]>
Commit | Line | Data |
---|---|---|
ec6b1100 | 1 | # Example VM firewall configuration |
41b6fef1 | 2 | |
7e8b8ae7 AD |
3 | # VM specific firewall options |
4 | [OPTIONS] | |
41b6fef1 DM |
5 | |
6 | # disable/enable the whole thing | |
7 | enable: 1 | |
8 | ||
9 | # disable/enable MAC address filter | |
10 | macfilter: 0 | |
11 | ||
12 | # default policy | |
72f63fde DM |
13 | policy_in: DROP |
14 | policy_out: REJECT | |
41b6fef1 | 15 | |
178a63be DM |
16 | # log dropped incoming connection |
17 | log_level_in: info | |
18 | ||
19 | # disable log for outgoing connections | |
20 | log_level_out: nolog | |
21 | ||
4ac863a6 DM |
22 | # disable SMURFS filter |
23 | nosmurfs: 0 | |
41b6fef1 DM |
24 | |
25 | # filter illegal combinations of TCP flags | |
26 | tcpflags: 1 | |
27 | ||
28 | # enable DHCP | |
29 | dhcp: 1 | |
30 | ||
b47ecc88 AD |
31 | # enable ips |
32 | ips: 1 | |
33 | ||
34 | # specify nfqueue queues (optionnal) | |
35 | #ips_queues: 0 | |
36 | ips_queues: 0:3 | |
37 | ||
ec6b1100 | 38 | |
92e976b3 | 39 | [RULES] |
ec6b1100 | 40 | |
92e976b3 | 41 | #TYPE ACTION IFACE SOURCE DEST PROTO D-PORT S-PORT |
41b6fef1 | 42 | |
92e976b3 DM |
43 | IN SSH(ACCEPT) net0 |
44 | IN SSH(ACCEPT) net0 # a comment | |
45 | IN SSH(ACCEPT) net0 192.168.2.192 # only allow SSH from 192.168.2.192 | |
46 | |IN SSH(ACCEPT) net0 # disabled rule | |
ec6b1100 | 47 | |
92e976b3 DM |
48 | # add a security group |
49 | GROUP group1 net0 | |
ec6b1100 | 50 | |
92e976b3 DM |
51 | OUT DNS(ACCEPT) net0 |
52 | OUT Ping(ACCEPT) net0 | |
53 | OUT SSH(ACCEPT) | |
ec6b1100 DM |
54 | |
55 | ||
56 |