1 | [OPTIONS] | |
2 | ||
3 | # enable firewall (cluster-wide setting, default is disabled) | |
4 | enable: 1 | |
5 | ||
6 | # default policy for host rules | |
7 | policy_in: DROP | |
8 | policy_out: ACCEPT | |
9 | ||
10 | [ALIASES] | |
11 | ||
12 | myserveralias 10.0.0.111 | |
13 | mynetworkalias 10.0.0.0/24 | |
14 | ||
15 | [RULES] | |
16 | ||
17 | IN SSH(ACCEPT) vmbr0 | |
18 | ||
19 | [group group1] | |
20 | ||
21 | IN ACCEPT - - tcp 22 - | |
22 | OUT ACCEPT - - tcp 80 - | |
23 | OUT ACCEPT - - icmp - - | |
24 | ||
25 | [group group3] | |
26 | ||
27 | IN ACCEPT 10.0.0.1 | |
28 | IN ACCEPT 10.0.0.1-10.0.0.10 | |
29 | IN ACCEPT 10.0.0.1,10.0.0.2,10.0.0.3 | |
30 | IN ACCEPT +mynetgroup | |
31 | IN ACCEPT myserveralias | |
32 | ||
33 | ||
34 | [ipset myipset] | |
35 | ||
36 | 192.168.0.1 #mycomment | |
37 | 172.16.0.10 | |
38 | 192.168.0.0/24 | |
39 | ! 10.0.0.0/8 # nomatch - needs kernel 3.7 or newer | |
40 | mynetworkalias | |
41 | ||
42 | # global ipset blacklist | |
43 | [ipset blacklist] | |
44 | ||
45 | 10.0.0.8 | |
46 | 192.168.0./24 |