start cluster wide firewall API
ec6b1100 1# Example VM firewall configuration
41b6fef1 2
3# VM specific firewall options
4[OPTIONS]
5
6# enable/disable the whole firewall for this VM
7enable: 1
8
9# enable/disable the MAC address filter
10macfilter: 0
11
12# default policy
13policy_in: DROP
14policy_out: REJECT
41b6fef1 15
16# log dropped incoming connections
17log_level_in: info
18
19# disable logging for outgoing connections
20log_level_out: nolog
21
22# disable SMURFS filter
23nosmurfs: 0
24
25# filter illegal combinations of TCP flags
26tcpflags: 1
27
28# enable DHCP
29dhcp: 1
30
31# enable IPS
32ips: 1
33
34# specify nfqueue queues (optional)
35#ips_queues: 0
36ips_queues: 0:3
37
ec6b1100 38
92e976b3 39[RULES]
ec6b1100 40
92e976b3 41#TYPE ACTION IFACE SOURCE DEST PROTO D-PORT S-PORT
41b6fef1 42
43IN SSH(ACCEPT) net0
44IN SSH(ACCEPT) net0 # a comment
45IN SSH(ACCEPT) net0 192.168.2.192 # only allow SSH from 192.168.2.192
46|IN SSH(ACCEPT) net0 # disabled rule
ec6b1100 47
48# add a security group
49GROUP group1 net0
ec6b1100 50
51OUT DNS(ACCEPT) net0
52OUT Ping(ACCEPT) net0
53OUT SSH(ACCEPT)
54
55
56