1 # Example VM firewall configuration
2
3 # VM specific firewall options
4 [OPTIONS]
5
6 # enable/disable the whole VM firewall
7 enable: 1
8
9 # disable/enable MAC address filter
10 macfilter: 0
11
12 # limit layer2 specific protocols
13 layer2_protocols: ARP,802_1Q,IPX,NetBEUI,PPP
14
15 # default policy
16 policy_in: DROP
17 policy_out: REJECT
18
19 # log dropped incoming connections
20 log_level_in: info
21
22 # disable logging for outgoing connections
23 log_level_out: nolog
24
25 # enable DHCP
26 dhcp: 1
27
28 # enable IPS (intrusion prevention system)
29 ips: 1
30
31 # specify nfqueue queues (optional)
32 #ips_queues: 0
33 ips_queues: 0:3
34
35 [IPSET ipfilter-net0] # only allow specified IPs on net0
36 192.168.2.10
37
38 [RULES]
39
40 #TYPE ACTION [OPTIONS]
41 # -i <INTERFACE>
42 # -source <SOURCE>
43 # -dest <DEST>
44 # -p <PROTOCOL>
45 # -dport <DESTINATION_PORT>
46 # -sport <SOURCE_PORT>
47
48 IN SSH(ACCEPT) -i net0
49 IN SSH(ACCEPT) -i net0 # a comment
50 IN SSH(ACCEPT) -i net0 -source 192.168.2.192 # only allow SSH from 192.168.2.192
51 IN SSH(ACCEPT) -i net0 -source 10.0.0.1-10.0.0.10 # accept SSH from IPs in the range 10.0.0.1 to 10.0.0.10
52 IN SSH(ACCEPT) -i net0 -source 10.0.0.1,10.0.0.2,10.0.0.3 # accept SSH from 10.0.0.1, 10.0.0.2 or 10.0.0.3
53 IN SSH(ACCEPT) -i net0 -source +mynetgroup # accept SSH from the ipset mynetgroup
54 IN SSH(ACCEPT) -i net0 -source myserveralias # accept SSH from the alias myserveralias
55 IN SSH(ACCEPT) -i net0 -source FE80:0000:0000:0000:0202:B3FF:FE1E:8329
56 IN ACCEPT -i net0 -p icmpv6
57
58 |IN SSH(ACCEPT) -i net0 # disabled rule
59
60 # add a security group
61 GROUP group1 -i net0
62
63 OUT DNS(ACCEPT) -i net0
64 OUT Ping(ACCEPT) -i net0
65 OUT SSH(ACCEPT)
66
67
68