[pve-firewall.git] / debian / example / host.fw

# /etc/pve/local/host.fw

[OPTIONS]

enable: 0
tcp_flags_log_level: info
smurf_log_level: nolog
log_level_in: info
log_level_out: info

# allow more connections (default is 65536)
nf_conntrack_max: 196608

# reduce conntrack established timeout (default is 432000 - 5days)
nf_conntrack_tcp_timeout_established: 7875

# Enable firewall when bridges contains IP address.
# The firewall is not fully functional in that case, so
# you need to enable that explicitly
allow_bridge_route: 1

# disable SMURFS filter
nosmurfs: 0

# filter illegal combinations of TCP flags
tcpflags: 1

# rules processing speed optimizations 
optimize : 1

[RULES]

IN  SSH(ACCEPT) net0
OUT SSH(ACCEPT) net0
Commit	Line	Data
2d404ffc DM	1	# /etc/pve/local/host.fw
	2
	3	[OPTIONS]
	4
	5	enable: 0
	6	tcp_flags_log_level: info
	7	smurf_log_level: nolog
178a63be DM	8	log_level_in: info
178a63be DM	9	log_level_out: info
72f63fde	10
530c005e	11	# allow more connections (default is 65536)
1ec3e3d0	12	nf_conntrack_max: 196608
2d404ffc	13
28c082a1 AD	14	# reduce conntrack established timeout (default is 432000 - 5days)
	15	nf_conntrack_tcp_timeout_established: 7875
	16
530c005e DM	17	# Enable firewall when bridges contains IP address.
	18	# The firewall is not fully functional in that case, so
	19	# you need to enable that explicitly
	20	allow_bridge_route: 1
92e976b3	21
4ac863a6 DM	22	# disable SMURFS filter
	23	nosmurfs: 0
	24
11f12eae DM	25	# filter illegal combinations of TCP flags
	26	tcpflags: 1
	27
cc10e5d7 AD	28	# rules processing speed optimizations
	29	optimize : 1
	30
92e976b3 DM	31	[RULES]
	32
	33	IN SSH(ACCEPT) net0
	34	OUT SSH(ACCEPT) net0