[pve-firewall.git] / debian / example / cluster.fw

[OPTIONS]

# enable firewall (cluster wide setting, default is disabled) 
enable: 1

# default policy for host rules
policy_in: DROP
policy_out: ACCEPT

[ALIASES]

myserveralias 10.0.0.111
mynetworkalias 10.0.0.0/24

[RULES]

IN  SSH(ACCEPT) -i vmbr0

[group group1]

IN  ACCEPT -p tcp -dport 22
OUT ACCEPT -p tcp -dport 80
OUT ACCEPT -p icmp

[group group3]

IN  ACCEPT -source 10.0.0.1 
IN  ACCEPT -source 10.0.0.1-10.0.0.10
IN  ACCEPT -source 10.0.0.1,10.0.0.2,10.0.0.3
IN  ACCEPT -source +mynetgroup 
IN  ACCEPT -source myserveralias


[ipset myipset]

192.168.0.1 #mycomment
172.16.0.10
192.168.0.0/24
! 10.0.0.0/8  #nomatch - needs kernel 3.7 or newer
mynetworkalias

#global ipset blacklist
[ipset blacklist]

10.0.0.8
192.168.0.0/24
Commit	Line	Data
c4a2e5ae DM	1	[OPTIONS]
c4a2e5ae DM	2
51e57fee	3	# enable firewall (cluster wide setting, default is disabled)
c4a2e5ae DM	4	enable: 1
c4a2e5ae DM	5
63324b09 DM	6	# default policy for host rules
	7	policy_in: DROP
	8	policy_out: ACCEPT
	9
92e1209b AD	10	[ALIASES]
	11
	12	myserveralias 10.0.0.111
	13	mynetworkalias 10.0.0.0/24
	14
c4a2e5ae DM	15	[RULES]
c4a2e5ae DM	16
dba740a9	17	IN SSH(ACCEPT) -i vmbr0
c4a2e5ae	18
92e976b3 DM	19	[group group1]
92e976b3 DM	20
dba740a9 DM	21	IN ACCEPT -p tcp -dport 22
	22	OUT ACCEPT -p tcp -dport 80
	23	OUT ACCEPT -p icmp
92e976b3 DM	24
	25	[group group3]
	26
dba740a9 DM	27	IN ACCEPT -source 10.0.0.1
	28	IN ACCEPT -source 10.0.0.1-10.0.0.10
	29	IN ACCEPT -source 10.0.0.1,10.0.0.2,10.0.0.3
	30	IN ACCEPT -source +mynetgroup
	31	IN ACCEPT -source myserveralias
92e976b3	32
34cdedfa	33
936af352	34	[ipset myipset]
34cdedfa	35
2a052ee3 AD	36	192.168.0.1 #mycomment
2a052ee3 AD	37	172.16.0.10
34cdedfa	38	192.168.0.0/24
cbb5d6f3	39	! 10.0.0.0/8 #nomatch - needs kernel 3.7 or newer
92e1209b	40	mynetworkalias
88733a74 AD	41
	42	#global ipset blacklist
	43	[ipset blacklist]
	44
	45	10.0.0.8
8b41cf53	46	192.168.0.0/24