[pve-firewall.git] / debian / example / 100.fw

# Example VM firewall configuration

# VM specific firewall options
[OPTIONS]

# disable/enable the whole thing
enable: 1 

# disable/enable MAC address filter
macfilter: 0

# default policy
policy_in: DROP
policy_out: REJECT

# log dropped incoming connection
log_level_in: info

# disable log for outgoing connections
log_level_out: nolog

# enable DHCP
dhcp: 1

# enable ips
ips: 1

# specify nfqueue queues (optionnal)
#ips_queues: 0
ips_queues: 0:3


[RULES]

#TYPE ACTION IFACE SOURCE DEST PROTO D-PORT S-PORT

IN SSH(ACCEPT) net0
IN SSH(ACCEPT) net0 # a comment
IN SSH(ACCEPT) net0 192.168.2.192  # only allow SSH from  192.168.2.192
IN SSH(ACCEPT) net0 10.0.0.1-10.0.0.10 #accept SSH for ip in range 10.0.0.1 to 10.0.0.10
IN SSH(ACCEPT) net0 10.0.0.1,10.0.0.2,10.0.0.3 #accept ssh for 10.0.0.1 or 10.0.0.2 or 10.0.0.3
IN SSH(ACCEPT) net0 +mynetgroup   #accept ssh for netgroup mynetgroup

|IN SSH(ACCEPT) net0 # disabled rule

# add a security group
GROUP group1 net0

OUT DNS(ACCEPT) net0
OUT Ping(ACCEPT) net0
OUT SSH(ACCEPT)
Commit	Line	Data
	1	# Example VM firewall configuration
	2
	3	# VM specific firewall options
	4	[OPTIONS]
	5
	6	# disable/enable the whole thing
	7	enable: 1
	8
	9	# disable/enable MAC address filter
	10	macfilter: 0
	11
	12	# default policy
	13	policy_in: DROP
	14	policy_out: REJECT
	15
	16	# log dropped incoming connection
	17	log_level_in: info
	18
	19	# disable log for outgoing connections
	20	log_level_out: nolog
	21
	22	# enable DHCP
	23	dhcp: 1
	24
	25	# enable ips
	26	ips: 1
	27
	28	# specify nfqueue queues (optionnal)
	29	#ips_queues: 0
	30	ips_queues: 0:3
	31
	32
	33	[RULES]
	34
	35	#TYPE ACTION IFACE SOURCE DEST PROTO D-PORT S-PORT
	36
	37	IN SSH(ACCEPT) net0
	38	IN SSH(ACCEPT) net0 # a comment
	39	IN SSH(ACCEPT) net0 192.168.2.192 # only allow SSH from 192.168.2.192
	40	IN SSH(ACCEPT) net0 10.0.0.1-10.0.0.10 #accept SSH for ip in range 10.0.0.1 to 10.0.0.10
	41	IN SSH(ACCEPT) net0 10.0.0.1,10.0.0.2,10.0.0.3 #accept ssh for 10.0.0.1 or 10.0.0.2 or 10.0.0.3
	42	IN SSH(ACCEPT) net0 +mynetgroup #accept ssh for netgroup mynetgroup
	43
	44	\|IN SSH(ACCEPT) net0 # disabled rule
	45
	46	# add a security group
	47	GROUP group1 net0
	48
	49	OUT DNS(ACCEPT) net0
	50	OUT Ping(ACCEPT) net0
	51	OUT SSH(ACCEPT)
	52
	53
	54