# NOTE(review): this is an excerpt of a firewall configuration example. The
# leading number on each line is the listing's own line number, not part of
# the configuration. Gaps in that numbering mean lines are missing from this
# view: no section headers are visible, and neither are the option lines that
# the two comments below describe.
3 # enable firewall (cluster wide setting, default is disabled)
6 # default policy for host rules
# Aliases: a name followed by the address or CIDR network it stands for.
12 myserveralias 10.0.0.111
13 mynetworkalias 10.0.0.0/24
# The next two aliases hold the same IPv6 address, once written in full and
# once in compressed (::) form.
14 myserveraliasipv6 2001:db8:0:85a3:0:0:ac1f:8001
15 myserveraliasipv6short 2001:db8:0:85a3::ac1f:8001
# Rules: direction (IN/OUT), then the action, then the match options.
# The order of rules is kept exactly as in the listing.
# SSH(ACCEPT) with -i vmbr0: the match is tied to the vmbr0 interface.
20 IN SSH(ACCEPT) -i vmbr0
# No -source option here: as written, this accepts TCP port 22 from any
# address. In a real ruleset, pair a management-port rule with -source (see
# the forms below) so that only known admin hosts or networks can reach it.
24 IN ACCEPT -p tcp -dport 22
25 OUT ACCEPT -p tcp -dport 80
# Forms of -source shown below: single address, address range,
# comma-separated list, "+name" reference, alias name, literal IPv6 address.
30 IN ACCEPT -source 10.0.0.1
31 IN ACCEPT -source 10.0.0.1-10.0.0.10
32 IN ACCEPT -source 10.0.0.1,10.0.0.2,10.0.0.3
# "+mynetgroup" presumably refers to a named IP set; its definition is not
# visible in this excerpt - confirm it exists before relying on the rule.
33 IN ACCEPT -source +mynetgroup
# These two use alias names that are defined in the alias lines above.
34 IN ACCEPT -source myserveralias
35 IN ACCEPT -source myserveraliasipv6
36 IN ACCEPT -source 2001:db8:0:85a3:0:0:ac1f:8001
# The lines below appear to be IP set entries (one address or network per
# line, with an optional trailing # comment); the set headers are not shown.
40 192.168.0.1 #mycomment
# A leading "!" marks the entry as nomatch, per the inline comment.
43 ! 10.0.0.0/8 #nomatch - needs kernel 3.7 or newer
45 2001:db8:0:85a3::ac1f:8001
46 2001:db8:0:85a3:0:0:ac1f:8002
48 #global ipset blacklist
# NOTE(review): this is the same address that myserveraliasipv6 names and that
# the IN ACCEPT rules above allow. If it really is a blacklist entry, check
# which one takes precedence in your firewall before reusing this example.
53 2001:db8:0:85a3:0:0:ac1f:8001