--- /dev/null
+[OPTIONS]
+
+# enable firewall (cluster wide setting, default is disabled)
+enable: 1
+
+# default policy for host rules
+policy_in: DROP
+policy_out: ACCEPT
+
+[RULES]
+
+IN SSH(ACCEPT) vmbr0
+
+[group group1]
+
+IN ACCEPT - - tcp 22 -
+OUT ACCEPT - - tcp 80 -
+OUT ACCEPT - - icmp - -
+
+[group group3]
+
+IN ACCEPT 10.0.0.1
+IN ACCEPT 10.0.0.1-10.0.0.10
+IN ACCEPT 10.0.0.1,10.0.0.2,10.0.0.3
+IN ACCEPT +mynetgroup
+
+
+[ipset myipset]
+
+192.168.0.1 #mycomment
+172.16.0.10
+192.168.0.0/24
+! 10.0.0.0/8 #nomatch - needs kernel 3.7 or newer
+
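Review bot: In `[group group3]` the rule `IN ACCEPT +mynetgroup` refers to a set named `mynetgroup`, but the only set this file defines is `[ipset myipset]`, so the reference looks dangling unless the name is resolved from somewhere outside this file. Whether the parser skips such a rule or rejects it is not visible here; either way the source match would not behave as the example suggests, so rename the section to `[ipset mynetgroup]` or change the rule to `IN ACCEPT +myipset`. Separately, the file switches the firewall on cluster-wide (`enable: 1`) with `policy_in: DROP` and a single host rule for SSH on `vmbr0`. A comment above `enable: 1` such as `# allow management and cluster traffic before enabling, policy_in DROP applies to every node` would help anyone copying this example.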