add README and example to debian package
diff --git a/debian/example/host.fw b/debian/example/host.fw
new file mode 100644 (file)
index 0000000..a8ae568
--- /dev/null
@@ -0,0 +1,34 @@
+# /etc/pve/local/host.fw
+
+[OPTIONS]
+
+enable: 0
+tcp_flags_log_level: info
+smurf_log_level: nolog
+log_level_in: info
+log_level_out: info
+
+# allow more connections (default is 65536)
+nf_conntrack_max: 196608
+
+# reduce conntrack established timeout (default is 432000 - 5days)
+nf_conntrack_tcp_timeout_established: 7875
+
+# Enable firewall when bridges contains IP address.
+# The firewall is not fully functional in that case, so
+# you need to enable that explicitly
+allow_bridge_route: 1
+
+# disable SMURFS filter
+nosmurfs: 0
+
+# filter illegal combinations of TCP flags
+tcpflags: 1
+
+# rules processing speed optimizations 
+optimize : 1
+
+[RULES]
+
+IN  SSH(ACCEPT) net0
+OUT SSH(ACCEPT) net0
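Review bot: The example ships `nosmurfs: 0` under the comment `# disable SMURFS filter`, so anyone who copies this file as a starting point turns a protective filter off, and the negative-sounding key name makes the value easy to misread. Unless disabling it is intended, I would set `nosmurfs: 1` and phrase the comment the way the tcpflags one is phrased, for example `# enable SMURFS filter (0 disables it)`. Separately, `optimize : 1` has a space before the colon, unlike every other key in the file. Whether the parser accepts that form is not visible from this hunk, so `optimize: 1` would be the safer spelling, and the trailing space on the comment line above it can be dropped.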