[pve-firewall.git] / example / 100.fw

# Example VM firewall configuration

[OPTIONS] # VM specific firewall options

# disable/enable the whole thing
enable: 1 

# disable/enable MAC address filter
macfilter: 0

# default policy
policy-in: DROP
policy-out: REJECT

# log dropped incoming connection
log_level_in: info

# disable log for outgoing connections
log_level_out: nolog

# filter SMURFS
nosmurfs: 1

# filter illegal combinations of TCP flags
tcpflags: 1

# enable DHCP
dhcp: 1


[IN]

#ACTION IFACE SOURCE DEST PROTO D-PORT S-PORT

SSH(ACCEPT) net0
SSH(ACCEPT) net0 # a comment
SSH(ACCEPT) net0 192.168.2.192  # only allow SSH from  192.168.2.192
|SSH(ACCEPT) net0 # disbaled rule

[OUT]


DNS(ACCEPT) net0
Ping(ACCEPT) net0
SSH(ACCEPT)
Commit	Line	Data
ec6b1100	1	# Example VM firewall configuration
41b6fef1 DM	2
	3	[OPTIONS] # VM specific firewall options
	4
	5	# disable/enable the whole thing
	6	enable: 1
	7
	8	# disable/enable MAC address filter
	9	macfilter: 0
	10
	11	# default policy
	12	policy-in: DROP
	13	policy-out: REJECT
	14
178a63be DM	15	# log dropped incoming connection
	16	log_level_in: info
	17
	18	# disable log for outgoing connections
	19	log_level_out: nolog
	20
41b6fef1 DM	21	# filter SMURFS
	22	nosmurfs: 1
	23
	24	# filter illegal combinations of TCP flags
	25	tcpflags: 1
	26
	27	# enable DHCP
	28	dhcp: 1
	29
ec6b1100	30
ec6b1100 DM	31	[IN]
ec6b1100 DM	32
41b6fef1 DM	33	#ACTION IFACE SOURCE DEST PROTO D-PORT S-PORT
	34
	35	SSH(ACCEPT) net0
	36	SSH(ACCEPT) net0 # a comment
	37	SSH(ACCEPT) net0 192.168.2.192 # only allow SSH from 192.168.2.192
	38	\|SSH(ACCEPT) net0 # disbaled rule
ec6b1100 DM	39
	40	[OUT]
	41
	42
	43	DNS(ACCEPT) net0
	44	Ping(ACCEPT) net0
	45	SSH(ACCEPT)
	46
	47
	48