+[OPTIONS]
+
+# enable firewall (cluster wide setting, default is disabled)
+enable: 1
+
+# default policy for host rules
+policy_in: DROP
+policy_out: ACCEPT
+
+[RULES]
+
+IN SSH(ACCEPT) vmbr0
+
[group group1]
IN ACCEPT - - tcp 22 -
[group group3]
IN ACCEPT 10.0.0.1
-IN ACCEPT 10.0.0.2
-IN ACCEPT 10.0.0.2
-
-
-#ipset hash:ip
-[ipgroup ipgroup1]
-
-192.168.0.1
-192.168.0.2
-192.168.0.3
-
-
-[ipgroup ipgroup2]
+IN ACCEPT 10.0.0.1-10.0.0.10
+IN ACCEPT 10.0.0.1,10.0.0.2,10.0.0.3
+IN ACCEPT +mynetgroup
-192.168.0.3
-192.168.0.4
-#ipset hash:net
-[netgroup netgroup1]
+[ipset myipset]
+192.168.0.1 #mycomment
+172.16.0.10
192.168.0.0/24
-10.0.0.0/8
+! 10.0.0.0/8 #nomatch - needs kernel 3.7 or newer
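Review bot: The added rule `IN ACCEPT +mynetgroup` in `[group group3]` refers to a set named `mynetgroup`, but the only set the new side declares in the visible lines is `[ipset myipset]`. Unless `mynetgroup` is defined outside this excerpt, the example references an undeclared set; write `IN ACCEPT +myipset` or rename the section so the two agree. The three added group3 rules also give only a source and no protocol or port, which, judging by the `IN ACCEPT - - tcp 22 -` form in group1, appears to accept all traffic from those addresses. A comment above them such as `# no proto/dport given: accepts all traffic from the source` would stop readers copying the rules unqualified into a cluster that has `enable: 1`. The hunk header is not visible, so the file may continue beyond these lines.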