level_out: nolog
	24
41b6fef1 DM	25	# enable DHCP
	26	dhcp: 1
	27
b47ecc88 AD	28	# enable ips
	29	ips: 1
	30
	31	# specify nfqueue queues (optionnal)
	32	#ips_queues: 0
	33	ips_queues: 0:3
	34
d5628378 DM	35	[IPSET ipfilter-net0] # only allow specified IPs on net0
d5628378 DM	36	192.168.2.10
ec6b1100	37
92e976b3	38	[RULES]
ec6b1100	39
dba740a9 DM	40	#TYPE ACTION [OPTIONS]
	41	# -i <INTERFACE>
	42	# -source <SOURCE>
	43	# -dest <DEST>
	44	# -p <PROTOCOL>
	45	# -dport <DESTINATION_PORT>
	46	# -sport <SOURCE_PORT>
	47
	48	IN SSH(ACCEPT) -i net0
	49	IN SSH(ACCEPT) -i net0 # a comment
	50	IN SSH(ACCEPT) -i net0 -source 192.168.2.192 # only allow SSH from 192.168.2.192
	51	IN SSH(ACCEPT) -i net0 -source 10.0.0.1-10.0.0.10 #accept SSH for ip in range 10.0.0.1 to 10.0.0.10
	52	IN SSH(ACCEPT) -i net0 -source 10.0.0.1,10.0.0.2,10.0.0.3 #accept ssh for 10.0.0.1 or 10.0.0.2 or 10.0.0.3
d5628378	53	IN SSH(ACCEPT) -i net0 -source +mynetgroup #accept ssh for ipset mynetgroup
dba740a9	54	IN SSH(ACCEPT) -i net0 -source myserveralias #accept ssh for alias myserveralias
a2dbb47b AD	55	IN SSH(ACCEPT) -i net0 -source FE80:0000:0000:0000:0202:B3FF:FE1E:8329
a2dbb47b AD	56	IN ACCEPT -i net0 -p icmpv6
dba740a9 DM	57
dba740a9 DM	58	\|IN SSH(ACCEPT) -i net0 # disabled rule
ec6b1100	59
92e976b3	60	# add a security group
dba740a9	61	GROUP group1 -i net0
ec6b1100	62
dba740a9 DM	63	OUT DNS(ACCEPT) -i net0
dba740a9 DM	64	OUT Ping(ACCEPT) -i net0
92e976b3	65	OUT SSH(ACCEPT)
ec6b1100 DM	66
	67
	68