projects / pve-firewall.git / blame
| Commit | Line | Data |
|---|---|---|
| c4a2e5ae DM |
1 | [OPTIONS] |
| 2 | ||
| 51e57fee | 3 | # enable firewall (cluster wide setting, default is disabled) |
| c4a2e5ae DM |
4 | enable: 1 |
| 5 | ||
| 63324b09 DM |
6 | # default policy for host rules |
| 7 | policy_in: DROP | |
| 8 | policy_out: ACCEPT | |
| 9 | ||
| 92e1209b AD |
10 | [ALIASES] |
| 11 | ||
| 12 | myserveralias 10.0.0.111 | |
| 13 | mynetworkalias 10.0.0.0/24 | |
| a2dbb47b AD |
14 | myserveraliasipv6 2001:db8:0:85a3:0:0:ac1f:8001 |
| 15 | myserveraliasipv6short 2001:db8:0:85a3::ac1f:8001 | |
| 16 | ||
| 92e1209b | 17 | |
| c4a2e5ae DM |
18 | [RULES] |
| 19 | ||
| dba740a9 | 20 | IN SSH(ACCEPT) -i vmbr0 |
| c4a2e5ae | 21 | |
| 92e976b3 DM |
22 | [group group1] |
| 23 | ||
| dba740a9 DM |
24 | IN ACCEPT -p tcp -dport 22 |
| 25 | OUT ACCEPT -p tcp -dport 80 | |
| 26 | OUT ACCEPT -p icmp | |
| 92e976b3 DM |
27 | |
| 28 | [group group3] | |
| 29 | ||
| dba740a9 DM |
30 | IN ACCEPT -source 10.0.0.1 |
| 31 | IN ACCEPT -source 10.0.0.1-10.0.0.10 | |
| 32 | IN ACCEPT -source 10.0.0.1,10.0.0.2,10.0.0.3 | |
| 33 | IN ACCEPT -source +mynetgroup | |
| 34 | IN ACCEPT -source myserveralias | |
| a2dbb47b AD |
35 | IN ACCEPT -source myserveraliasipv6 |
| 36 | IN ACCEPT -source 2001:db8:0:85a3:0:0:ac1f:8001 | |
| 34cdedfa | 37 | |
| 936af352 | 38 | [ipset myipset] |
| 34cdedfa | 39 | |
| 2a052ee3 AD |
40 | 192.168.0.1 #mycomment |
| 41 | 172.16.0.10 | |
| 34cdedfa | 42 | 192.168.0.0/24 |
| cbb5d6f3 | 43 | ! 10.0.0.0/8 #nomatch - needs kernel 3.7 or newer |
| 92e1209b | 44 | mynetworkalias |
| a2dbb47b AD |
45 | 2001:db8:0:85a3::ac1f:8001 |
| 46 | 2001:db8:0:85a3:0:0:ac1f:8002 | |
| 88733a74 AD |
47 | |
| 48 | #global ipset blacklist | |
| 49 | [ipset blacklist] | |
| 50 | ||
| 51 | 10.0.0.8 | |
| 8b41cf53 | 52 | 192.168.0.0/24 |
| a2dbb47b | 53 | 2001:db8:0:85a3:0:0:ac1f:8001 |