[pve-firewall.git] / example / 100.fw

# Example VM firewall configuration

[OPTIONS] # VM specific firewall options

# disable/enable the whole thing
enable: 1 

# disable/enable MAC address filter
macfilter: 0

# default policy
policy_in: DROP
policy_out: REJECT

# log dropped incoming connection
log_level_in: info

# disable log for outgoing connections
log_level_out: nolog

# filter SMURFS
nosmurfs: 1

# filter illegal combinations of TCP flags
tcpflags: 1

# enable DHCP
dhcp: 1


[RULES]

#TYPE ACTION IFACE SOURCE DEST PROTO D-PORT S-PORT

IN SSH(ACCEPT) net0
IN SSH(ACCEPT) net0 # a comment
IN SSH(ACCEPT) net0 192.168.2.192  # only allow SSH from  192.168.2.192
|IN SSH(ACCEPT) net0 # disabled rule

# add a security group
GROUP group1 net0

OUT DNS(ACCEPT) net0
OUT Ping(ACCEPT) net0
OUT SSH(ACCEPT)
Commit	Line	Data
	1	# Example VM firewall configuration
	2
	3	[OPTIONS] # VM specific firewall options
	4
	5	# disable/enable the whole thing
	6	enable: 1
	7
	8	# disable/enable MAC address filter
	9	macfilter: 0
	10
	11	# default policy
	12	policy_in: DROP
	13	policy_out: REJECT
	14
	15	# log dropped incoming connection
	16	log_level_in: info
	17
	18	# disable log for outgoing connections
	19	log_level_out: nolog
	20
	21	# filter SMURFS
	22	nosmurfs: 1
	23
	24	# filter illegal combinations of TCP flags
	25	tcpflags: 1
	26
	27	# enable DHCP
	28	dhcp: 1
	29
	30
	31	[RULES]
	32
	33	#TYPE ACTION IFACE SOURCE DEST PROTO D-PORT S-PORT
	34
	35	IN SSH(ACCEPT) net0
	36	IN SSH(ACCEPT) net0 # a comment
	37	IN SSH(ACCEPT) net0 192.168.2.192 # only allow SSH from 192.168.2.192
	38	\|IN SSH(ACCEPT) net0 # disabled rule
	39
	40	# add a security group
	41	GROUP group1 net0
	42
	43	OUT DNS(ACCEPT) net0
	44	OUT Ping(ACCEPT) net0
	45	OUT SSH(ACCEPT)
	46
	47
	48