example/host.fw

   1 # /etc/pve/local/host.fw
   2
   3 [OPTIONS]
   4
   5 enable: 0
   6 tcp_flags_log_level: info
   7 smurf_log_level: nolog
   8 log_level_in: info
   9 log_level_out: info
  10
  11 # allow more connections (default is 65536)
  12 nf_conntrack_max: 196608
  13
  14 # reduce conntrack established timeout (default is 432000 - 5days)
  15 nf_conntrack_tcp_timeout_established: 7875
  16
  17 # Enable firewall when bridges contains IP address.
  18 # The firewall is not fully functional in that case, so
  19 # you need to enable that explicitly
  20 allow_bridge_route: 1
  21
  22 # disable SMURFS filter
  23 nosmurfs: 0
  24
  25 # filter illegal combinations of TCP flags
  26 tcpflags: 1
  27
  28 # rules processing speed optimizations
  29 optimize : 1
  30
  31 [RULES]
  32
  33 IN  SSH(ACCEPT) net0
  34 OUT SSH(ACCEPT) net0