[pve-firewall.git] / example / 100.fw

# Example VM firewall configuration

[OPTIONS] # VM specific firewall options

# disable/enable the whole thing
enable: 1 

# disable/enable MAC address filter
macfilter: 0

# default policy
policy_in: DROP
policy_out: REJECT

# log dropped incoming connection
log_level_in: info

# disable log for outgoing connections
log_level_out: nolog

# filter SMURFS
nosmurfs: 1

# filter illegal combinations of TCP flags
tcpflags: 1

# enable DHCP
dhcp: 1


[RULES]

#TYPE ACTION IFACE SOURCE DEST PROTO D-PORT S-PORT

IN SSH(ACCEPT) net0
IN SSH(ACCEPT) net0 # a comment
IN SSH(ACCEPT) net0 192.168.2.192  # only allow SSH from  192.168.2.192
|IN SSH(ACCEPT) net0 # disabled rule

# add a security group
GROUP group1 net0

OUT DNS(ACCEPT) net0
OUT Ping(ACCEPT) net0
OUT SSH(ACCEPT)
Commit	Line	Data
ec6b1100	1	# Example VM firewall configuration
41b6fef1 DM	2
	3	[OPTIONS] # VM specific firewall options
	4
	5	# disable/enable the whole thing
	6	enable: 1
	7
	8	# disable/enable MAC address filter
	9	macfilter: 0
	10
	11	# default policy
72f63fde DM	12	policy_in: DROP
72f63fde DM	13	policy_out: REJECT
41b6fef1	14
178a63be DM	15	# log dropped incoming connection
	16	log_level_in: info
	17
	18	# disable log for outgoing connections
	19	log_level_out: nolog
	20
41b6fef1 DM	21	# filter SMURFS
	22	nosmurfs: 1
	23
	24	# filter illegal combinations of TCP flags
	25	tcpflags: 1
	26
	27	# enable DHCP
	28	dhcp: 1
	29
ec6b1100	30
92e976b3	31	[RULES]
ec6b1100	32
92e976b3	33	#TYPE ACTION IFACE SOURCE DEST PROTO D-PORT S-PORT
41b6fef1	34
92e976b3 DM	35	IN SSH(ACCEPT) net0
	36	IN SSH(ACCEPT) net0 # a comment
	37	IN SSH(ACCEPT) net0 192.168.2.192 # only allow SSH from 192.168.2.192
	38	\|IN SSH(ACCEPT) net0 # disabled rule
ec6b1100	39
92e976b3 DM	40	# add a security group
92e976b3 DM	41	GROUP group1 net0
ec6b1100	42
92e976b3 DM	43	OUT DNS(ACCEPT) net0
	44	OUT Ping(ACCEPT) net0
	45	OUT SSH(ACCEPT)
ec6b1100 DM	46
	47
	48