[pve-firewall.git] / example / host.fw

# /etc/pve/local/host.fw

[OPTIONS]

enable: 0
tcp_flags_log_level: info
smurf_log_level: nolog
log_level_in: info
log_level_out: info

# default policy
policy_in: DROP
policy_out: ACCEPT

# allow more connections (default is 65536)
nf_conntrack_max: 196608

# Enable firewall when bridges contains IP address.
# The firewall is not fully functional in that case, so
# you need to enable that explicitly
allow_bridge_route: 1

# disable SMURFS filter
nosmurfs: 0

# filter illegal combinations of TCP flags
tcpflags: 1

# rules processing speed optimizations 
optimize : 1

[RULES]

IN  SSH(ACCEPT) net0
OUT SSH(ACCEPT) net0
Commit	Line	Data
	1	# /etc/pve/local/host.fw
	2
	3	[OPTIONS]
	4
	5	enable: 0
	6	tcp_flags_log_level: info
	7	smurf_log_level: nolog
	8	log_level_in: info
	9	log_level_out: info
	10
	11	# default policy
	12	policy_in: DROP
	13	policy_out: ACCEPT
	14
	15	# allow more connections (default is 65536)
	16	nf_conntrack_max: 196608
	17
	18	# Enable firewall when bridges contains IP address.
	19	# The firewall is not fully functional in that case, so
	20	# you need to enable that explicitly
	21	allow_bridge_route: 1
	22
	23	# disable SMURFS filter
	24	nosmurfs: 0
	25
	26	# filter illegal combinations of TCP flags
	27	tcpflags: 1
	28
	29	# rules processing speed optimizations
	30	optimize : 1
	31
	32	[RULES]
	33
	34	IN SSH(ACCEPT) net0
	35	OUT SSH(ACCEPT) net0