[pve-firewall.git] / debian / example / cluster.fw
# Cluster-wide firewall options for this example.
# NOTE(review): enable: 1 combined with policy_in: DROP means inbound host
# traffic is dropped unless a rule accepts it. Have the rules for management
# access (web UI, SSH) in place before enabling, so remote access to the nodes
# is not lost.
# policy_out: ACCEPT leaves outbound host traffic unfiltered; tighten it if
# egress control is a requirement.
1 [OPTIONS]
2
3 # enable firewall (cluster wide setting, default is disabled)
4 enable: 1
5
6 # default policy for host rules
7 policy_in: DROP
8 policy_out: ACCEPT
9
# Named addresses and networks that later sections refer to by name
# (myserveralias and myserveraliasipv6 as rule sources, mynetworkalias as an
# ipset member).
# The two IPv6 aliases hold the same address, once written in full and once in
# compressed "::" form.
# All values are samples (private IPv4 space, 2001:db8::/32 documentation
# prefix); replace them before reusing this file.
10 [ALIASES]
11
12 myserveralias 10.0.0.111
13 mynetworkalias 10.0.0.0/24
14 myserveraliasipv6 2001:db8:0:85a3:0:0:ac1f:8001
15 myserveraliasipv6short 2001:db8:0:85a3::ac1f:8001
16
17
# Rules of the cluster-level file. The single rule uses the SSH macro to accept
# inbound SSH on interface vmbr0.
# NOTE(review): no -source is given, so the rule matches every peer that can
# reach vmbr0. Consider restricting it to a management network, alias or ipset.
18 [RULES]
19
20 IN SSH(ACCEPT) -i vmbr0
21
# Security group "group1": accepts inbound TCP port 22, outbound TCP port 80
# and outbound ICMP.
# NOTE(review): the inbound port 22 rule has no -source restriction, so SSH is
# accepted from any address wherever this group is applied. Add a -source limit
# if the group is meant for management access only.
22 [group group1]
23
24 IN ACCEPT -p tcp -dport 22
25 OUT ACCEPT -p tcp -dport 80
26 OUT ACCEPT -p icmp
27
# Security group "group3": shows the forms a -source value can take, in order:
# single address, address range, comma-separated list, ipset reference
# (+name), alias name, and IPv6 literal.
# NOTE(review): none of these rules sets -p or -dport, so each one accepts all
# inbound traffic from the listed source. Narrow by protocol and port when
# adapting them.
# NOTE(review): +mynetgroup refers to an ipset that is not defined in the
# visible listing (only myipset and blacklist are). Define it or change the
# reference before reuse.
28 [group group3]
29
30 IN ACCEPT -source 10.0.0.1
31 IN ACCEPT -source 10.0.0.1-10.0.0.10
32 IN ACCEPT -source 10.0.0.1,10.0.0.2,10.0.0.3
33 IN ACCEPT -source +mynetgroup
34 IN ACCEPT -source myserveralias
35 IN ACCEPT -source myserveraliasipv6
36 IN ACCEPT -source 2001:db8:0:85a3:0:0:ac1f:8001
37
# IP set "myipset": mixes single addresses, a network, an alias and IPv6
# entries; an entry may carry a trailing "#" comment.
# The entry prefixed with "!" is a nomatch exception that excludes 10.0.0.0/8
# from the set.
# NOTE(review): mynetworkalias (10.0.0.0/24) lies inside the excluded
# 10.0.0.0/8. Verify which entry takes effect for addresses in that /24 before
# relying on this combination.
38 [ipset myipset]
39
40 192.168.0.1 #mycomment
41 172.16.0.10
42 192.168.0.0/24
43 ! 10.0.0.0/8 #nomatch - needs kernel 3.7 or newer
44 mynetworkalias
45 2001:db8:0:85a3::ac1f:8001
46 2001:db8:0:85a3:0:0:ac1f:8002
47
# IP set named "blacklist", described below as global. pve-firewall treats this
# name specially and drops traffic from its members on host and guest
# firewalls - confirm the exact behavior for your version.
# NOTE(review): the sample entries overlap with sources accepted elsewhere in
# this file: 2001:db8:0:85a3:0:0:ac1f:8001 is myserveraliasipv6 and an accepted
# source in group3, and 192.168.0.0/24 is also a member of myipset. Copied
# verbatim, this list could block hosts the other sections intend to allow, so
# replace the entries before use.
48 #global ipset blacklist
49 [ipset blacklist]
50
51 10.0.0.8
52 192.168.0.0/24
53 2001:db8:0:85a3:0:0:ac1f:8001