example/host.fw

   1 # /etc/pve/local/host.fw
   2
   3 [OPTIONS]
   4
   5 enable: 0
   6 tcp_flags_log_level: info
   7 smurf_log_level: nolog
   8 log_level_in: info
   9 log_level_out: info
  10
  11 # default policy
  12 policy_in: DROP
  13 policy_out: ACCEPT
  14
  15 # allow more connections (default is 65536)
  16 nf_conntrack_max: 196608
  17
  18 # reduce conntrack established timeout (default is 432000 - 5days)
  19 nf_conntrack_tcp_timeout_established: 7875
  20
  21 # Enable firewall when bridges contains IP address.
  22 # The firewall is not fully functional in that case, so
  23 # you need to enable that explicitly
  24 allow_bridge_route: 1
  25
  26 # disable SMURFS filter
  27 nosmurfs: 0
  28
  29 # filter illegal combinations of TCP flags
  30 tcpflags: 1
  31
  32 # rules processing speed optimizations
  33 optimize : 1
  34
  35 [RULES]
  36
  37 IN  SSH(ACCEPT) net0
  38 OUT SSH(ACCEPT) net0