[OPTIONS]
+# enable firewall (cluster wide setting, default is disabled)
enable: 1
+# default policy for host rules
+policy_in: DROP
+policy_out: ACCEPT
+
[RULES]
IN SSH(ACCEPT) vmbr0
IN ACCEPT +mynetgroup
-[netgroup mynetgroup]
+[ipset myipset]
192.168.0.1 #mycomment
172.16.0.10
192.168.0.0/24
-! 10.0.0.0/8 #nomatch
+! 10.0.0.0/8 #nomatch - needs kernel 3.7 or newer
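Review bot: The unchanged rule `IN ACCEPT +mynetgroup` under `[RULES]` still uses the old set name, while the definition it points to is renamed to `[ipset myipset]`, so in the new file the rule references a set that is not defined anywhere in view; it should become `IN ACCEPT +myipset`. This matters more now that the example adds `policy_in: DROP`: how an unknown set name is handled is not visible here, but the rule will either be rejected or never match, and the intended allow-list silently stops applying. The new comment on the `! 10.0.0.0/8` line would also be clearer if it said what happens on kernels older than 3.7, since readers will otherwise assume the exclusion is always enforced. The hunk header is not visible, so the file may continue outside this view.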