# Example VM firewall configuration

# VM specific firewall options
[OPTIONS]

# disable/enable the whole thing
enable: 1 

# disable/enable MAC address filter
macfilter: 0

# limit layer2 specific protocols
layer2_protocols: ARP,802_1Q,IPX,NetBEUI,PPP

# default policy
policy_in: DROP
policy_out: REJECT

# log dropped incoming connection
log_level_in: info

# disable log for outgoing connections
log_level_out: nolog

# enable DHCP
dhcp: 1

# enable ips
ips: 1

# specify nfqueue queues (optionnal)
#ips_queues: 0
ips_queues: 0:3

[IPSET ipfilter-net0] # only allow specified IPs on net0
192.168.2.10

[RULES]

#TYPE ACTION [OPTIONS]
# -i      <INTERFACE>
# -source <SOURCE>
# -dest   <DEST>
# -p      <PROTOCOL>
# -dport  <DESTINATION_PORT>
# -sport  <SOURCE_PORT>

IN SSH(ACCEPT) -i net0
IN SSH(ACCEPT) -i net0 # a comment
IN SSH(ACCEPT) -i net0 -source 192.168.2.192  # only allow SSH from  192.168.2.192
IN SSH(ACCEPT) -i net0 -source 10.0.0.1-10.0.0.10 #accept SSH for ip in range 10.0.0.1 to 10.0.0.10
IN SSH(ACCEPT) -i net0 -source 10.0.0.1,10.0.0.2,10.0.0.3 #accept ssh for 10.0.0.1 or 10.0.0.2 or 10.0.0.3
IN SSH(ACCEPT) -i net0 -source +mynetgroup   #accept ssh for ipset mynetgroup
IN SSH(ACCEPT) -i net0 -source myserveralias   #accept ssh for alias myserveralias
IN SSH(ACCEPT) -i net0 -source FE80:0000:0000:0000:0202:B3FF:FE1E:8329
IN ACCEPT -i net0 -p icmpv6

|IN SSH(ACCEPT) -i net0 # disabled rule

# add a security group
GROUP group1 -i net0

OUT DNS(ACCEPT) -i net0
OUT Ping(ACCEPT) -i net0
OUT SSH(ACCEPT)