[pve-firewall.git] / example / cluster.fw

[OPTIONS]

enable: 1

# default policy for host rules
policy_in: DROP
policy_out: ACCEPT

[RULES]

IN  SSH(ACCEPT) vmbr0

[group group1]

IN  ACCEPT - - tcp 22 -
OUT ACCEPT - - tcp 80 -
OUT ACCEPT - - icmp - -

[group group3]

IN  ACCEPT 10.0.0.1 
IN  ACCEPT 10.0.0.1-10.0.0.10
IN  ACCEPT 10.0.0.1,10.0.0.2,10.0.0.3
IN  ACCEPT +mynetgroup 


[ipset myipset]

192.168.0.1 #mycomment
172.16.0.10
192.168.0.0/24
! 10.0.0.0/8  #nomatch - needs kernel 3.7 or newer
Commit	Line	Data
c4a2e5ae DM	1	[OPTIONS]
	2
	3	enable: 1
	4
63324b09 DM	5	# default policy for host rules
	6	policy_in: DROP
	7	policy_out: ACCEPT
	8
c4a2e5ae DM	9	[RULES]
	10
	11	IN SSH(ACCEPT) vmbr0
	12
92e976b3 DM	13	[group group1]
	14
	15	IN ACCEPT - - tcp 22 -
	16	OUT ACCEPT - - tcp 80 -
	17	OUT ACCEPT - - icmp - -
	18
	19	[group group3]
	20
	21	IN ACCEPT 10.0.0.1
ba791b1f AD	22	IN ACCEPT 10.0.0.1-10.0.0.10
	23	IN ACCEPT 10.0.0.1,10.0.0.2,10.0.0.3
	24	IN ACCEPT +mynetgroup
92e976b3	25
34cdedfa	26
936af352	27	[ipset myipset]
34cdedfa	28
2a052ee3 AD	29	192.168.0.1 #mycomment
2a052ee3 AD	30	172.16.0.10
34cdedfa	31	192.168.0.0/24
cbb5d6f3	32	! 10.0.0.0/8 #nomatch - needs kernel 3.7 or newer
34cdedfa	33