debian/example/cluster.fw

   1 [OPTIONS]
   2
   3 # enable firewall (cluster wide setting, default is disabled)
   4 enable: 1
   5
   6 # default policy for host rules
   7 policy_in: DROP
   8 policy_out: ACCEPT
   9
  10 [ALIASES]
  11
  12 myserveralias 10.0.0.111
  13 mynetworkalias 10.0.0.0/24
  14
  15 [RULES]
  16
  17 IN  SSH(ACCEPT) -i vmbr0
  18
  19 [group group1]
  20
  21 IN  ACCEPT -p tcp -dport 22
  22 OUT ACCEPT -p tcp -dport 80
  23 OUT ACCEPT -p icmp
  24
  25 [group group3]
  26
  27 IN  ACCEPT -source 10.0.0.1
  28 IN  ACCEPT -source 10.0.0.1-10.0.0.10
  29 IN  ACCEPT -source 10.0.0.1,10.0.0.2,10.0.0.3
  30 IN  ACCEPT -source +mynetgroup
  31 IN  ACCEPT -source myserveralias
  32
  33
  34 [ipset myipset]
  35
  36 192.168.0.1 #mycomment
  37 172.16.0.10
  38 192.168.0.0/24
  39 ! 10.0.0.0/8  #nomatch - needs kernel 3.7 or newer
  40 mynetworkalias
  41
  42 #global ipset blacklist
  43 [ipset blacklist]
  44
  45 10.0.0.8
  46 192.168.0.0/24