debian/example/cluster.fw

   1 [OPTIONS]
   2
   3 # enable firewall (cluster wide setting, default is disabled)
   4 enable: 1
   5
   6 # default policy for host rules
   7 policy_in: DROP
   8 policy_out: ACCEPT
   9
  10 [ALIASES]
  11
  12 myserveralias 10.0.0.111
  13 mynetworkalias 10.0.0.0/24
  14 myserveraliasipv6 2001:db8:0:85a3:0:0:ac1f:8001
  15 myserveraliasipv6short 2001:db8:0:85a3::ac1f:8001
  16
  17
  18 [RULES]
  19
  20 IN  SSH(ACCEPT) -i vmbr0
  21
  22 [group group1]
  23
  24 IN  ACCEPT -p tcp -dport 22
  25 OUT ACCEPT -p tcp -dport 80
  26 OUT ACCEPT -p icmp
  27
  28 [group group3]
  29
  30 IN  ACCEPT -source 10.0.0.1
  31 IN  ACCEPT -source 10.0.0.1-10.0.0.10
  32 IN  ACCEPT -source 10.0.0.1,10.0.0.2,10.0.0.3
  33 IN  ACCEPT -source +mynetgroup
  34 IN  ACCEPT -source myserveralias
  35 IN  ACCEPT -source myserveraliasipv6
  36 IN  ACCEPT -source 2001:db8:0:85a3:0:0:ac1f:8001
  37
  38 [ipset myipset]
  39
  40 192.168.0.1 #mycomment
  41 172.16.0.10
  42 192.168.0.0/24
  43 ! 10.0.0.0/8  #nomatch - needs kernel 3.7 or newer
  44 mynetworkalias
  45 2001:db8:0:85a3::ac1f:8001
  46 2001:db8:0:85a3:0:0:ac1f:8002
  47
  48 #global ipset blacklist
  49 [ipset blacklist]
  50
  51 10.0.0.8
  52 192.168.0.0/24
  53 2001:db8:0:85a3:0:0:ac1f:8001