1 [OPTIONS]
2
3 # enable the firewall (cluster-wide setting; the default is disabled)
4 enable: 1
5
6 # default policies for host rules (inbound and outbound)
7 policy_in: DROP
8 policy_out: ACCEPT
9
10 [ALIASES]
11
12 myserveralias 10.0.0.111
13 mynetworkalias 10.0.0.0/24
14
15 [RULES]
16
17 IN SSH(ACCEPT) -i vmbr0
18
19 [group group1]
20
21 IN ACCEPT -p tcp -dport 22
22 OUT ACCEPT -p tcp -dport 80
23 OUT ACCEPT -p icmp
24
25 [group group3]
26
27 IN ACCEPT -source 10.0.0.1
28 IN ACCEPT -source 10.0.0.1-10.0.0.10
29 IN ACCEPT -source 10.0.0.1,10.0.0.2,10.0.0.3
30 IN ACCEPT -source +mynetgroup
31 IN ACCEPT -source myserveralias
32
33
34 [ipset myipset]
35
36 192.168.0.1 #mycomment
37 172.16.0.10
38 192.168.0.0/24
39 ! 10.0.0.0/8 # nomatch entry (leading '!') - needs kernel 3.7 or newer
40 mynetworkalias
41
42 # global ipset "blacklist"
43 [ipset blacklist]
44
45 10.0.0.8
46 192.168.0.0/24