[pve-firewall.git] / example / 100.fw

# Example VM firewall configuration

# VM specific firewall options
[OPTIONS]

# disable/enable the whole thing
enable: 1 

# disable/enable MAC address filter
macfilter: 0

# default policy
policy_in: DROP
policy_out: REJECT

# log dropped incoming connection
log_level_in: info

# disable log for outgoing connections
log_level_out: nolog

# disable SMURFS filter
nosmurfs: 0

# filter illegal combinations of TCP flags
tcpflags: 1

# enable DHCP
dhcp: 1


[RULES]

#TYPE ACTION IFACE SOURCE DEST PROTO D-PORT S-PORT

IN SSH(ACCEPT) net0
IN SSH(ACCEPT) net0 # a comment
IN SSH(ACCEPT) net0 192.168.2.192  # only allow SSH from  192.168.2.192
|IN SSH(ACCEPT) net0 # disabled rule

# add a security group
GROUP group1 net0

OUT DNS(ACCEPT) net0
OUT Ping(ACCEPT) net0
OUT SSH(ACCEPT)
Commit	Line	Data
	1	# Example VM firewall configuration
	2
	3	# VM specific firewall options
	4	[OPTIONS]
	5
	6	# disable/enable the whole thing
	7	enable: 1
	8
	9	# disable/enable MAC address filter
	10	macfilter: 0
	11
	12	# default policy
	13	policy_in: DROP
	14	policy_out: REJECT
	15
	16	# log dropped incoming connection
	17	log_level_in: info
	18
	19	# disable log for outgoing connections
	20	log_level_out: nolog
	21
	22	# disable SMURFS filter
	23	nosmurfs: 0
	24
	25	# filter illegal combinations of TCP flags
	26	tcpflags: 1
	27
	28	# enable DHCP
	29	dhcp: 1
	30
	31
	32	[RULES]
	33
	34	#TYPE ACTION IFACE SOURCE DEST PROTO D-PORT S-PORT
	35
	36	IN SSH(ACCEPT) net0
	37	IN SSH(ACCEPT) net0 # a comment
	38	IN SSH(ACCEPT) net0 192.168.2.192 # only allow SSH from 192.168.2.192
	39	\|IN SSH(ACCEPT) net0 # disabled rule
	40
	41	# add a security group
	42	GROUP group1 net0
	43
	44	OUT DNS(ACCEPT) net0
	45	OUT Ping(ACCEPT) net0
	46	OUT SSH(ACCEPT)
	47
	48
	49