# Example VM firewall configuration
-#ACTION IFACE SOURCE DEST PROTO D-PORT S-PORT
-# ACTION: shorewall action
-# IFACE: vm network interface (net0 - net5), or '-' for all interfaces
-# SOURCE: source IP address, or '-' for any source
-# DEST: dest IP address, or '-' for any destination address
-# PROTO: see /etc/protocols
-# D-PORT: destination port
-# S-PORT: source port
+# VM specific firewall options
+[OPTIONS]
-[IN]
+# disable/enable the whole thing
+enable: 1
-SSH(ACCEPT) net0 192.168.2.192 -
+# disable/enable MAC address filter
+macfilter: 0
-[OUT]
+# default policy
+policy_in: DROP
+policy_out: REJECT
+# log dropped incoming connection
+log_level_in: info
-DNS(ACCEPT) net0
-Ping(ACCEPT) net0
-SSH(ACCEPT)
+# disable log for outgoing connections
+log_level_out: nolog
+
+# disable SMURFS filter
+nosmurfs: 0
+
+# filter illegal combinations of TCP flags
+tcpflags: 1
+
+# enable DHCP
+dhcp: 1
+
+# enable ips
+ips: 1
+
+# specify nfqueue queues (optionnal)
+#ips_queues: 0
+ips_queues: 0:3
+
+
+[RULES]
+
+#TYPE ACTION IFACE SOURCE DEST PROTO D-PORT S-PORT
+
+IN SSH(ACCEPT) net0
+IN SSH(ACCEPT) net0 # a comment
+IN SSH(ACCEPT) net0 192.168.2.192 # only allow SSH from 192.168.2.192
+|IN SSH(ACCEPT) net0 # disabled rule
+
+# add a security group
+GROUP group1 net0
+
+OUT DNS(ACCEPT) net0
+OUT Ping(ACCEPT) net0
+OUT SSH(ACCEPT)
projects / pve-firewall.git / blobdiff